12-12-2019 12:23 PM
I am having an issue with the configuration below and getting an error. Please help me solve the issue.
object-group network LERAPID7_Console
network-object host 192.168.2.80
object-group network LMRAPID7_Console
network-object host 192.168.2.81
object-group network RAPID7_CONSOLE
group-object LERAPID7_Console
group-object LMRAPID7_Console
object-group service Rapid7-Management
service-object tcp destination eq 3750
service-object tcp destination eq 40814
service-object tcp destination eq https
access-list global-access extended permit tcp object-group any object-group RRAPID7_CONSOLE object-group Rapid7-Management
ERROR: specified object-group (Rapid7_Management) has wrong type; expecting service type
12-12-2019 09:52 PM
Hi Mohammad-
The CLI is rejecting the syntax because your object-group already specifies the protocol type (TCP) and your access-list is also calling out "TCP." If you already have the protocol defined in your object group, then you don't need it in your Access Control List Entry. The thread below explains it pretty well and includes an example that you can follow:
Thank you for rating helpful posts!
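The distinction the answer describes, as an added example that is not part of the thread and not Cisco code: a service group defined without a protocol suffix (service-object lines) carries its own protocol and goes in the protocol position of the ACE, while a service group defined as "object-group service NAME tcp" (port-object lines) is a port group that follows the destination after "permit tcp". The checker below parses only the small subset of ASA syntax used in this thread; the sample configurations are constructed to mirror the two posted here, and the wording of the problem messages is my own.

```python
"""Lint an ASA-style ACE against its object-groups for the protocol/port
mismatch discussed in this thread.  Added example, not Cisco code: the parser
recognises only the subset of ASA syntax the thread uses."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

@dataclass
class ServiceGroup:
    name: str
    protocol: Optional[str]          # "tcp"/"udp" = port-type group, None = service-type group
    members: List[str] = field(default_factory=list)

Group = Union[ServiceGroup, str]      # network groups are recorded as the string "network"
HEADER = re.compile(r"object-group (network|service) (\S+)(?: (tcp|udp|tcp-udp))?$")

def parse_object_groups(config: str) -> Dict[str, Group]:
    """Collect object-group definitions; only the header type matters for the check."""
    groups: Dict[str, Group] = {}
    current: Optional[ServiceGroup] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            kind, name, proto = m.groups()
            if kind == "network":
                groups[name] = "network"
                current = None
            else:
                current = ServiceGroup(name, proto)
                groups[name] = current
        elif current and line.startswith(("service-object", "port-object")):
            current.members.append(line)
    return groups

def check_ace(groups: Dict[str, Group], ace: str) -> List[str]:
    """Return the problems an 'access-list ... extended permit|deny ...' line has."""
    tokens = ace.split()
    if "extended" not in tokens:
        return ["not an extended ACE"]
    t = tokens[tokens.index("extended") + 2:]          # drop 'extended' and permit/deny
    if len(t) < 3:
        return ["incomplete ACE"]
    problems: List[str] = []

    def lookup(name: str, position: str) -> Optional[Group]:
        g = groups.get(name)
        if g is None:
            problems.append(f"{position}: object-group '{name}' is not defined")
        return g

    # Protocol position: a keyword (tcp/udp/ip) or a service-type group that
    # carries its own protocols, in which case no trailing port group is allowed.
    proto_keyword: Optional[str] = None
    if t[0] == "object-group":
        g = lookup(t[1], "protocol")
        if isinstance(g, ServiceGroup) and g.protocol:
            problems.append(f"protocol: '{g.name}' is a {g.protocol} port group; "
                            f"write 'permit {g.protocol} <src> <dst> object-group {g.name}'")
        elif g == "network":
            problems.append(f"protocol: '{t[1]}' is a network group")
        t = t[2:]
    else:
        proto_keyword, t = t[0], t[1:]

    # Source and destination: network groups, 'host A.B.C.D' or 'any'.
    for position in ("source", "destination"):
        if not t:
            problems.append(f"{position}: missing")
            break
        if t[0] == "object-group":
            g = lookup(t[1], position)
            if isinstance(g, ServiceGroup):
                problems.append(f"{position}: '{t[1]}' is a service group, expected a network group")
            t = t[2:]
        elif t[0] == "host":
            t = t[2:]
        elif t[0] == "any":
            t = t[1:]
        else:
            problems.append(f"{position}: unexpected token '{t[0]}'")
            t = t[1:]

    # Optional port position: only valid when the protocol was given as a keyword,
    # and the group there must be a port-type group for that same protocol.
    if len(t) >= 2 and t[0] == "object-group":
        g = lookup(t[1], "port")
        if isinstance(g, ServiceGroup):
            if proto_keyword is None:
                problems.append("port: protocol already comes from the service group; drop the trailing port group")
            elif g.protocol is None:
                problems.append(f"port: '{g.name}' already carries its protocol; "
                                f"use 'permit object-group {g.name} <src> <dst>' without '{proto_keyword}'")
            elif g.protocol != proto_keyword:
                problems.append(f"port: '{g.name}' is a {g.protocol} port group but the ACE says {proto_keyword}")
        elif g == "network":
            problems.append(f"port: '{t[1]}' is a network group")
    elif t and t[0] == "eq" and proto_keyword is None:
        problems.append("port: protocol already comes from the service group; drop 'eq'")
    return problems

def lint(config: str, ace: str) -> List[str]:
    return check_ace(parse_object_groups(config), ace)

# Constructed samples mirroring the two configurations posted in the thread.
BROKEN_CONFIG = """
object-group network LERAPID7_Console
 network-object host 192.168.2.80
object-group network LMRAPID7_Console
 network-object host 192.168.2.81
object-group network RAPID7_CONSOLE
 group-object LERAPID7_Console
 group-object LMRAPID7_Console
object-group service Rapid7-Management
 service-object tcp destination eq 3750
 service-object tcp destination eq 40814
 service-object tcp destination eq https
"""
BROKEN_ACE = ("access-list global-access extended permit tcp object-group any "
              "object-group RRAPID7_CONSOLE object-group Rapid7-Management")
FIXED_CONFIG = """
object-group network Rapid7_Server
 network-object host 192.168.2.2
object-group network Outside_Host
 network-object host 192.168.1.165
object-group service Rapid7_MGMT tcp
 port-object eq 3780
 port-object eq https
"""
FIXED_ACE = ("access-list global-access extended permit tcp object-group Outside_Host "
             "object-group Rapid7_Server object-group Rapid7_MGMT")

if __name__ == "__main__":
    for label, cfg, ace in (("original", BROKEN_CONFIG, BROKEN_ACE), ("revised", FIXED_CONFIG, FIXED_ACE)):
        print(label, lint(cfg, ace) or "OK")
```

Run on the original post it flags three things at once: the undefined "any" and "RRAPID7_CONSOLE" groups and the service-type group used in the port position; on the revised configuration it reports nothing, which is consistent with the ASA accepting it.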
12-13-2019 07:05 AM
Thank you nspasov for your quick answer. I got that solved, but I changed my configuration as below. When I browse using port number 3780, show access-list is showing 0 hits. Please help me solve this issue and then I will be done with my project.
object-group network Rapid7_Server
network-group host 192.168.2.2
object-group network Outside_Host
network-group host 192.168.1.165
object-group service Rapid7_MGMT tcp
port-object eq 3780
port-object eq https
access-list global-access extended permit tcp object-group Outside_Host object-group Rapid7_Server object-group Rapid7_MGMT
access-list global-access line 1 extended permit tcp object-group Outside_Host object-group Rapid7_Server object-group Rapid7_MGMT (hitcnt=0) 0x80fcc2fc
access-list global-access line 1 extended permit tcp host 192.168.1.165 host 192.168.2.2 eq 3780 (hitcnt=0) 0x5ff3d781
access-list global-access line 1 extended permit tcp host 192.168.1.165 host 192.168.2.2 eq https (hitcnt=0) 0x5025c4b8
12-14-2019 04:41 PM
It is hard to tell why your ACEs are not getting any hits without knowing the test methodology that you used. A simple/quick test is to use the "packet-tracer" command. Can you run that and post the output and also check if the ACEs are getting a hit after running the command? The packet-tracer command actually generates real traffic so you should see the hit count increase.
Thank you for rating helpful posts!
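One way to do the before/after check suggested here, as an added example that is not part of the thread and not Cisco code: capture "show access-list" before and after the packet-tracer run and compare the counters of each expanded entry. The code assumes the trailing hex value on each line is a per-ACE identifier that stays the same between captures; the "before" sample is the output posted above and the "after" sample is constructed to show one entry picking up a hit.

```python
"""Compare two 'show access-list' captures and report which expanded ACEs
gained hits.  Added example, not Cisco code; the 'after' capture is constructed."""
import re
from typing import Dict, List, Tuple

ACE_LINE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<body>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\) (?P<id>0x[0-9a-f]+)$")

def parse_show_access_list(output: str) -> Dict[str, Tuple[str, int]]:
    """Map each ACE's hex id (assumed stable across captures) to (body, hitcnt)."""
    entries: Dict[str, Tuple[str, int]] = {}
    for raw in output.splitlines():
        m = ACE_LINE.match(raw.strip())
        if m:
            entries[m["id"]] = (m["body"], int(m["hits"]))
    return entries

def hit_delta(before: str, after: str) -> List[Tuple[str, str, int]]:
    """ACEs whose counter increased between captures: (id, body, increase)."""
    b, a = parse_show_access_list(before), parse_show_access_list(after)
    return [(aid, body, hits - b[aid][1]) for aid, (body, hits) in a.items()
            if aid in b and hits > b[aid][1]]

def never_hit(output: str) -> List[str]:
    """Expanded (non-object-group) ACE bodies still sitting at hitcnt=0."""
    return [body for body, hits in parse_show_access_list(output).values()
            if hits == 0 and "object-group" not in body]

# 'before' is the output posted in the thread; 'after' is constructed so that the
# parent line and the port-3780 entry have gained one hit and the https entry has not.
BEFORE = """
access-list global-access line 1 extended permit tcp object-group Outside_Host object-group Rapid7_Server object-group Rapid7_MGMT (hitcnt=0) 0x80fcc2fc
access-list global-access line 1 extended permit tcp host 192.168.1.165 host 192.168.2.2 eq 3780 (hitcnt=0) 0x5ff3d781
access-list global-access line 1 extended permit tcp host 192.168.1.165 host 192.168.2.2 eq https (hitcnt=0) 0x5025c4b8
"""
AFTER = """
access-list global-access line 1 extended permit tcp object-group Outside_Host object-group Rapid7_Server object-group Rapid7_MGMT (hitcnt=1) 0x80fcc2fc
access-list global-access line 1 extended permit tcp host 192.168.1.165 host 192.168.2.2 eq 3780 (hitcnt=1) 0x5ff3d781
access-list global-access line 1 extended permit tcp host 192.168.1.165 host 192.168.2.2 eq https (hitcnt=0) 0x5025c4b8
"""

if __name__ == "__main__":
    for aid, body, inc in hit_delta(BEFORE, AFTER):
        print(f"+{inc} {aid} {body}")
    for body in never_hit(AFTER):
        print(f"still 0: {body}")
```

If the entry for the port you tested does not move after packet-tracer, the flow is not reaching this ACE, which is the point of running the test before looking elsewhere.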