Stephen Craven
Enthusiast

IOS ACL Using Service Object Group and TCP Flags

Under vanilla IOS, is it possible to use both TCP flags (established, syn, rst, etc.) and service object groups?

For example, I can create an ACL that only allows return traffic from established Telnet and SSH connections:

ip access-list extended DEMO-TCP
 permit tcp host 1.1.1.1 eq 22 host 2.2.2.2 established
 permit tcp host 1.1.1.1 eq 23 host 2.2.2.2 established


And I can create a single object group for the two TCP protocols to reduce the ACL into one line:

object-group service TCP-PORTS
 tcp source 22
 tcp source 23
ip access-list extended DEMO-TCP
 permit object-group TCP-PORTS host 1.1.1.1 host 2.2.2.2


But when I use a service object-group in an ACL I lose the TCP flag options at the end:

LABB-RA1(config-ext-nacl)#$ect-group TCP-PORTS host 1.1.1.1 host 2.2.2.2 ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  option      Match packets with given IP Options value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  ttl         Match packets with given TTL value
  <cr>        <cr>

0 Replies
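An added example, not part of the original post, that models the two ACLs from the question as a small matcher and shows what is lost when the `established` keyword is unavailable: the object-group ACE also permits a new session sourced from port 22 or 23, not only return traffic. Hosts and ports are the post's demo values; the packets are constructed for illustration.

```python
# Constructed matcher for the two ACLs in the question (not IOS code).
from dataclasses import dataclass

ACK, RST, SYN = 0x10, 0x04, 0x02  # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass(frozen=True)
class Ace:
    src: str
    sports: frozenset          # empty set = any source port
    dst: str
    established: bool = False  # IOS "established": ACK or RST bit set

    def matches(self, p: Packet) -> bool:
        if p.src != self.src or p.dst != self.dst:
            return False
        if self.sports and p.sport not in self.sports:
            return False
        if self.established and not (p.flags & (ACK | RST)):
            return False
        return True


def permitted(acl, p: Packet) -> bool:
    """First matching ACE wins; the implicit deny drops everything else."""
    return any(ace.matches(p) for ace in acl)


# "permit tcp host 1.1.1.1 eq 22/23 host 2.2.2.2 established", one ACE per port
ACL_FLAGS = [Ace("1.1.1.1", frozenset({22}), "2.2.2.2", established=True),
             Ace("1.1.1.1", frozenset({23}), "2.2.2.2", established=True)]
# "permit object-group TCP-PORTS host 1.1.1.1 host 2.2.2.2": same ports from
# the group, but no TCP-flag qualifier on this ACE
ACL_GROUP = [Ace("1.1.1.1", frozenset({22, 23}), "2.2.2.2")]


def compare(p: Packet):
    """Return (permitted by flags ACL, permitted by object-group ACL)."""
    return permitted(ACL_FLAGS, p), permitted(ACL_GROUP, p)


if __name__ == "__main__":
    reply = Packet("1.1.1.1", 22, "2.2.2.2", 40000, ACK)    # return traffic
    new_conn = Packet("1.1.1.1", 22, "2.2.2.2", 40000, SYN)  # new session from port 22
    for p in (reply, new_conn):
        print(p, compare(p))
```

The second packet is the difference that matters: only the object-group ACL lets a SYN sourced from port 22 through, so the group form is a wider permit than the `established` form it was meant to replace.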