IP access object groups not working

David Lee
Level 1

Hello all,

I have a Cisco 2901 router running 15.3 (M3) that I am trying to set up a basic firewall on. I want to remote console into computers from only certain IP addresses. I've created the objects and rules below and applied them to the subinterface, but when I do that it cuts off all data from the subinterface. There are a lot more rules, but I just cut it down so I can figure out where I went wrong. Basically, I want anyone on the 192.168 subnet to be able to VNC or RDP into a machine on the 10.100 network. I'm hoping someone can point out where I went wrong. Thanks in advance.


object-group network GG-Internal
 192.168.0.0 255.255.0.0

object-group network GG-CDE
 10.100.0.0 255.255.0.0

object-group service RemoteConsole
 tcp eq 3389
 tcp eq 5900
 tcp eq 5902

ip access-list extended CDE-IN-V1
 permit object-group RemoteConsole object-group GG-CDE object-group GG-Internal

ip access-list extended CDE-OUT-V1
 permit object-group RemoteConsole object-group GG-Internal object-group GG-CDE

interface GigabitEthernet0/0.5
 encapsulation dot1Q 5
 ip address 10.100.3.252 255.255.255.0
 ip policy route-map clear-df
 service-policy input INGRESS_MARKING
 ip access-group CDE-IN-V1 in
 ip access-group CDE-OUT-V1 out

1 Reply

Pedro Lereno
Level 1

Hi,

Try the following configuration:

ip access-list extended CDE-IN-V1
 permit tcp object-group GG-CDE object-group RemoteConsole object-group GG-Internal

// from servers, TCP ports VNC/RDP, to clients

ip access-list extended CDE-OUT-V1
 permit tcp object-group GG-Internal object-group GG-CDE object-group RemoteConsole

// from clients to servers on TCP ports RDP/VNC


I hope this will help.

Best Regards,


Pedro Lereno
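A worked configuration for the scenario in the question, added here as an example and not taken from either post. On IOS a service object-group occupies the protocol position of an ACE, and an entry such as `tcp eq 3389` matches the destination port, so the original CDE-OUT-V1 (client to server, applied outbound toward 10.100) fits that form. The reply packets from a 10.100 server to a 192.168 client carry 3389/5900/5902 as the source port and an ephemeral destination port, so the original CDE-IN-V1 never matches them and the implicit deny at the end of the list drops them, along with every other protocol on VLAN 5 that has no permit entry. The example below keeps the question's object-groups, interface and addresses, and expresses the return direction with explicit source-port entries; the trailing logged deny is an added troubleshooting aid, not part of the original configuration, and the route-map and service-policy lines on the subinterface are omitted because they do not affect the ACL behaviour.

```cisco
! Object-groups exactly as in the question
object-group network GG-Internal
 192.168.0.0 255.255.0.0
!
object-group network GG-CDE
 10.100.0.0 255.255.0.0
!
object-group service RemoteConsole
 tcp eq 3389
 tcp eq 5900
 tcp eq 5902
!
! Outbound on Gi0/0.5 means leaving the router toward 10.100: client -> server.
! The service object-group sits in the protocol position and matches the
! DESTINATION port, so this direction already works as originally written.
ip access-list extended CDE-OUT-V1
 permit object-group RemoteConsole object-group GG-Internal object-group GG-CDE
 deny ip any any log
!
! Inbound on Gi0/0.5 means arriving from 10.100: server -> client replies.
! Replies carry 3389/5900/5902 as the SOURCE port, so match them on the
! source side. 'established' also requires ACK or RST to be set, so a host
! in 10.100 cannot open a new connection toward 192.168 from these ports.
ip access-list extended CDE-IN-V1
 permit tcp object-group GG-CDE eq 3389 object-group GG-Internal established
 permit tcp object-group GG-CDE eq 5900 object-group GG-Internal established
 permit tcp object-group GG-CDE eq 5902 object-group GG-Internal established
 deny ip any any log
!
interface GigabitEthernet0/0.5
 encapsulation dot1Q 5
 ip address 10.100.3.252 255.255.255.0
 ip access-group CDE-IN-V1 in
 ip access-group CDE-OUT-V1 out
```

Remove the existing lists first (`no ip access-list extended CDE-IN-V1`, likewise for CDE-OUT-V1) before pasting, because re-entering a named list appends to it. After applying, `show ip access-lists CDE-IN-V1` shows a match counter per entry, which confirms whether the reply packets are now hitting the permit lines; the logged deny reveals whatever else on VLAN 5 is being dropped (DNS, HTTP and so on), which is the source of the "cuts off all data" symptom, and should be removed or rate-limited once the missing rules are added since logging every denied packet costs CPU. `established` only checks TCP flags and is not stateful; for real connection tracking use the IOS Zone-Based Firewall (`zone security`, `zone-pair security`, `class-map type inspect`, `policy-map type inspect`) instead of a pair of mirrored ACLs.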
