05-17-2011 12:39 PM - edited 03-11-2019 01:34 PM
Good day to all,
Hope someone can help with my issue.
When I create a service object or group and add the object to a new rule, it never works.
I mean the traffic does not match the rule. I see no hits.
I placed the rule at the top of my access list to check whether I did something wrong, but it is not working. When I use only a single service, for example tcp/23, it works.
My service object group:
object-group service g-as400
description access client 2 as400 machine
service-object tcp-udp destination eq 397
service-object tcp destination eq 137
service-object tcp destination eq 2001
service-object tcp destination eq 3000
service-object tcp destination eq 445
service-object tcp destination range 446 447
service-object tcp destination eq 449
service-object tcp destination eq 5010
service-object tcp destination eq 5544
service-object tcp destination eq 5555
service-object tcp destination range 8470 8476
service-object tcp destination eq 8480
service-object tcp destination eq exec
service-object tcp destination eq netbios-ssn
service-object tcp destination eq telnet
My rule:
access-list FhbTrans_inside extended permit object-group g-as400 192.168.5.0 255.255.255.0 host 172.20.0.14
My ASA details:
ASA 5510
Cisco Adaptive Security Appliance Software Version 8.4(1)
Device Manager Version 6.4(1)
Has anybody had this problem before? Many thanks for any feedback!
Markus
05-17-2011 01:30 PM
Hi Pavel,
You are correct. I see the hits in the console, but not the "out of sync" msg under the firewall dashboard.
Markus
05-17-2011 01:33 PM
Hi,
Then I suggest the same: open a TAC case and let Cisco repair ASDM, or explain the reason why there is a big zero in ASDM. ;-)
Regards
Pavel
05-17-2011 01:39 PM
Many thanks Pavel, I will do this.
Markus
05-17-2011 01:17 PM
Hi,
Can you run packet-tracer like this?
packet-tracer input
Paste the output here.
Mike
05-17-2011 01:38 PM
Hi,
Here is the output... seems OK to me.
fw-deham-1/act/pri# packet-tracer input FhbTrans_inside tcp 192.168.5.2 1025 ?
A.B.C.D Enter the destination ipv4 address
fw-deham-1/act/pri# packet-tracer input FhbTrans_inside tcp 192.168.5.2 1025 1$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 FhbTrans_outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group FhbTrans_inside in interface FhbTrans_inside
access-list FhbTrans_inside extended permit object-group g-as400 192.168.5.0 255.255.255.0 host 172.20.0.14 log
object-group service g-as400
description: access client 2 as400 machine
service-object tcp-udp destination eq 397
service-object tcp destination eq 137
service-object tcp destination eq 2001
service-object tcp destination eq 3000
service-object tcp destination eq 445
service-object tcp destination range 446 447
service-object tcp destination eq 449
service-object tcp destination eq 5010
service-object tcp destination eq 5544
service-object tcp destination eq 5555
service-object tcp destination range 8470 8476
service-object tcp destination eq 8480
service-object tcp destination eq exec
service-object tcp destination eq netbios-ssn
service-object tcp destination eq telnet
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 573563, packet dispatched to next module
Result:
input-interface: FhbTrans_inside
input-status: up
input-line-status: up
output-interface: FhbTrans_outside
output-status: up
output-line-status: up
Action: allow
Markus
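The matching that the posted object group and rule express, as an added example that is not from the thread or from Cisco: a small Python evaluator that parses the `object-group service g-as400` block and the `access-list FhbTrans_inside` line exactly as posted in the original post and answers, for a given protocol, source, destination and destination port, whether the rule would match. That is the same decision the ACCESS-LIST phase of the packet-tracer output above reports. `tcp-udp` is expanded to one tcp entry and one udp entry, `range` is inclusive, and the port-name table (`exec` = 512, `netbios-ssn` = 139, `telnet` = 23) is the IANA assignment those ASA keywords stand for. The parser handles only the `service-object <proto> destination eq|range` and object-group based `access-list ... extended` forms used on this page, which is an assumption of the example; the sample packets at the bottom are constructed (the destination in the posted packet-tracer command is cut off on the page).

```python
import ipaddress

# ASA port keywords used in the posted object group, resolved to their IANA numbers.
PORT_NAMES = {"exec": 512, "netbios-ssn": 139, "telnet": 23}

# Configuration copied verbatim from the original post.
OBJECT_GROUP = """\
object-group service g-as400
 description access client 2 as400 machine
 service-object tcp-udp destination eq 397
 service-object tcp destination eq 137
 service-object tcp destination eq 2001
 service-object tcp destination eq 3000
 service-object tcp destination eq 445
 service-object tcp destination range 446 447
 service-object tcp destination eq 449
 service-object tcp destination eq 5010
 service-object tcp destination eq 5544
 service-object tcp destination eq 5555
 service-object tcp destination range 8470 8476
 service-object tcp destination eq 8480
 service-object tcp destination eq exec
 service-object tcp destination eq netbios-ssn
 service-object tcp destination eq telnet
"""
ACL_LINE = ("access-list FhbTrans_inside extended permit object-group g-as400 "
            "192.168.5.0 255.255.255.0 host 172.20.0.14")


def port_number(token):
    """Resolve an ASA port keyword or numeric string to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_service_group(text):
    """Parse an 'object-group service' block into (name, [(proto, lo, hi), ...]).

    Only the 'service-object <proto> destination eq|range' form from the page is
    supported (assumption of this example); anything else raises.
    """
    name, entries = None, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "description":
            continue
        if parts[:2] == ["object-group", "service"]:
            name = parts[2]
        elif parts[0] == "service-object":
            proto, op = parts[1], parts[3]
            if parts[2] != "destination" or op not in ("eq", "range"):
                raise ValueError(f"unsupported service-object form: {line.strip()}")
            lo = port_number(parts[4])
            hi = port_number(parts[5]) if op == "range" else lo
            # tcp-udp is shorthand for one tcp entry plus one udp entry
            for p in (("tcp", "udp") if proto == "tcp-udp" else (proto,)):
                entries.append((p, lo, hi))
        else:
            raise ValueError(f"unexpected line: {line.strip()}")
    return name, entries


def parse_endpoint(parts, i):
    """Read one ACL endpoint (any | host A | A MASK) starting at parts[i]."""
    if parts[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if parts[i] == "host":
        return ipaddress.ip_network(parts[i + 1]), i + 2
    return ipaddress.ip_network(f"{parts[i]}/{parts[i + 1]}"), i + 2


def parse_acl(line, groups):
    """Parse 'access-list NAME extended permit|deny object-group GRP SRC DST [log]'."""
    parts = line.split()
    if parts[0] != "access-list" or parts[2] != "extended" or parts[4] != "object-group":
        raise ValueError("example only handles object-group service rules")
    src, i = parse_endpoint(parts, 6)
    dst, _ = parse_endpoint(parts, i)  # trailing 'log' keyword, if any, is ignored
    return {"name": parts[1], "action": parts[3], "services": groups[parts[5]],
            "src": src, "dst": dst}


def rule_matches(rule, proto, src_ip, dst_ip, dst_port):
    """True if a packet (proto, src, dst, dport) would hit this rule."""
    if ipaddress.ip_address(src_ip) not in rule["src"]:
        return False
    if ipaddress.ip_address(dst_ip) not in rule["dst"]:
        return False
    return any(p == proto and lo <= dst_port <= hi for p, lo, hi in rule["services"])


def trace(rule, proto, src_ip, dst_ip, dst_port):
    """What the ACCESS-LIST phase would report for an ACL holding just this rule."""
    if rule_matches(rule, proto, src_ip, dst_ip, dst_port):
        return "ALLOW" if rule["action"] == "permit" else "DROP"
    return "DROP"  # implicit deny at the end of every ASA ACL


def load_rule():
    name, entries = parse_service_group(OBJECT_GROUP)
    return parse_acl(ACL_LINE, {name: entries})


if __name__ == "__main__":
    rule = load_rule()
    # Constructed sample packets: telnet, udp via tcp-udp, udp to a tcp-only port, wrong source.
    for pkt in [("tcp", "192.168.5.2", "172.20.0.14", 23),
                ("udp", "192.168.5.2", "172.20.0.14", 397),
                ("udp", "192.168.5.2", "172.20.0.14", 445),
                ("tcp", "192.168.6.2", "172.20.0.14", 23)]:
        print(pkt, trace(rule, *pkt))
```

The evaluator agrees with the packet-tracer result in the thread: the rule as written is correct, so a zero in ASDM says nothing about the ACL itself. On the box, `show access-list FhbTrans_inside` prints a `hitcnt` per expanded entry and is the check to trust over the ASDM dashboard; it also shows how an `object-group` rule is expanded into one ACE per service entry (the tcp-udp line becomes two), which is what the list built here mirrors.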
05-17-2011 01:46 PM
That's what I needed; here is the bug ID: CSCtl99214.
Hope it helps.
Mike
05-17-2011 02:10 PM
Thanks for the link. But where can I download the fix? I didn't find it in the download area.
Markus