Network and Service object groups not working in extended ACL

joseramada
Level 1

Hello all.


I've been facing a strange problem with network and service object groups so I decided to post it here to get some help.

I am trying to use network and service object groups in an extended ACL applied to a VLAN on a Catalyst 4500 L3 switch (cat4500e-ENTSERVICES-M, Version 15.2(4)E9, RELEASE SOFTWARE (fc2)).


I create an object group with a private class C network (e.g. 192.168.15.0 255.255.255.0) and then I try to use it to deny ICMP packets at the top of the ACL. The configuration is:

    Network object group stop_icmp
      192.168.15.0 255.255.255.0

    Extended IP access list ACL-TEST-OUT
      10 deny icmp object-group stop_icmp any
      20 permit ip any any (44 estimate matches)


If I use the object group "stop_icmp" in the ACL, no ping (from any network) is allowed. If I use "192.168.15.0 0.0.0.255" instead of "object-group stop_icmp", the ACL works as expected (it only stops pings from the 192.168.15.0/24 network).


I've also tried a service object group. I've created a service group to stop SSH and HTTP.

    Service object group stop_services
       tcp eq 22
       tcp eq 80

    Extended IP access list ACL-TEST-OUT
      10 deny object-group stop_services any any
      20 permit ip any any (62 estimate matches)


The deny rule simply doesn't work. SSH and HTTP pass just fine. If I replace "deny object-group stop_services any any" with "deny tcp any any eq 22" and "deny tcp any any eq 80", the two protocols are denied.


Is there no support for network and service object groups in this equipment or IOS release?


Regards,

Jose
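For reference, here are the same object groups and ACL written as configuration commands rather than `show` output, bound to an SVI, together with the commands used to verify what is actually matching. This is an added example, not the original poster's configuration: the interface name Vlan20 and its address are assumptions, and the "explicit" ACL at the end is simply the wildcard-mask form the poster reports as working on this release.

```cisco
! Added example (not from the original post). Object groups, ACL and SVI
! binding written as configuration commands; Vlan20 and 192.168.20.1/24
! are assumed values.
object-group network stop_icmp
 192.168.15.0 255.255.255.0
!
object-group service stop_services
 tcp eq 22
 tcp eq 80
!
ip access-list extended ACL-TEST-OUT
 deny   icmp object-group stop_icmp any
 deny   object-group stop_services any any
 permit ip any any
!
! An outbound ACL on an SVI filters traffic leaving the switch toward that
! VLAN's hosts, so a source of 192.168.15.0/24 is only seen here when that
! network lives on a VLAN other than Vlan20 (assumed).
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group ACL-TEST-OUT out
!
! Verification: confirm the object-group contents, reset the counters, then
! send ICMP / SSH / HTTP from a 192.168.15.0/24 host and from another network
! and watch which ACL line increments.
! show object-group
! clear ip access-list counters ACL-TEST-OUT
! show ip access-lists ACL-TEST-OUT
!
! Fallback the poster reports as working: the same policy with explicit
! wildcard masks and ports instead of object groups.
ip access-list extended ACL-TEST-OUT-EXPLICIT
 deny   icmp 192.168.15.0 0.0.0.255 any
 deny   tcp any any eq 22
 deny   tcp any any eq 80
 permit ip any any
```

Because the 4500 reports hardware counters as "estimate matches", compare which line's counter moves for each test flow rather than relying on a single exact count; if the object-group line counts hits for traffic from other networks while the explicit form does not, that isolates the problem to the object-group expansion rather than the ACL placement or direction.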

2 Replies

This is a strange one. Under object config, if you use ? after the subnet, does it say netmask or wildcard?

I am using a 4500 and I know it uses a netmask, but I want to confirm it with your case.

**** please remember to rate useful posts

In my case it is a network mask, as I posted above in "Network object group stop_icmp".


    switch(config-network-group)#192.168.15.0 ?
    /nn or A.B.C.D Network mask
