Unable to add object-group to acl

rakyomin78 · ‎07-02-2011

Hi,

I have encountered a problem which puzzles me.

Here are my object-groups:

object-group network fserve

network-object host fserve-active

network-object host fserve-standby

object-group service fserve-services

service-object tcp eq www

service-object tcp eq ftp

object-group icmp-type test-connection

icmp-object echo

icmp-object echo-reply

icmp-object unreachable

icmp-object time-exceeded

object-group network dmz-hosts

group-object fserve

object-group service dmz-services

group-object fserve-services

object-group network inside-hosts

description define inside hosts

network-object 172.16.0.0 255.255.0.0

object-group protocol dmz-ports

protocol-object tcp

I am trying to add in a service object group but asa refuses and said it was an error. Here's what I type:

access-list pub->dmz extended permit object-group dmz-ports any object-group dmz-hosts object-group dmz-services

Here's what ASA said:

ERROR: specified object group <dmz-services> has wrong type; expecting service type

I would like to know what have gone wrong...dmz-services is indeed service object-group but asa refused to accept it.

Thanks.

haivrajesh · ‎07-02-2011

You have to mention group-object fserver-services >> what and all included this need to add in to same then only work.

Rajeswar

rakyomin78 · ‎07-02-2011

Thank you for your reply, but sorry I do not understand what you mean.

If you mean dmz-services did not include group-object fserve-services, then look again at the object group config.

object-group service dmz-services

group-object fserve-services

rakyomin78 · ‎07-02-2011

I have fixed the problem.