12-01-2014 01:53 PM - edited 03-11-2019 10:10 PM
Greetings-
I'm troubleshooting a connectivity issue to a web server in my DMZ. I'm comparing packet tracer output to that of my mail server as it's also in the DMZ and on the same subnet. The only difference I notice between the output of running packet tracer against each IP address is my web server shows this:
## access-list Outside_access_in extended permit tcp any object Server_Lync_rProxy object-group DM_INLINE_TCP_5
while my mail server shows this:
## access-list Outside_access_in extended permit tcp any object Server_ExMail object-group DM_INLINE_TCP_2
My question is: what is the object-group service DM_INLINE_TCP_5? Or DM_INLINE_TCP_2?
12-01-2014 07:35 PM
When someone builds the access-list entries using ASDM and just relies on the graphical interface to show them what's in the allowed addresses or services, the tool (the "device manager" or "DM") creates object-groups dynamically to translate that graphical representation into configuration text the ASA can parse. The "proper" way to do this is to create named object groups that can be more easily understood by someone whether they are seeing it in the GUI or in the CLI.
If you type "show run object-group" at the CLI, you will get a listing of the configuration sections that define the object groups and show you what they consist of.
12-02-2014 03:20 PM
For this reason, I always create the groups and objects manually instead of creating them on the fly. Better yet, if you have the skills, create them via CLI. Nothing is more confusing than troubleshooting something like a busy firewall or FWSM and getting to stupid stuff like DM_INLINE_433. That's when your head explodes...
Just my .02 :)
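Added example, not part of the original thread and not Cisco tooling: a small Python script that takes saved "show run" text and prints, for each access-list line, what every referenced object-group (including ASDM's DM_INLINE_* ones) actually expands to, following nested group-object references. The two ACL lines are the ones from the question; the group contents and the function names are constructed for illustration.

```python
import re

# Constructed "show run" excerpt. The two ACL lines come from the question;
# the object-group contents are invented here, not the poster's real config.
SAMPLE_CONFIG = """\
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_5 tcp
 group-object WEB_PORTS
 port-object range 8080 8081
object-group service DM_INLINE_TCP_2 tcp
 port-object eq smtp
access-list Outside_access_in extended permit tcp any object Server_Lync_rProxy object-group DM_INLINE_TCP_5
access-list Outside_access_in extended permit tcp any object Server_ExMail object-group DM_INLINE_TCP_2
"""

def parse_object_groups(config):
    """Map each object-group name to its indented member lines."""
    groups, current = {}, None
    for line in config.splitlines():
        header = re.match(r"object-group \S+ (\S+)", line)
        if header:
            current = groups.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level line ends the group body
    return groups

def resolve(name, groups, seen=()):
    """Flatten one group, following nested group-object references."""
    if name not in groups or name in seen:
        return [f"<undefined or circular group {name}>"]
    out = []
    for member in groups[name]:
        nested = re.match(r"group-object (\S+)", member)
        out += resolve(nested.group(1), groups, seen + (name,)) if nested else [member]
    return out

def explain_acl(config):
    """For every access-list line, expand each object-group it references."""
    groups = parse_object_groups(config)
    return {line: {ref: resolve(ref, groups) for ref in re.findall(r"object-group (\S+)", line)}
            for line in config.splitlines() if line.startswith("access-list ")}

if __name__ == "__main__":
    for acl, refs in explain_acl(SAMPLE_CONFIG).items():
        print(acl, refs, sep="\n  ")
```

A group that an ACL references but that is missing from the saved text is reported as undefined rather than silently skipped, which is worth checking before renaming or cleaning up DM_INLINE groups.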