Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4917
Views
10
Helpful
2
Replies

what is "object-group service DM_INLINE_TCP_5"

Go to solution
SteveSmo1
Level 1
Level 1

‎12-01-2014 01:53 PM - edited ‎03-11-2019 10:10 PM

Greetings-

I'm troubleshooting a connectivity issue to a web server in my DMZ. I'm comparing packet tracer output to that of my mail server as it's also in the DMZ and on the same subnet. The only difference I notice between the output of running packet tracer against each IP address is my web server shows this:

## access-list Outside_access_in extended permit tcp any object Server_Lync_rProxy object-group DM_INLINE_TCP_5

while my mail server shows this:

## access-list Outside_access_in extended permit tcp any object Server_ExMail object-group DM_INLINE_TCP_2. My question is what is the object-group service DM_INLINE_TCP_5? Or DM_INLINE_TCP_2

<!--break-->

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎12-01-2014 07:35 PM

When someone builds the access-list entries using ASDM and just relies on the graphical interface to show them what's in the allowed addresses or services, the tool (the "device manager" or "DM") creates object-groups dynamically to translate that graphical representation into configuration text the ASA can parse. The "proper" way to do this is to create named object groups that can be more easily understood by someone whether they are seeing it in the GUI or in the cli.

If you type "show run object-group" at the cli, you will get a listing of the configuration sections that define the object groups and shows you what they consist of.

View solution in original post

2 Replies 2

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎12-01-2014 07:35 PM

When someone builds the access-list entries using ASDM and just relies on the graphical interface to show them what's in the allowed addresses or services, the tool (the "device manager" or "DM") creates object-groups dynamically to translate that graphical representation into configuration text the ASA can parse. The "proper" way to do this is to create named object groups that can be more easily understood by someone whether they are seeing it in the GUI or in the cli.

If you type "show run object-group" at the cli, you will get a listing of the configuration sections that define the object groups and shows you what they consist of.

Go to solution
Preston Kilburn
Level 1
Level 1
In response to Marvin Rhoads

‎12-02-2014 03:20 PM

For this reason, I always create the groups and objects manually instead of creating them on the fly.  Better yet, if you have the skills, create them via CLI.  Nothing is more confusing than troubleshooting something like a busy firewall or FWSM and getting to stupid stuff like DM_INLINE_433.  That's when your head explodes...

 

Just my .02 :)

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card