object-group acls

simmo
Level 1

Hi,

Looking at the object-group based ACLs, I can't quite understand how to configure destination ports properly.

For example, I want to permit SSH through an interface.

In the old days this would be:

access-list 123 permit tcp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 22

The object-group syntax seems to be:

permit 'service object-group' 'source address object-group' 'destination address object-group'

So how can I restrict the SSH traffic to the destination object-group only? Does the 'service object-group' apply to the source or destination addresses, or both?

I was expecting something like this:

permit tcp object-group SOURCE object-group DEST object-group SSH

where the object groups are source address ranges, destination address ranges and destination ports.

Cheers, Simmo.

1 Reply 1

mirober2
Cisco Employee

Hi Simmo,

The syntax would look like this:

object-group service ssh-og tcp
 port-object eq ssh
!
access-list ssh-acl permit tcp 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0 object-group ssh-og

Since the object-group comes after the destination IP address, this only applies to the destination port.

The object-group that comes after the 'permit' keyword would be used for an 'object-group protocol' rather than an 'object-group service'.

Hope that helps.

-Mike
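Putting Simmo's address groups together with Mike's service group, as an added example that is not part of either post. It assumes the ASA syntax Mike used; the group names, the interface name "inside" and the 10.10.10.0/24 and 20.20.20.0/24 ranges are placeholders taken from the thread.

```cisco
! Source and destination address ranges as network object-groups
! (placeholder names; addresses are the ones from Simmo's question)
object-group network SOURCE-NET
 network-object 10.10.10.0 255.255.255.0
object-group network DEST-NET
 network-object 20.20.20.0 255.255.255.0
!
! Service object-group holding the destination port (tcp/22)
object-group service SSH-SVC tcp
 port-object eq ssh
!
! The service group sits after the destination address group, so it
! matches only the destination port; the source port stays unrestricted.
access-list ssh-acl extended permit tcp object-group SOURCE-NET object-group DEST-NET object-group SSH-SVC
!
! Apply the ACL inbound on the interface (placeholder interface name)
access-group ssh-acl in interface inside
```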
