
object-group acls

simmo
Level 1

Hi,

Looking at the object-group based ACLs, I can't quite understand how to configure destination ports properly.

For example, I want to permit SSH through an interface.

In the old days this would be:

access-list 123 permit tcp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 22

The object-group syntax seems to be:

permit 'service object-group' 'source address object-group' 'destination address object-group'

So how can I restrict the SSH traffic to the destination object-group only? Does the 'service object-group' apply to the source or destination addresses, or both?

I was expecting something like this:

permit tcp object-group SOURCE object-group DEST object-group SSH

where the object groups are source address ranges, destination address ranges and destination ports.

Cheers, Simmo.

1 reply

mirober2
Cisco Employee

Hi Simmo,

The syntax would look like this:

object-group service ssh-og tcp

     port-object eq ssh

!

access-list ssh-acl permit tcp 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0 object-group ssh-og

Since the object-group comes after the destination IP address, this only applies to the destination port.

The object-group that comes after the 'permit' keyword would be used for an 'object-group protocol' rather than an 'object-group service'.

Hope that helps.

-Mike
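To make Mike's point testable offline, here is a small evaluator for the ACL form he shows (added example, not code from the thread or from Cisco). It parses network and service object-groups plus `access-list ... extended permit` lines in ASA netmask notation, then answers "would this flow be permitted?" by first match with the implicit deny at the end. The network object-group names SOURCE and DEST are hypothetical; `ssh-og` and `ssh-acl` are the names from the reply. The evaluator accepts a source port purely to show that it is never consulted: a service object-group after the destination address constrains the destination port only.

```python
"""ASA-style object-group ACL evaluator (added example, not from the thread)."""
import ipaddress

# Constructed sample config. SOURCE/DEST are hypothetical group names;
# ssh-og and ssh-acl are taken from the reply above.
SAMPLE_CONFIG = """
object-group network SOURCE
 network-object 10.10.10.0 255.255.255.0
object-group network DEST
 network-object 20.20.20.0 255.255.255.0
object-group service ssh-og tcp
 port-object eq ssh
!
access-list ssh-acl extended permit tcp object-group SOURCE object-group DEST object-group ssh-og
"""

PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80, "https": 443}


def port_number(tok):
    """Named port (as accepted in port-object) or a plain number -> int."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def take_addr(tok, i, networks):
    """Consume one address spec at tok[i]; return (list of networks, next index)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1] + "/32")], i + 2
    if tok[i] == "object-group":
        return networks[tok[i + 1]], i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2  # address mask


def parse_ace(tok, networks, services):
    """Parse '[extended] permit|deny PROTO SRC DST [port-spec]' into a dict."""
    i = 1 if tok[0] == "extended" else 0
    action, proto = tok[i], tok[i + 1]
    src, i = take_addr(tok, i + 2, networks)
    dst, i = take_addr(tok, i, networks)
    dports = None  # None: any destination port
    if i < len(tok):
        if tok[i] == "object-group":  # after the destination -> destination ports
            svc = services[tok[i + 1]]
            if svc["proto"] != proto:
                raise ValueError(f"{tok[i + 1]} is a {svc['proto']} group, ACE is {proto}")
            dports = svc["ports"]
        elif tok[i] == "eq":
            p = port_number(tok[i + 1])
            dports = [(p, p)]
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dports": dports}


def parse_config(text):
    """Return {acl_name: [ace, ...]} from object-group and access-list lines."""
    networks, services, acls = {}, {}, {}
    current = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "object-group" and tok[1] == "network":
            current = networks.setdefault(tok[2], [])
        elif tok[0] == "object-group" and tok[1] == "service":
            # 'object-group service NAME tcp|udp': its port-objects belong to that protocol
            current = services.setdefault(tok[2], {"proto": tok[3], "ports": []})["ports"]
        elif tok[0] == "network-object":
            net = tok[2] + "/32" if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
            current.append(ipaddress.ip_network(net))
        elif tok[0] == "port-object":
            lo = port_number(tok[2])
            hi = port_number(tok[3]) if tok[1] == "range" else lo
            current.append((lo, hi))
        elif tok[0] == "access-list":
            acls.setdefault(tok[1], []).append(parse_ace(tok[2:], networks, services))
    return acls


def evaluate(acls, name, proto, src, dst, sport, dport):
    """First-match evaluation -> 'permit' or 'deny' (implicit deny at the end).

    sport is deliberately never read: the service object-group in this ACE
    form is a destination-port constraint only.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acls.get(name, []):
        if ace["proto"] not in (proto, "ip"):
            continue
        if not any(s in n for n in ace["src"]) or not any(d in n for n in ace["dst"]):
            continue
        if ace["dports"] is not None and not any(lo <= dport <= hi for lo, hi in ace["dports"]):
            continue
        return ace["action"]
    return "deny"


ACLS = parse_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    for flow in [("10.10.10.5", "20.20.20.7", 51234, 22),  # SSH to DEST: permit
                 ("10.10.10.5", "20.20.20.7", 51234, 23),  # telnet: implicit deny
                 ("10.10.10.5", "20.20.20.7", 22, 80)]:    # source port 22 is irrelevant
        print(flow, "->", evaluate(ACLS, "ssh-acl", "tcp", *flow))
```

The third flow is the one worth staring at: its source port is 22, its destination port is 80, and it is denied, which is exactly the "destination port only" behaviour described above. Swap the `port-object eq ssh` line for a `port-object range` or add a second `access-list` line to see how first-match ordering interacts with the groups.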