10-08-2003 10:06 PM - edited 03-09-2019 05:05 AM
I need to ping a set of remote hosts to determine connectivity. I want to use object-groups to limit the number of commands used. I have the ICMP group set for echo-reply, source-quench, unreachable, and time-exceeded. I also have a network object group set up for the 5 remote hosts to be pinged. However, I am having trouble incorporating these object-groups into the static and Access-list commands in any way that allows the ping set back in the PIX. What could be going wrong?
10-09-2003 09:51 PM
Hi,
Can you please show what object groups you are using and how. You can't include object groups in static.
You can only do it in access-lists. What is the trouble you are having? What IOS code is it?
Thanks
Nadeem
10-10-2003 03:57 AM
I'm just not getting the replies, and the network is up. (By the way, would it complicate matters if this was through a VPN tunnel? It is. However, my users are getting their traffic through the tunnel and I can see that it is up and running.)
Yes, I have been finding this out about the static command the hard way. But, I thought (and was taught) that you could substitute object-groups anywhere that the individual service, protocol, or network address could go?
The IP addresses have been changed for security reasons (and are random out of my head.)
What you see below are some command sets that I have tried at various times.
**********************************************
Static (inside,outside) interface 192.16.1.5 netmask 255.255.255.0 0 0
object-group icmp-type echo
icmp-object echo-reply
icmp-object source-quench
icmp-object unreachable
icmp-object time-exceeded
object-group network ping
network-object server 255.255.255.255
network-object 172.168.1.2 255.255.255.255
network-object 172.168.3.2 255.255.255.255
access-list 101 permit icmp object-group ping any
access-list 102 permit icmp object-group ping interface outside object-group echo
*******************************
Thanks for your assistance in advance!
10-10-2003 09:42 AM
You meant to have something like this
Static (inside,outside) interface 192.16.1.5 netmask 255.255.255.0 0 0
object-group icmp-type icmp-allowed
icmp-object echo-reply
icmp-object source-quench
icmp-object unreachable
icmp-object time-exceeded
object-group network mydestination
network-object server 255.255.255.255
network-object 172.168.1.2 255.255.255.255
network-object 172.168.3.2 255.255.255.255
access-list 101 permit icmp object-group mydestination any icmp-allowed
access-group 101 in interface outside
Thanks
Nadeem
10-10-2003 10:24 AM
I am trying to learn object grouping, too. Shouldn't the ACL be
access-list 101 permit icmp object-group mydestination any object-group icmp-allowed
10-10-2003 10:40 AM
Hi,
Yes, you are right, sorry I missed the syntax in the access-list
Thanks
Nadeem
10-11-2003 11:24 AM
So it looks as though the access-list statement is where I am in error. Please tell me if I am reading this correctly..."access-list 101 permit icmp object-group mydestination any object-group icmp-allowed" translates to "permit icmp from mydestination to icmp-allowed", correct? What does the 'any' in there do? It looks out of place to me, since I have the source and destination in there already. Also, why can't I use object-grouping in the static command for network and protocols?
Thanks in advance,
Steve
10-11-2003 09:29 PM
Hi,
icmp-allowed is the type of icmp to be allowed, e.g. echo-reply etc.
NO, it does not translate to this. It translates to
"permit icmp from mydestination to *ANY* but only these icmp-types are allowed."
I don't have an answer for why we can't use object-grouping in static. My best guess is that, usually, statics are based on IPs to IPs, with some continuity in the IP addresses, so that it can be summarized. If you make an object group for static you may put discontiguous IP addresses in it, etc.
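As an added illustration that is not part of the thread: the PIX installs an access-list line that references object-groups by expanding it into one entry per combination of group members, which is why the source group, the literal 'any' destination and the icmp-type group are all still needed. The script below mirrors that expansion for the corrected line, using constructed group definitions with the thread's names and addresses, and rejects a group name written without the object-group keyword (the mistake corrected earlier in the thread).

```python
import itertools

# Constructed config using the group names and addresses from the thread.
CONFIG = """
object-group icmp-type icmp-allowed
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object unreachable
 icmp-object time-exceeded
object-group network mydestination
 network-object host 172.168.1.2
 network-object 172.168.3.2 255.255.255.255
"""

def parse_object_groups(config):
    # Returns {name: [member, ...]} for network and icmp-type object-groups.
    groups, current = {}, None
    for line in config.splitlines():
        parts = line.split()
        if not parts: continue
        if parts[0] == "object-group":          # object-group <kind> <name>
            current = groups.setdefault(parts[2], [])
        elif parts[0] == "network-object" and current is not None:
            if parts[1] == "host" or parts[2] == "255.255.255.255":
                current.append("host " + (parts[2] if parts[1] == "host" else parts[1]))
            else:
                current.append(f"{parts[1]} {parts[2]}")   # network + mask
        elif parts[0] == "icmp-object" and current is not None:
            current.append(parts[1])
    return groups

def expand_ace(ace, groups):
    # Expands each 'object-group NAME' in one ACE into the concrete ACEs the PIX installs.
    tokens, slots, i = ace.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "object-group":
            if tokens[i + 1] not in groups:
                raise ValueError(f"undefined object-group {tokens[i + 1]}")
            slots.append(groups[tokens[i + 1]])
            i += 2
        elif tokens[i] in groups:   # group name without the keyword: the thread's mistake
            raise ValueError(f"{tokens[i]} is a group name; write 'object-group {tokens[i]}'")
        else:
            slots.append([tokens[i]])
            i += 1
    return [" ".join(combo) for combo in itertools.product(*slots)]

if __name__ == "__main__":
    g = parse_object_groups(CONFIG)
    for line in expand_ace("access-list 101 permit icmp object-group mydestination any object-group icmp-allowed", g):
        print(line)   # 2 sources x 4 icmp-types = 8 ACEs; the destination stays 'any'
```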