08-06-2010 01:16 AM - edited 03-11-2019 11:21 AM
My goal is to be able to edit firewall exceptions "on the fly" and without having to hack an ACL. I have created a service object-group that contains exceptions to the firewall; however, when I apply this object-group to the firewall ACL, it opens up the ACL entirely!
What am I doing wrong with this configuration? Thanks very much for any insight you can provide!
Cisco 871 running c870-advsecurityk9-mz.124-22.T.bin. Here are the configs:
ip access-list extended FIREWALL
permit object-group FIREWALL-EXCEPTIONS any any log
permit udp any eq bootps any eq bootpc
deny ip any any
object-group service FIREWALL-EXCEPTIONS
description <<< specific ports allowed through the firewall >>>
tcp eq 443
tcp eq 25
tcp eq 80
interface FastEthernet4
ip dhcp client client-id FastEthernet4
ip address dhcp
ip access-group FIREWALL in
ip access-group WAN-EGRESS-FILTER out
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip accounting access-violations
ip nat outside
ip inspect INSPECT-FIREWALL out
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
arp timeout 600
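An added example, not part of the original post: a small Python script that parses the ACL and service object-group exactly as pasted above and expands the object-group ACE into the flat ACEs it is meant to be equivalent to, which gives a baseline to compare against what the router actually permits. It assumes IOS service-group semantics where `tcp eq N` is a destination-port match and a bare protocol entry (e.g. `tcp` with no port) matches every port of that protocol; the function names are my own.

```python
import re

# Constructed copy of the poster's ACL and object-group, embedded so this runs offline.
CONFIG = """
ip access-list extended FIREWALL
 permit object-group FIREWALL-EXCEPTIONS any any log
 permit udp any eq bootps any eq bootpc
 deny ip any any
object-group service FIREWALL-EXCEPTIONS
 description <<< specific ports allowed through the firewall >>>
 tcp eq 443
 tcp eq 25
 tcp eq 80
"""

def parse_config(text):
    acls, groups, current = {}, {}, None   # name -> list of lines under that stanza
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list extended "):
            current = acls.setdefault(line.split()[-1], [])
        elif line.startswith("object-group service "):
            current = groups.setdefault(line.split()[-1], [])
        elif line and current is not None and not line.startswith("description"):
            current.append(line)
    return acls, groups

def expand_acl(name, acls, groups):
    """Rewrite 'permit object-group G <src> <dst> ...' as one flat ACE per group entry.
    Assumption: 'tcp eq N' is a destination-port match; src/dst are single tokens like 'any'."""
    expanded = []
    for ace in acls[name]:
        m = re.match(r"(permit|deny) object-group (\S+) (\S+) (\S+)(.*)", ace)
        if not m:
            expanded.append(ace)                # ordinary ACE, copied through unchanged
            continue
        action, group, src, dst, rest = m.groups()
        for entry in groups[group]:
            p = entry.split()
            if len(p) == 1:                     # bare protocol: every port of that protocol
                expanded.append(f"{action} {p[0]} {src} {dst}{rest}")
            elif len(p) == 3 and p[1] == "eq":  # destination-port match
                expanded.append(f"{action} {p[0]} {src} {dst} eq {p[2]}{rest}")
            else:
                raise ValueError(f"unsupported entry in {group}: {entry!r}")
    return expanded

def bare_protocol_entries(groups):
    # Entries with no port qualifier admit a whole protocol rather than specific ports.
    return [(g, e) for g, entries in groups.items() for e in entries if len(e.split()) == 1]
```

Running `expand_acl("FIREWALL", *parse_config(CONFIG)[::1])` after parsing shows the three intended `permit tcp any any eq <port> log` lines followed by the unchanged bootp and deny entries; any group entry reported by `bare_protocol_entries` is one that would admit far more than a single port.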