object-group ACL issues

Hi all,

I am currently building an object-group based ACL for use on my Internet-facing router (a Cisco 897VA-K9 running IOS 15.3-3.M5).

I have defined my object-groups and created an ACL entry for them, but it appears traffic which matches the objects in the object-group is still being blocked. I feel like I'm doing something wrong!

Here's my config (cut down to only show relevant sections):


object-group service MerakiPorts
 udp eq 7351
 udp eq 1812
 tcp eq 7734
 tcp eq 7752
!
object-group network MerakiServers
 host 54.193.207.248
 host 64.62.142.12
 host 64.62.142.2
 185.17.255.128 255.255.255.128
 185.92.120.0 255.255.255.128
 199.231.78.0 255.255.255.0
 50.115.86.96 255.255.255.224
!
object-group service PSNPorts
 udp eq 3478
 udp eq 3479
 udp eq 3658
 udp eq 10070
!
interface Dialer0
 ip access-group outside-in in
!
ip access-list extended outside-in
 remark ***INBOUND from Internet***
 remark ---General web---
 permit tcp any any established
 permit udp host 208.67.222.222 eq domain any
 permit udp host 8.8.8.8 eq domain any
 permit udp any eq ntp any
 remark ---PING---
 permit icmp any any echo-reply
 permit icmp any any traceroute
 remark ---PS4---
 remark >>>General PSN<<<
 permit object-group PSNPorts any any
 remark ---Synology---
 remark >>>BitTorrent<<<
 permit tcp any any eq 51413
 permit udp any any eq 51413
 remark >>>PlexServer<<<
 permit tcp any any eq 32400
 remark >>>WakeOnLAN<<<
 permit udp any any eq echo
 remark ---Meraki management---
 permit object-group MerakiPorts object-group MerakiServers any log-input
 deny   ip any any log-input


...And I'm seeing the following logs:


Oct  8 17:07:15.699: %SEC-6-IPACCESSLOGP: list outside-in denied udp 185.17.255.157(7351) (Dialer0 ) -> <my_ip>(46468), 1 packet
Oct  8 17:07:54.752: %SEC-6-IPACCESSLOGP: list outside-in denied udp 64.62.142.12(7351) (Dialer0 ) -> <my_ip>(45313), 7 packets
Oct  8 17:09:54.754: %SEC-6-IPACCESSLOGP: list outside-in denied udp 185.17.255.157(7351) (Dialer0 ) -> <my_ip>(46750), 7 packets
Oct  8 17:09:54.754: %SEC-6-IPACCESSLOGP: list outside-in denied udp 50.115.86.110(7351) (Dialer0 ) -> <my_ip>(44254), 50 packets
Oct  8 17:09:54.754: %SEC-6-IPACCESSLOGP: list outside-in denied udp 54.193.207.248(7351) (Dialer0 ) -> <my_ip>(42183), 8 packets


Any ideas would be greatly appreciated.

Cheers

4 Replies

Hi, can you share the sh object-groups and sh access-list outside-in output, just to see what it looks like?

Thanks,
Richard

To my knowledge, putting the service object group into the protocol field of the ACE only filters on the destination. But the denied traffic in your log is return traffic for sessions that are originated in your network.

The easiest would be to handle return traffic by activating stateful inspection like the following:

ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW ftp
!
interface dialer 0
 ip inspect FW out

This is an old message thread and it might have been solved already in which case I apologize for the late entry.

It appears to me that the permit line is scrambled.  Shouldn't it be

permit object-group MerakiServers object-group MerakiPorts any log-input

rather than

permit object-group MerakiPorts object-group MerakiServers any log-input

In other words, IP addresses before ports rather than after?

No, the object-group with the services is located correctly where normally the protocol is specified. That is correct.
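The two replies above make one concrete claim: the service object-group sits in the protocol position of the ACE, and an entry written "udp eq 7351" is a destination-port match, so the logged packets (source port 7351, ephemeral destination port, i.e. the Meraki cloud answering a session the AP opened) cannot hit that line. The script below is an added example, not code from the thread or from Cisco. It parses the poster's %SEC-6-IPACCESSLOGP lines, models just the address and port matching of that ACE, and shows that none of the five denied flows match the group as posted, while all of them would match if the group also carried source-port entries. Assumptions: the <my_ip> placeholder is replaced with the documentation address 203.0.113.10, and the "source eq" form of a service object-group entry is taken from the IOS command syntax as I recall it; verify it on the platform with "show object-group" before relying on it.

```python
"""Check the replies' explanation against the posted denied-packet log lines.

Added example, not code from the thread. It models one property of the ACE
'permit object-group MerakiPorts object-group MerakiServers any': an entry
written "udp eq 7351" matches the *destination* port, while the logged
packets carry 7351 as the *source* port. "<my_ip>" is replaced by the
documentation address 203.0.113.10 (constructed, not the poster's IP).
"""
import ipaddress
import re

# The thread's log lines with <my_ip> substituted (constructed sample input).
LOG_LINES = """\
Oct  8 17:07:15.699: %SEC-6-IPACCESSLOGP: list outside-in denied udp 185.17.255.157(7351) (Dialer0 ) -> 203.0.113.10(46468), 1 packet
Oct  8 17:07:54.752: %SEC-6-IPACCESSLOGP: list outside-in denied udp 64.62.142.12(7351) (Dialer0 ) -> 203.0.113.10(45313), 7 packets
Oct  8 17:09:54.754: %SEC-6-IPACCESSLOGP: list outside-in denied udp 185.17.255.157(7351) (Dialer0 ) -> 203.0.113.10(46750), 7 packets
Oct  8 17:09:54.754: %SEC-6-IPACCESSLOGP: list outside-in denied udp 50.115.86.110(7351) (Dialer0 ) -> 203.0.113.10(44254), 50 packets
Oct  8 17:09:54.754: %SEC-6-IPACCESSLOGP: list outside-in denied udp 54.193.207.248(7351) (Dialer0 ) -> 203.0.113.10(42183), 8 packets
"""

# IPACCESSLOGP layout: list <acl> denied <proto> <src>(<sport>) (<intf>) -> <dst>(<dport>), <n> packet(s)
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) \((?P<intf>[^)]*)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_log(text):
    """Return one dict per parsed IPACCESSLOGP line; unrelated lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            flows.append({
                "action": d["action"], "proto": d["proto"],
                "src": d["src"], "sport": int(d["sport"]),
                "dst": d["dst"], "dport": int(d["dport"]),
                "count": int(d["count"]),
            })
    return flows


# object-group network MerakiServers, exactly as posted.
MERAKI_SERVERS = [ipaddress.ip_network(n) for n in (
    "54.193.207.248/32", "64.62.142.12/32", "64.62.142.2/32",
    "185.17.255.128/25", "185.92.120.0/25", "199.231.78.0/24",
    "50.115.86.96/27",
)]

# object-group service MerakiPorts as posted: every entry is "<proto> eq <port>",
# which IOS treats as a destination-port match.
MERAKI_PORTS_AS_POSTED = [
    ("udp", "dport", 7351), ("udp", "dport", 1812),
    ("tcp", "dport", 7734), ("tcp", "dport", 7752),
]

# The same group extended with source-port entries, the equivalent of adding
# e.g. "udp source eq 7351" to the object-group. Assumption: the service
# object-group accepts a "source" keyword; verify on the platform first.
MERAKI_PORTS_WITH_SOURCE = MERAKI_PORTS_AS_POSTED + [
    ("udp", "sport", 7351), ("udp", "sport", 1812),
    ("tcp", "sport", 7734), ("tcp", "sport", 7752),
]


def in_network_group(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def ace_matches(flow, services, src_networks):
    """Model 'permit object-group <services> object-group <src_networks> any'."""
    if not in_network_group(flow["src"], src_networks):
        return False
    return any(proto == flow["proto"] and flow[field] == port
               for proto, field, port in services)


def looks_like_return_traffic(flow, services):
    """Source port is one of the service ports and the destination port is ephemeral."""
    service_ports = {(proto, port) for proto, _field, port in services}
    return (flow["proto"], flow["sport"]) in service_ports and flow["dport"] >= 1024


def summarize(flows, services, src_networks):
    """Count how many logged flows and packets the ACE would (not) have permitted."""
    matched, unmatched = [], []
    for f in flows:
        (matched if ace_matches(f, services, src_networks) else unmatched).append(f)
    return {
        "flows_matched": len(matched),
        "flows_unmatched": len(unmatched),
        "packets_unmatched": sum(f["count"] for f in unmatched),
        "return_traffic": sum(looks_like_return_traffic(f, services) for f in flows),
    }


if __name__ == "__main__":
    flows = parse_log(LOG_LINES)
    print("as posted:  ", summarize(flows, MERAKI_PORTS_AS_POSTED, MERAKI_SERVERS))
    print("with source:", summarize(flows, MERAKI_PORTS_WITH_SOURCE, MERAKI_SERVERS))
```

Run stand-alone it prints two summaries: with the group as posted, 0 of 5 flows (73 packets) match, and all 5 look like return traffic; with source-port entries, all 5 match. Either adding those entries or, as the reply above suggests, letting stateful inspection open the return path makes the "deny ip any any log-input" line stop firing for this traffic; the inspection route is the tighter one, because source-port entries permit anything that merely sets its source port to 7351 from those address ranges.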
