06-01-2021 03:10 AM - edited 06-02-2021 01:13 AM
Hi Team,
I would like to specify a few "object-group network" and a few "object-group service" groups and mix them together.
My requirement is to define a rule so that traffic can be allowed to the following set of IPs, but only to the mentioned ports.
However, I can't couple an object-group network and an object-group service. I get an error that says "Object group type mismatch".
How can I achieve this on Cisco IOS XE?
object-group network test_servers
 host 10.13.3.200
 host 10.13.3.90
 host 10.13.7.200
 host 10.13.3.130
 host 10.13.3.213
 host 10.13.25.130
!
object-group service test_ports
 udp eq 5060
 udp eq 5061
!
ASR1000(config)#object-group network test_servers
ASR1000(config-network-group)#group-object test_ports
Object group type mismatch
ASR1000(config-network-group)#
ASR1000(config)#object-group service test_ports
ASR1000(config-service-group)#group-object test_servers
Object group type mismatch
ASR1000(config-service-group)#
06-01-2021 03:44 AM
Hi there,
You combine the two objects-groups via an ACL, eg:
!
ip access-list extended DEMO-ACL
 permit object-group test_ports object-group test_servers any
 deny udp any any
end
!
This would permit UDP traffic from the test-servers group sourced on UDP ports 5060 and 5061 to any destination.
cheers,
Seb.
06-01-2021 04:04 AM
Hi Seb,
Thank you for the reply,
But this brought up few more doubts.
1) The ports defined in the "object-group service", I thought they defined destination ports. There is an option to explicitly define the source ports, but not destination ports. So I thought the "object-group service" defined the destination ports by default. Is this not true?
2) My requirement is to allow traffic from a few outside IPs to those IPs / ports listed above in the object groups.
For example
Outside IPs - 192.168.1.1/ 192.168.100.1 etc.
So what I want is to set a rule as follows.
permit udp host 192.168.1.1 object-group test_servers <and match the ports defined in the object-group service test_ports>
I want to allow traffic from remote IP (192.168.1.1) to my internal IPs (object-group network test_servers) but only via the ports mentioned in object-group service test_ports
Please refer to the attached image
Hope my requirement is clear now!
06-01-2021 06:33 AM
Ah, you are correct, the source port needs to be explicitly defined in the object.
In your ACL the service group precedes the subnet elements:
!
 permit object-group test_ports 192.168.1.1 0.0.0.0 object-group test_servers
!
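A complete worked configuration of the pattern this thread arrives at, added here as an illustration (it is not part of any post above and not the OP's or Seb's configuration). The object-group names, the internal host addresses and the two outside addresses 192.168.1.1 and 192.168.100.1 are taken from the thread; the ACL name OUTSIDE-IN and the interface GigabitEthernet0/0/0 are assumptions.

```cisco
! Internal servers (addresses from the thread)
object-group network test_servers
 host 10.13.3.200
 host 10.13.3.90
 host 10.13.7.200
 host 10.13.3.130
 host 10.13.3.213
 host 10.13.25.130
!
! Permitted remote peers (the two outside addresses from the thread)
object-group network remote_peers
 host 192.168.1.1
 host 192.168.100.1
!
! Without the "source" keyword a port entry in a service group matches
! the DESTINATION port, which is what the OP asked for.
object-group service test_ports
 udp eq 5060
 udp eq 5061
!
! Object-group ACE order is: <service group> <source> <destination>.
! Mixing network and service groups happens here, in the ACE, not by
! nesting one group inside the other (that is the "type mismatch").
! ACL name is an assumption.
ip access-list extended OUTSIDE-IN
 permit object-group test_ports object-group remote_peers object-group test_servers
 deny ip any any log
!
! Interface name is an assumption; apply inbound on the outside interface.
interface GigabitEthernet0/0/0
 ip access-group OUTSIDE-IN in
!
```

The explicit "deny ip any any log" at the end is optional (the implicit deny already drops everything else) but gives visibility into what is being rejected. After applying, "show object-group" confirms the group contents and "show ip access-lists OUTSIDE-IN" shows per-ACE hit counters, so a test call from 192.168.1.1 to UDP 5060 on one of the servers should increment the permit entry rather than the deny.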
06-02-2021 03:35 AM
Excellent, this worked, Seb.
I have marked your reply as the solution
Cheers.