cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

290
Views
5
Helpful
3
Replies
Beginner

Help with ACL object-group expansion

I'm having trouble on an outbound vlan access map. I'm trying to get it to allow packets from 192.168.20.20 tcp/445 but the only way I can do it is manually entering the "expanded" version of the command.

 

object-group service cifs 
 description smb/cifs ports
 icmp echo
 tcp eq 139
 tcp eq 445
 udp eq netbios-ns
 udp eq netbios-dgm
 icmp echo-reply
 icmp traceroute
!
object-group network SERVER
host 192.168.20.20
!

When I reference those using:

...
 permit object-group cifs any object-group SERVER any
...
sh ip access-list FOO expanded
...
6 permit icmp host 192.168.20.20  any echo log
7 permit tcp host 192.168.20.20  any eq 139 log
8 permit tcp host 192.168.20.20  any eq 445 log
9 permit udp host 192.168.20.20  any eq netbios-ns log
10 permit udp host 192.168.20.20  any eq netbios-dgm log
11 permit icmp host 192.168.20.20  any echo-reply log
12 permit icmp host 192.168.20.20  any traceroute log

Only focusing on 445...the above defines any packet from 192.168.20.20 from any tcp port to dst tcp 445)

 

What I need it to expand to is:

(any packet from 192.168.20.20 from tcp 445 to any dst host any dst port)

permit tcp host 192.168.20.20 eq 445 any log <-- manually entering this works

 

So, how can I use service and network object groups to achieve the (permit tcp host 192.168.20.20 eq 445 any log) format for all of the services in the service group?

 

I'm quite possibly just doing it wrong :)

 

 

EDIT

I might have found it.

I think by creating a new service group using "source" rather than "eq" it expands how I intended. I was hoping to use same object group for each way (IN/OUT) but whatever.

object-group service cifs-src
tcp source eq 445
tcp source eq 139
udp source eq netbios-ns
udp source eq netbios-dgm
!

 

Everyone's tags (3)
3 REPLIES 3
Beginner

Re: Help with ACL object-group expansion

...I tried removing icmp so that the group would only be IP, no luck
Highlighted

Re: Help with ACL object-group expansion


Hi @lonelyadmin,

...
permit object-group cifs object-group SERVER any
...

HTH,
Meheretab
VIP Advisor

Re: Help with ACL object-group expansion

check the below guide and example end of document : 

 

https://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html

 

if still have issue, pelase post full configuration to have look.

 

Note : please do mentioned what is the device, what is IOS version you using also.

BB
*** Rate All Helpful Responses ***
CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards