1107 Views, 5 Helpful, 3 Replies

Help with ACL object-group expansion

lonelyadmin
Level 1

I'm having trouble on an outbound vlan access map. I'm trying to get it to allow packets from 192.168.20.20 tcp/445 but the only way I can do it is manually entering the "expanded" version of the command.


object-group service cifs 
 description smb/cifs ports
 icmp echo
 tcp eq 139
 tcp eq 445
 udp eq netbios-ns
 udp eq netbios-dgm
 icmp echo-reply
 icmp traceroute
!
object-group network SERVER
host 192.168.20.20
!

When I reference those using:

...
 permit object-group cifs any object-group SERVER any
...
sh ip access-list FOO expanded
...
6 permit icmp host 192.168.20.20  any echo log
7 permit tcp host 192.168.20.20  any eq 139 log
8 permit tcp host 192.168.20.20  any eq 445 log
9 permit udp host 192.168.20.20  any eq netbios-ns log
10 permit udp host 192.168.20.20  any eq netbios-dgm log
11 permit icmp host 192.168.20.20  any echo-reply log
12 permit icmp host 192.168.20.20  any traceroute log

Only focusing on 445... the above defines (any packet from 192.168.20.20 from any tcp port to dst tcp 445)


What I need it to expand to is:

(any packet from 192.168.20.20 from tcp 445 to any dst host any dst port)

permit tcp host 192.168.20.20 eq 445 any log <-- manually entering this works


So, how can I use service and network object groups to achieve the (permit tcp host 192.168.20.20 eq 445 any log) format for all of the services in the service group?


I'm quite possibly just doing it wrong :)


EDIT

I might have found it.

I think by creating a new service group using "source" rather than "eq" it expands how I intended. I was hoping to use the same object group for each way (IN/OUT) but whatever.

object-group service cifs-src
tcp source eq 445
tcp source eq 139
udp source eq netbios-ns
udp source eq netbios-dgm
!
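A constructed model of the expansion this thread is puzzling over (an added example, not Cisco code or output captured from the device): it flattens a service object-group against a network object-group the way the "expanded" output above does, and shows why a plain `tcp eq 445` entry lands on the destination port while `tcp source eq 445` lands on the source port. It assumes the ACE form `permit object-group cifs object-group SERVER any` (the form suggested in the replies) and copies the two service groups from the post as its sample input.

```python
"""Model of Cisco IOS object-group ACL expansion (constructed illustration).

Rule modelled from the thread: in a service object-group, 'tcp eq N' binds the
port to the DESTINATION, 'tcp source eq N' binds it to the SOURCE, and an
'icmp <type>' entry places the type after the destination address.
"""
import re

# Constructed copies of the two service groups and the network group from the post.
SERVICE_GROUPS = {
    "cifs": ["icmp echo", "tcp eq 139", "tcp eq 445", "udp eq netbios-ns",
             "udp eq netbios-dgm", "icmp echo-reply", "icmp traceroute"],
    "cifs-src": ["tcp source eq 445", "tcp source eq 139",
                 "udp source eq netbios-ns", "udp source eq netbios-dgm"],
}
NETWORK_GROUPS = {"SERVER": ["host 192.168.20.20"]}


def expand_service(entry: str):
    """Return (protocol, source-port clause, destination clause) for one entry."""
    m = re.fullmatch(r"(tcp|udp)(\s+source)?\s+eq\s+(\S+)", entry)
    if m:
        proto, is_source, port = m.group(1), bool(m.group(2)), m.group(3)
        clause = f"eq {port}"
        # 'source eq' -> port follows the source address; plain 'eq' -> destination
        return (proto, clause if is_source else "", "" if is_source else clause)
    m = re.fullmatch(r"icmp\s+(\S+)", entry)
    if m:
        return ("icmp", "", m.group(1))  # ICMP type trails the destination
    raise ValueError(f"unsupported service entry: {entry}")


def expand_ace(action: str, service_group: str, src_group: str, dst: str,
               log: bool = True):
    """Flatten '<action> object-group SVC object-group SRC <dst>' into ACE lines."""
    aces = []
    for src in NETWORK_GROUPS[src_group]:
        for entry in SERVICE_GROUPS[service_group]:
            proto, sport, dport = expand_service(entry)
            parts = [action, proto, src, sport, dst, dport, "log" if log else ""]
            aces.append(" ".join(p for p in parts if p))
    return aces


if __name__ == "__main__":
    for group in ("cifs", "cifs-src"):
        print(f"--- object-group service {group} ---")
        print("\n".join(expand_ace("permit", group, "SERVER", "any")))
```

Running it prints the seven destination-port ACEs for `cifs` (matching the expanded listing above) and the source-port ACEs for `cifs-src`, the first of which is the `permit tcp host 192.168.20.20 eq 445 any log` line that the outbound direction needs.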


3 Replies

lonelyadmin
Level 1
...I tried removing icmp so that the group would only be IP, no luck


Hi @lonelyadmin,

...
permit object-group cifs object-group SERVER any
...

HTH,
Meheretab

balaji.bandi
Hall of Fame

Check the guide below and the example at the end of the document:


https://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html


If you still have issues, please post the full configuration so we can have a look.


Note: please also mention what the device is and which IOS version you are using.

BB

***** Rate All Helpful Responses *****
