Help with object groups and ACL

Andy White
Level 3

Hello,

I'm trying to use object groups as I can see this access list is going to grow, so it will be easier to add to the groups, but I can't add the ACL. I've created the network and service groups.

access-list 123 permit tcp host 10.10.1.66 eq 601 10.15.10.0 0.0.0.255

object-group network servers1
 host 216.58.233.70
 host 212.84.71.166
!
object-group service servers1_Ports
 tcp eq www
 tcp eq 443

ip access-list extended 123
 131 permit tcp object-group servers1 object-group servers1_Ports 10.15.10.0 0.0.0.255

Error:

131 permit tcp object-group servers1 object-group servers1_Ports 10.15.10.0
                                                             ^ 0.0.0.255

What am I doing wrong?

Thanks

4 Replies

blau grana
Level 7

Hello Andy,

Try to specify the service object-group first, then the network object-group ->

ip access-list extended 123
 131 permit tcp object-group servers1_Ports object-group servers1 10.15.10.0 0.0.0.255

(config-ext-nacl)#permit ?
  object-group  Service object group

(config-ext-nacl)#permit object-group TEST ?
  object-group  Source network object group

Best Regards

Please rate all helpful posts and close solved questions


Hi,

It seems to want the network group first:

#131 permit tcp object-group ?
  WORD  Source network object group name

Ah I see:

131 permit ?
  object-group  Service object group

I see where the problem is.

This is your original configuration.

ip access-list extended 123
 131 permit tcp object-group servers1 object-group servers1_Ports 10.15.10.0 0.0.0.255

But if you specify the protocol ("131 permit tcp") you cannot use a service object-group. So a valid configuration will be like this:

ip access-list extended 123
 131 permit object-group servers1_Ports object-group servers1 10.15.10.0 0.0.0.255

- without TCP, and with the service object-group first

OR

ip access-list extended 123
 131 permit tcp object-group servers1 eq 80 443 10.15.10.0 0.0.0.255

- with TCP, without the service object-group, and with the ports explicitly configured

Best Regards

Please rate all helpful posts and close solved questions
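The ordering rule the replies converge on (either a protocol keyword followed by addresses and `eq` ports, or a service object-group first and only network object-groups in the address positions) can be checked before a line is pasted into a production router. The following is an added example, not code from this thread or from Cisco: a small Python linter for IOS extended ACEs that rejects the original line for the reason blau grana gives, accepts both corrected forms, and flattens an object-group ACE into the equivalent plain ACEs so the operator can see exactly what the router will match. The object-group contents are the ones posted in the thread; the port-name table and the restriction to the `eq` operator are simplifying assumptions of this example.

```python
"""Lint and expand Cisco IOS object-group ACEs (added example, not from the thread).

Grammar enforced (assumption based on the thread's "permit ?" output):
  permit|deny  {PROTOCOL | object-group SERVICE}  SRC [eq P...]  DST [eq P...]
where SRC/DST are "host A.B.C.D", "A.B.C.D WILDCARD", "any" or
"object-group NETWORK". A service object-group may only appear directly
after permit/deny, and a network object-group only in an address position.
"""
import re
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple

# Object-group contents exactly as posted in the thread.
NETWORK_GROUPS = {"servers1": ["216.58.233.70", "212.84.71.166"]}
SERVICE_GROUPS = {"servers1_Ports": [("tcp", "www"), ("tcp", "443")]}

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_NAMES = {"www", "domain", "smtp", "ssh"}   # small constructed subset
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


@dataclass
class Ace:
    action: str
    protocol: Optional[str]        # None when a service object-group supplies it
    service_group: Optional[str]
    source: str
    source_ports: List[str]
    destination: str
    destination_ports: List[str]


def _address(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address clause; return its text and the remaining tokens."""
    kw = tokens[0]
    if kw == "object-group":
        name = tokens[1]
        if name in SERVICE_GROUPS:
            raise ValueError(f"'{name}' is a service object-group; only a network "
                             "object-group is allowed in an address position")
        if name not in NETWORK_GROUPS:
            raise ValueError(f"unknown network object-group '{name}'")
        return f"object-group {name}", tokens[2:]
    if kw == "host":
        return f"host {tokens[1]}", tokens[2:]
    if kw == "any":
        return "any", tokens[1:]
    if IPV4.fullmatch(kw) and len(tokens) > 1 and IPV4.fullmatch(tokens[1]):
        return f"{kw} {tokens[1]}", tokens[2:]          # address + wildcard mask
    raise ValueError(f"cannot parse address at '{kw}'")


def _ports(tokens: List[str]) -> Tuple[List[str], List[str]]:
    """Consume an optional 'eq P [P ...]' clause (multi-port eq, as in the thread)."""
    if not tokens or tokens[0] != "eq":
        return [], tokens
    ports, i = [], 1
    while i < len(tokens) and (tokens[i].isdigit() or tokens[i] in PORT_NAMES):
        ports.append(tokens[i])
        i += 1
    if not ports:
        raise ValueError("'eq' needs at least one port")
    return ports, tokens[i:]


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if tokens and tokens[0].isdigit():          # optional sequence number ("131")
        tokens.pop(0)
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError("ACE must start with permit or deny")
    action = tokens.pop(0)
    protocol = service_group = None
    if tokens[0] == "object-group":             # service object-group replaces the protocol
        service_group = tokens[1]
        if service_group not in SERVICE_GROUPS:
            raise ValueError(f"'{service_group}' is not a service object-group")
        tokens = tokens[2:]
    elif tokens[0] in PROTOCOLS:
        protocol = tokens.pop(0)
    else:
        raise ValueError(f"expected a protocol or service object-group, got '{tokens[0]}'")
    source, tokens = _address(tokens)
    sports, tokens = _ports(tokens)
    destination, tokens = _address(tokens)
    dports, tokens = _ports(tokens)
    if tokens:
        raise ValueError(f"unexpected trailing tokens: {' '.join(tokens)}")
    if service_group and (sports or dports):
        raise ValueError("ports come from the service object-group; 'eq' is not allowed here")
    return Ace(action, protocol, service_group, source, sports, destination, dports)


def lint(line: str) -> Optional[str]:
    """Return None if the ACE is well-formed, otherwise the reason it is rejected."""
    try:
        parse_ace(line)
        return None
    except (ValueError, IndexError) as exc:
        return str(exc) or "truncated ACE"


def _expand_address(addr: str) -> List[str]:
    if addr.startswith("object-group "):
        return [f"host {h}" for h in NETWORK_GROUPS[addr.split()[1]]]
    return [addr]


def expand(ace: Ace) -> List[str]:
    """Flatten an ACE into the equivalent list of plain (non-object-group) ACEs."""
    if ace.service_group:
        # In an IOS service object-group a plain "eq" is a destination port
        # ("source eq" would be a source port), so these ports land on the destination.
        combos = [(proto, None, port) for proto, port in SERVICE_GROUPS[ace.service_group]]
    else:
        combos = [(ace.protocol, sp, dp)
                  for sp in (ace.source_ports or [None])
                  for dp in (ace.destination_ports or [None])]
    flat = []
    for (proto, sp, dp), src, dst in product(combos, _expand_address(ace.source),
                                             _expand_address(ace.destination)):
        flat.append(f"{ace.action} {proto} {src}{' eq ' + sp if sp else ''} "
                    f"{dst}{' eq ' + dp if dp else ''}")
    return flat


if __name__ == "__main__":
    for line in ("131 permit tcp object-group servers1 object-group servers1_Ports 10.15.10.0 0.0.0.255",
                 "131 permit object-group servers1_Ports object-group servers1 10.15.10.0 0.0.0.255",
                 "131 permit tcp object-group servers1 eq 80 443 10.15.10.0 0.0.0.255"):
        problem = lint(line)
        print(line, "->", problem or "\n  " + "\n  ".join(expand(parse_ace(line))))
```

Running the script flags the original line (a service object-group in the destination position) and expands each corrected form into four plain ACEs. The expansion also makes a difference between the two fixes visible: in the service object-group form the `eq` ports of `servers1_Ports` are destination ports, whereas `permit tcp object-group servers1 eq 80 443 ...` matches source ports on the servers, so the two lines do not filter the same traffic; the operator should pick the one that matches the intent of the original `host 10.10.1.66 eq 601` rule.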
