ISR Object-Group ACL Not Working

stevenclark612
Level 1

Please help. Trying to apply this ACL to the outside interfaces for inbound traffic. When applied, both outside interfaces (ISPs) pass no traffic.

 

object-group service SERVICE-PROTOCOL-PORT
description Ports to Allow
gre eq 50
gre eq 51
tcp eq 500
tcp eq 1701
tcp eq 4500
udp eq 500
udp eq 1701
udp eq 4500
udp eq 7351
tcp range 2195 2196
tcp eq 5223
tcp range 5228 5230
tcp eq 993
tcp eq 7734
tcp eq 7752
tcp range 60000 61000
tcp eq 3000
udp eq 3000
tcp eq 9000
udp eq 9000

object-group network NETWORK-IP-ADDRESS
description Host/Subnet
host 172.64.36.1
host 172.64.36.2
host 1.1.1.1

ip access-list extended OBJECT-GROUP-INBOUND
remark Inbound Policy
permit object-group SERVICE-PROTOCOL-PORT object-group NETWORK-IP-ADDRESS any


interface GigabitEthernet0/0/0
description ISP-001
ip access-group OBJECT-GROUP-INBOUND in
!
interface GigabitEthernet0/1/0
description ISP-002
ip access-group OBJECT-GROUP-INBOUND in

9 Replies

The ACL must be

Allow any network-object service-object

if you want any host outside to access the server (network object) using a specific port (service object).

So I had the object groups in the wrong order on the ACL.

Yes

When I tried in that order I got an error "object group type mismatch".

Can you share the ACL you use?

 

User Access Verification

Username: sclark
Password:

ROUTER-001#terminal lenght 0
^
% Invalid input detected at '^' marker.

ROUTER-001#terminal lenthg 0
^
% Invalid input detected at '^' marker.

ROUTER-001#terminal lenght 0
^
Current configuration : 15157 bytes
!
! Last configuration change at 10:21:12 EDT Mon Oct 16 2023 by sclark
! NVRAM config last updated at 10:21:30 EDT Mon Oct 16 2023 by sclark
!
version 15.7
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname ROUTER-001
!
boot-start-marker
warm-reboot count 10 uptime 10
boot-end-marker
!
!
enable secret 5 XXXXX
enable password XXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_access local
aaa authorization auth-proxy default local
!
!
!
!
!
!
aaa session-id common
memory-size iomem 25
clock timezone EST -5 0
clock summer-time EDT recurring
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 10.0.100.1
ip dhcp excluded-address 10.0.154.1
ip dhcp excluded-address 10.0.254.1
ip dhcp excluded-address 172.16.32.1
ip dhcp excluded-address 172.16.50.1
ip dhcp excluded-address 10.0.100.1 10.0.100.50
ip dhcp excluded-address 10.0.100.250 10.0.100.254
ip dhcp excluded-address 10.0.154.1 10.0.154.50
ip dhcp excluded-address 10.0.154.250 10.0.154.254
ip dhcp excluded-address 10.0.254.1 10.0.254.50
ip dhcp excluded-address 10.0.254.250 10.0.254.254
ip dhcp excluded-address 172.16.32.1 172.16.32.50
ip dhcp excluded-address 172.16.32.250 172.16.32.254
ip dhcp excluded-address 172.16.50.1 172.16.50.50
ip dhcp excluded-address 172.16.50.250 172.16.50.254
!
ip dhcp pool dot1Q-Native_VLAN-1
import all
network 10.0.100.0 255.255.255.0
default-router 10.0.100.1
dns-server 172.64.36.1 172.64.36.2
domain-name cgnc.us
!
ip dhcp pool VLAN-154
import all
network 10.0.154.0 255.255.255.0
default-router 10.0.154.1
dns-server 172.64.36.1 172.64.36.2
domain-name cgnc.us
!
ip dhcp pool VLAN-254
import all
network 10.0.254.0 255.255.255.0
default-router 10.0.254.1
dns-server 172.64.36.1 172.64.36.2
domain-name cgnc.us
!
ip dhcp pool WS-LENOVO
host 10.0.100.20 255.255.255.0
client-identifier 011c.a0b8.736a.91
domain-name cgnc.us
default-router 10.0.100.1
dns-server 172.64.36.1 172.64.36.2
client-name WS-LENOVO
!
ip dhcp pool CORE-SWITCH
host 10.0.100.254 255.255.255.0
client-identifier 0124.7e12.9681.f5
domain-name cgnc.us
default-router 10.0.100.1
dns-server 172.64.36.1 172.64.36.2
client-name CORE-SWITCH
!
ip dhcp pool PRINTER-1
host 10.0.154.40 255.255.255.0
client-identifier 012a.8023.fffe.0fdf.02
domain-name cgnc.us
dns-server 172.64.36.1 172.64.36.2
client-name CG-NPI0FDF02
default-router 10.0.154.1
!
ip dhcp pool PRINTER-2
host 10.0.154.41 255.255.255.0
client-identifier 0138.22e2.d45e.3c
domain-name cgnc.us
default-router 10.0.154.1
dns-server 172.64.36.1 172.64.36.2
client-name HPD45E3C
!
ip dhcp pool EDGE-SWITCH-1
host 10.0.100.251 255.255.255.0
client-identifier 019c.c9eb.3087.76
domain-name cgnc.us
default-router 10.0.100.1
dns-server 172.64.36.1 172.64.36.2
client-name EDGE-SWITCH-1
!
ip dhcp pool EDGE-SWITCH-2
host 10.0.100.252 255.255.255.0
client-identifier 019c.c9eb.d921.cc
domain-name cgnc.us
default-router 10.0.100.1
dns-server 172.64.36.1 172.64.36.2
client-name EDGE-SWITCH-2
!
ip dhcp pool EDGE-SWITCH-3
host 10.0.100.253 255.255.255.0
client-identifier 0178.acc0.7a96.60
domain-name cgnc.us
default-router 10.0.100.1
dns-server 172.64.36.1 172.64.36.2
client-name EDGE-SWITCH-3
!
ip dhcp pool AP-1
host 10.0.254.15 255.255.255.0
client-identifier 01e0.cbbc.b650.7b
domain-name cgnc.us
dns-server 172.64.36.1 172.64.36.2
client-name AP-1
default-router 10.0.254.1
!
ip dhcp pool AP-2
host 10.0.254.16 255.255.255.0
client-identifier 01e0.cbbc.b651.ee
domain-name cgnc.us
default-router 10.0.254.1
dns-server 172.64.36.1 172.64.36.2
client-name AP-2
!
ip dhcp pool AP-3
host 10.0.254.17 255.255.255.0
client-identifier 01e0.cbbc.b6e9.ba
domain-name cgnc.us
default-router 10.0.254.1
dns-server 172.64.36.1 172.64.36.2
client-name AP-3
!
ip dhcp pool AP-50
host 10.0.254.50 255.255.255.0
client-identifier 01e0.cbbc.b818.9b
domain-name cgnc.us
default-router 10.0.254.1
dns-server 172.64.36.1 172.64.36.2
client-name AP-50
!
ip dhcp pool AP-51
host 10.0.254.51 255.255.255.0
client-identifier 01ac.d31d.fcc0.41
domain-name cgnc.us
default-router 10.0.254.1
dns-server 172.64.36.1 172.64.36.2
client-name AP-51
!
!
!
no ip domain lookup
ip domain name cgnc.us
ip name-server 172.64.36.1
ip name-server 172.64.36.2
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
cts logging verbose
!
!
license udi pid C3900-SPE200/K9 sn FOC163552Y3
license boot module c3900e technology-package datak9
!
!
object-group network NETWORK-IP-ADDRESS
description Host/Subnet
host 172.64.36.1
host 172.64.36.2
host 1.1.1.1
host 129.6.15.32
host 129.6.15.26
host 129.6.15.27
host 129.6.15.28
host 64.62.142.12
209.206.48.0 255.255.240.0
216.157.128.0 255.255.240.0
158.115.128.0 255.255.224.0
17.0.0.0 255.0.0.0
!
object-group service SERVICE-PROTOCOL-PORT
description Ports to Allow
tcp eq 500
tcp eq 1701
tcp eq 4500
udp eq isakmp
udp eq 1701
udp eq non500-isakmp
udp eq 7351
tcp range 2195 2196
tcp eq 5223
tcp range 5228 5230
tcp eq 993
tcp eq 7734
tcp eq 7752
tcp range 60000 61000
tcp eq 3000
udp eq 3000
tcp eq 9000
udp eq 9000
icmp echo
icmp echo-reply
udp eq ntp
udp eq snmp
udp eq snmptrap
tcp eq domain
udp eq domain
tcp eq 8557
tcp eq 9002
tcp range 9998 9999
tcp eq 6970
udp range 16500 65000
tcp eq 19302
udp range 7076 7077
udp range 9078 9079
tcp eq 1935
tcp range 3478 3480
udp eq 3074
udp range 3478 3480
udp eq 88
tcp eq 3074
udp eq 3544
tcp eq 37
udp eq time
tcp eq 9443
udp eq 9443
tcp eq 11111
udp eq 11111
tcp eq 39500
udp eq 39500
!
username sclark password 0 Roscoe123!
!
redundancy
!
!
!
!
!
track 1 ip sla 20 reachability
!
!
class-map type inspect match-any WAN-TO-LAN-CLASS
description Allowed_Protocol_From_WAN-TO-LAN
match protocol echo
match protocol snmp
match protocol ntp
match protocol icmp
match access-group name SERVICE-PROTOCOL-PORT
match access-group name NETWORK-IP-ADDRESS
class-map type inspect match-any LAN-TO-WAN-CLASS
description Allowed_Protocol_From_LAN-TO-WAN
match protocol echo
match protocol snmp
match protocol ntp
match protocol icmp
match protocol snmptrap
match protocol http
match protocol https
match protocol isakmp
match protocol mgcp
match protocol pptp
match protocol rtsp
match protocol rdb-dbs-disp
match protocol sip-tls
match protocol skinny
match protocol dns
match protocol tcp
match protocol udp
match protocol appleqtc
match protocol netshow
match protocol realmedia
match protocol vdolive
match protocol citriximaclient
match protocol h323-nxg
match protocol ica
match protocol icabrowser
match protocol sms
match protocol msnmsgr
match protocol streamworks
match protocol stun
match protocol time
match protocol citrix
match protocol icq
match protocol irc
match protocol irc-serv
match protocol smtp
match protocol ftp
match protocol telnet
match protocol ssh
match protocol syslog
match protocol nfs
match protocol imap
match protocol tftp
match protocol hsrp
match protocol ident
match protocol nntp
match protocol ldaps
match protocol ms-sql
match protocol pop3
match protocol ldap
match protocol login
match protocol msexch-routing
match protocol mysql
match protocol oracle
match protocol router
match protocol sshell
match protocol timed
match protocol winmsgr
match access-group name SERVICE-PROTOCOL-PORT
match access-group name NETWORK-IP-ADDRESS
!
policy-map type inspect LAN-TO-WAN-POLICY
class type inspect LAN-TO-WAN-CLASS
inspect
class class-default
drop log
policy-map type inspect WAN-TO-LAN-POLICY
class type inspect WAN-TO-LAN-CLASS
inspect
class class-default
drop log
!
zone security WAN
zone security LAN
zone security VPN
zone security DMZ
zone-pair security WAN-TO-LAN source WAN destination LAN
service-policy type inspect WAN-TO-LAN-POLICY
zone-pair security LAN-TO-WAN source LAN destination WAN
service-policy type inspect LAN-TO-WAN-POLICY
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface Port-channel1
description TRUNK-VLANS
no ip address
ip nat inside
ip virtual-reassembly in
no mop enabled
!
interface Port-channel1.1
description dot1Q-Native_VLAN-1
encapsulation dot1Q 1 native
ip address 10.0.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface Port-channel1.154
description VLAN-154
encapsulation dot1Q 154
ip address 10.0.154.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface Port-channel1.254
description VLAN-254
encapsulation dot1Q 254
ip address 10.0.254.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface GigabitEthernet0/0
description LACP/LAG-GROUP
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security LAN
duplex full
speed 1000
channel-group 1
no mop enabled
!
interface GigabitEthernet0/1
description LACP/LAG-GROUP
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security LAN
duplex full
speed 1000
channel-group 1
no mop enabled
!
interface GigabitEthernet0/2
description LACP/LAG-GROUP
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security LAN
duplex full
speed 1000
channel-group 1
no mop enabled
!
interface GigabitEthernet0/3
description LACP/LAG-GROUP
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security LAN
duplex full
speed 1000
channel-group 1
no mop enabled
!
interface GigabitEthernet0/0/0
description ISP-001
ip address dhcp hostname ROUTER-001
ip nat outside
ip virtual-reassembly in
zone-member security WAN
duplex full
speed 1000
!
interface GigabitEthernet0/1/0
description ISP-002
ip address dhcp hostname ROUTER-001
ip nat outside
ip virtual-reassembly in
zone-member security WAN
duplex full
speed 1000
!
!
router rip
version 2
network 10.0.0.0
network 172.0.0.0
no auto-summary
!
no ip forward-protocol nd
!
ip http server
ip http port 8080
no ip http secure-server
!
ip nat inside source list ACL-HOST-PORTS interface GigabitEthernet0/0/0 overload
ip nat inside source list OBJECT-GROUP-INBOUND interface GigabitEthernet0/0/0 overload
ip nat inside source route-map RM-NAT-ISP01 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map RM-NAT-ISP02 interface GigabitEthernet0/1/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 47.7.240.1 track 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1/0 192.168.1.1 253
ip route 8.8.8.8 255.255.255.255 GigabitEthernet0/0/0 47.7.240.1
ip ssh time-out 60
ip ssh authentication-retries 4
ip ssh port 2001 rotary 1
ip ssh version 2
ip ssh pubkey-chain
username sclark
!
ip access-list standard ACL-DNAT
permit 10.0.100.0 0.0.0.255
permit 10.0.154.0 0.0.0.255
permit 10.0.254.0 0.0.0.255
permit 172.16.1.0 0.0.0.255
permit 172.16.32.0 0.0.0.255
!
ip access-list extended ACL-HOST-PORTS
permit icmp any any
permit tcp any any eq 500
permit tcp any eq 500 any
permit udp any any eq isakmp
permit udp any eq isakmp any
permit tcp any any eq 1701
permit tcp any eq 1701 any
permit udp any any eq 1701
permit udp any eq 1701 any
permit tcp any any eq 4500
permit tcp any eq 4500 any
permit udp any any eq non500-isakmp
permit udp any eq non500-isakmp any
permit udp any any eq 7351
permit udp any eq 7351 any
permit tcp any any range 2195 2196
permit tcp any range 2195 2196 any
permit tcp any any eq 5223
permit tcp any eq 5223 any
permit tcp any any range 5228 5230
permit tcp any range 5228 5230 any
permit tcp any any eq 993
permit tcp any eq 993 any
permit tcp any any eq 7734
permit tcp any eq 7734 any
permit tcp any any eq 7752
permit tcp any eq 7752 any
permit tcp any any range 60000 61000
permit tcp any range 60000 61000 any
permit tcp any any eq 9000
permit tcp any eq 9000 any
permit udp any any eq 9000
permit udp any eq 9000 any
permit tcp any any eq 3000
permit tcp any eq 3000 any
permit udp any any eq 3000
permit udp any eq 3000 any
permit udp any any range 1024 65535
permit udp any range 1024 65535 any
permit tcp any any eq domain
permit udp any any eq domain
permit udp any eq domain any
permit tcp any eq 8557 any
permit tcp any any eq 9002
permit tcp any eq 9002 any
permit tcp any any range 9998 9999
permit tcp any range 9998 9999 any
permit tcp any any eq 6970
permit tcp any eq 6970 any
permit udp any any range 16500 65000
permit udp any range 16500 65000 any
permit tcp any any eq 19302
permit tcp any eq 19302 any
permit udp any any range 7076 7077
permit udp any range 7076 7077 any
permit udp any any range 9078 9079
permit udp any range 9078 9079 any
permit tcp any any eq 1935
permit tcp any eq 1935 any
permit tcp any any range 3078 3480
permit tcp any range 3078 3480 any
permit udp any any eq 3074
permit udp any any range 3478 3480
permit udp any range 3478 3480 any
permit udp any any eq 88
permit udp any eq 88 any
permit tcp any any eq 3074
permit tcp any eq 3074 any
permit udp any any eq 3544
permit udp any eq 3544 any
permit tcp any any eq 8557
permit tcp any eq domain any
permit udp any any eq 5353
permit udp any eq 5353 any
permit udp any any eq 8443
permit udp any eq 8443 any
permit tcp any any eq 37
permit tcp any eq 37 any
permit udp any any eq time
permit udp any eq time any
permit tcp any any eq 9443
permit tcp any eq 9443 any
permit udp any any eq 9443
permit udp any eq 9443 any
permit tcp any any eq 11111
permit tcp any eq 11111 any
permit udp any any eq 11111
permit udp any eq 11111 any
permit tcp any any eq 39500
permit tcp any eq 39500 any
permit udp any any eq 39500
permit udp any eq 39500 any
ip access-list extended OBJECT-GROUP-INBOUND
remark Inbound Object-Group Policy
permit object-group SERVICE-PROTOCOL-PORT object-group NETWORK-IP-ADDRESS any log-input
remark Inbound Object-Group Policy
!
ip sla 20
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
timeout 6000
frequency 10
ip sla schedule 20 life forever start-time now
logging trap notifications
logging host 10.0.100.20
ipv6 ioam timestamp
!
route-map RM-NAT-ISP02 permit 10
match ip address ACL-DNAT
match interface GigabitEthernet0/1/0
!
route-map RM-NAT-ISP01 permit 10
match ip address ACL-DNAT
match interface GigabitEthernet0/0/0
!
!
snmp-server view mib2 mib-2 included
snmp-server community public RO 50
snmp-server community private RW 50
access-list 50 permit 10.0.100.20
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
login authentication local_access
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
password Rusty123!
login authentication local_access
transport input telnet
!
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server 129.6.15.32
ntp server 129.6.15.26
ntp server 34.202.215.187
ntp server 129.6.15.27
ntp server 129.6.15.28
ntp server 10.0.100.20
ntp server 10.0.100.21
!
end

You use this service for a server in the LAN accessed from the WAN?
If yes,
the config will be
permit object-group SERVICE-PROTOCOL-PORT ANY object-group NETWORK-IP-ADDRESS log-input

and the action of the policy must be pass, not inspect.

Add the established part to the group and test it.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

balaji.bandi
Hall of Fame

I believe you need to add the established connection for it to work as expected from internal to external.

permit protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]

 

BB

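As an added illustration (not code from this thread, from Cisco, or from the poster's router), a small Python model of the two points made in the replies above: the positional operands of "permit object-group SERVICE src dst", and the fact that a plain "eq"/"range" entry in a service object-group matches the destination port, which is why a stateless ACE in either order never matches return traffic such as a DNS reply and why the inspect/established remarks matter. The WAN address 203.0.113.10 and the peer 198.51.100.7 are constructed; the "gre eq 50/51" entries are left out since GRE carries no port.

```python
import ipaddress

# Service entries follow the thread's group; plain eq/range means DESTINATION port.
SERVICE_GROUP = ["tcp eq 500", "udp eq 500", "udp eq 1701", "udp eq 4500",
                 "tcp range 60000 61000", "tcp eq 53", "udp eq 53"]
NETWORK_GROUP = ["host 172.64.36.1", "host 172.64.36.2", "host 1.1.1.1"]

def parse_service(entry):
    """'tcp eq 500' / 'udp range 1 2' / 'esp' -> (proto, lo, hi) on the dst port."""
    parts = entry.split()
    if len(parts) == 1:                      # bare protocol keyword, no port
        return parts[0], 0, 65535
    if parts[1] == "eq":
        return parts[0], int(parts[2]), int(parts[2])
    if parts[1] == "range":
        return parts[0], int(parts[2]), int(parts[3])
    raise ValueError(f"unsupported entry: {entry}")

def parse_network(entry):
    """'host a.b.c.d' or 'a.b.c.d m.m.m.m' -> ip_network."""
    parts = entry.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)

def in_group(group, ip):
    """A group of None models the 'any' keyword."""
    return group is None or any(ipaddress.ip_address(ip) in parse_network(e) for e in group)

def ace_permits(service, src_group, dst_group, pkt):
    """Evaluate one positional ACE against (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, sip, _sport, dip, dport = pkt
    svc_ok = any(p == proto and lo <= dport <= hi for p, lo, hi in map(parse_service, service))
    return svc_ok and in_group(src_group, sip) and in_group(dst_group, dip)

def posted_ace(pkt):   # the poster's line: ... object-group NETWORK-IP-ADDRESS any
    return ace_permits(SERVICE_GROUP, NETWORK_GROUP, None, pkt)

def reply_ace(pkt):    # the suggested line: ... any object-group NETWORK-IP-ADDRESS
    return ace_permits(SERVICE_GROUP, None, NETWORK_GROUP, pkt)

# Constructed packets arriving inbound on the WAN interface (203.0.113.10 stands in for the WAN address).
DNS_REPLY   = ("udp", "172.64.36.1", 53, "203.0.113.10", 51234)  # answer to a LAN query
TO_DNS_HOST = ("udp", "198.51.100.7", 40000, "172.64.36.1", 53)   # session toward a listed host
FROM_LISTED = ("udp", "172.64.36.2", 4500, "203.0.113.10", 4500)  # listed host initiating

if __name__ == "__main__":
    for name, pkt in [("DNS_REPLY", DNS_REPLY), ("TO_DNS_HOST", TO_DNS_HOST), ("FROM_LISTED", FROM_LISTED)]:
        print(f"{name:12} posted={posted_ace(pkt)!s:5} reply={reply_ace(pkt)}")
```

Neither ordering permits the DNS reply, because the ACE only ever compares the destination port; the stateful inspect action (or a TCP established check) is what lets return traffic through.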
