
Query on ACL in 9606 Platform

Madhu
Level 1

I have reviewed the ACL on the Cisco 9606 platform, and it looks a bit different compared to other platforms.
I have a question: the service object group(LYNCAUDIOSHARING_PORTS) is placed first in the ACL statement — does it refer to the source or the destination? Please clarify and share any Cisco documentation regarding this.

I have gone through a few documents, but none clearly state whether the service object group relates to the source or destination.

10 permit object-group LYNCAUDIOSHARING_PORTS 10.143.102.0 0.0.0.255 object-group LYNCAUDIOSHARING_Servers_new 

Accepted Solution

Enes Simnica
Level 3

@Madhu  hello. On Cisco platforms like the 9606, when you see an ACL line like:

10 permit object-group LYNCAUDIOSHARING_PORTS 10.143.102.0 0.0.0.255 object-group LYNCAUDIOSHARING_Servers_new

the service object group (LYNCAUDIOSHARING_PORTS) refers to destination ports, not the source. This is standard behavior in Cisco ACLs; the format is always action > protocol/service > source > destination. So even though it comes first in the line, it's specifying the port(s) that the destination must match.

This can be confusing at first glance, especially since the syntax looks a bit different from standard ACLs, but the position of the service object group (right after permit) always indicates it's tied to the destination port. If you're unsure, Cisco's documentation on ACLs with object groups covers this, though not always explicitly. Here's a good starting point:
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html 

Hope this helps G


-Enes

more Cisco?!
more Gym?!

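To make the positional rule above concrete (action, then protocol/service, then source, then destination), here is a small parser for IOS extended ACEs in the object-group style, added as an example that is not part of the thread or of any Cisco tool. It uses the ACE from the question plus two constructed lines, and it labels each field by position so an auditor can see that the service object group after `permit` is a protocol/port specification, not a source address.

```python
# Constructed sample ACEs in the IOS object-group ACL style discussed in the thread; the first is
# the line from the question, the other two are made up for illustration.
SAMPLE_ACES = [
    "10 permit object-group LYNCAUDIOSHARING_PORTS 10.143.102.0 0.0.0.255 object-group LYNCAUDIOSHARING_Servers_new",
    "20 permit tcp host 10.1.1.5 eq 1024 object-group WEB_SERVERS eq 443",
    "30 deny ip any any log",
]

PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # operator -> number of arguments


def _take_endpoint(tokens):
    """Consume one address spec: object-group NAME | host A.B.C.D | any | A.B.C.D WILDCARD."""
    t = tokens.pop(0)
    if t == "any":
        return t
    return f"{t} {tokens.pop(0)}"  # object-group NAME, host ADDR, or ADDR WILDCARD


def _take_port(tokens):
    """Consume an optional port operator (eq/gt/lt/neq/range) together with its argument(s)."""
    if tokens and tokens[0] in PORT_OPS:
        n = PORT_OPS[tokens[0]]
        return " ".join(tokens.pop(0) for _ in range(n + 1))
    return None


def parse_ace(line):
    """Split an extended ACE into its positional fields: action, service, source, destination."""
    tokens = line.split()
    ace = {"seq": int(tokens.pop(0)) if tokens[0].isdigit() else None}
    ace["action"] = tokens.pop(0)
    if ace["action"] not in ("permit", "deny"):
        raise ValueError(f"unexpected action {ace['action']!r}")
    # The field right after the action is always the protocol/service, even when it is a
    # service object group; the source and destination addresses follow it, in that order.
    ace["service"] = tokens.pop(0)
    if ace["service"] == "object-group":
        ace["service"] += " " + tokens.pop(0)
    ace["source"] = _take_endpoint(tokens)
    ace["src_port"] = _take_port(tokens)       # port operator after the source address
    ace["destination"] = _take_endpoint(tokens)
    ace["dst_port"] = _take_port(tokens)       # port operator after the destination address
    ace["log"] = "log" in tokens
    return ace


if __name__ == "__main__":
    for line in SAMPLE_ACES:
        print(parse_ace(line))
```

The parser only covers the address and port forms shown in the sample lines; port operators placed directly after an address (as in line 20) are kept separate from a service object group so the two styles are not confused.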

3 Replies


The object group for L4 port applies only for destination.

Also your ACL is wrong, you need to add the service object group immediately after "permit/deny".

Such as:

Permit/deny <service object> <IP or object group source> <IP or object group destination>

MHM