07-21-2025 01:06 AM
I have reviewed the ACL on the Cisco 9606 platform, and it looks a bit different compared to other platforms.
I have a question: the service object group(LYNCAUDIOSHARING_PORTS) is placed first in the ACL statement — does it refer to the source or the destination? Please clarify and share any Cisco documentation regarding this.
I have gone through a few documents, but none clearly state whether the service object group relates to the source or destination.
10 permit object-group LYNCAUDIOSHARING_PORTS 10.143.102.0 0.0.0.255 object-group LYNCAUDIOSHARING_Servers_new
07-21-2025 01:10 AM - edited 07-21-2025 01:12 AM
@Madhu hello. On Cisco platforms like the 9606, when you see an ACL line like:
10 permit object-group LYNCAUDIOSHARING_PORTS 10.143.102.0 0.0.0.255 object-group LYNCAUDIOSHARING_Servers_new
the service object group (LYNCAUDIOSHARING_PORTS) refers to destination ports, not the source. This is standard behavior in Cisco ACLs: the format is always action > protocol/service > source > destination. So even though it comes first in the line, it's specifying the port(s) that the destination must match.
This can be confusing at first glance, especially since the syntax looks a bit different from standard ACLs, but the position of the service object group (right after permit) always indicates it's tied to the destination port. If you're unsure, Cisco's documentation on ACLs with object groups covers this, though not always explicitly. Here's a good starting point:
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
Hope this helps G
-Enes
07-21-2025 01:17 AM
also G:
07-21-2025 01:24 AM - edited 07-21-2025 01:25 AM
The object group for L4 ports applies only to the destination.
Also, your ACL is wrong: you need to add the service object group immediately after "permit/deny".
As in:
Permit/deny <service object> <IP or object group source> <IP or object group destination>
MHM
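Both replies above describe the same positional layout of an object-group ACE: sequence number, action, protocol or service object-group, source, optional source port, destination, optional destination port. The following parser is an added example written for this thread (it is not Cisco code and not something either poster provided); it labels each field of an ACE by position so that an auditor reviewing an exported ACL can see at a glance which side a port specification or service group constrains. The sample ACL lines are constructed; only the first one is modelled on the entry quoted in the question, and the address and port forms handled (`any`, `host A.B.C.D`, `A.B.C.D WILDCARD`, `object-group NAME`, `eq/gt/lt/neq`, `range`) are the common ones, not the full IOS grammar.

```python
"""Label the fields of Cisco IOS/IOS-XE extended ACL entries by position.

Assumed field order, as described in the replies above:
  [seq] {permit|deny} {protocol | object-group SVC} SRC [SRC-PORT] DST [DST-PORT]
This is a teaching parser for ACL review, not a complete IOS grammar.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample ACL (not a real export). Entry 10 mirrors the line from
# the question; the rest exercise the other address and port forms.
SAMPLE_ACL = """\
10 permit object-group LYNCAUDIOSHARING_PORTS 10.143.102.0 0.0.0.255 object-group LYNCAUDIOSHARING_Servers_new
20 permit tcp host 10.143.102.5 any eq 443
30 deny udp object-group CLIENTS range 1024 65535 10.143.200.0 0.0.0.255 eq 53
40 deny ip any any
"""

PORT_OPS = {"eq", "gt", "lt", "neq"}


@dataclass
class AclEntry:
    seq: Optional[int]
    action: str
    service: str                    # "tcp", "ip", ... or "object-group NAME"
    source: str
    source_port: Optional[str]      # only meaningful for tcp/udp without a service group
    destination: str
    destination_port: Optional[str]


def _parse_address(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec starting at tokens[i]; return (spec, next index)."""
    t = tokens[i]
    if t == "any":
        return "any", i + 1
    if t in ("host", "object-group"):
        return f"{t} {tokens[i + 1]}", i + 2
    if "." not in t:
        raise ValueError(f"expected an address at token {i}: {t!r}")
    return f"{t} {tokens[i + 1]}", i + 2          # A.B.C.D WILDCARD


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume an optional port operator following an address spec."""
    if i >= len(tokens):
        return None, i
    t = tokens[i]
    if t in PORT_OPS:
        return f"{t} {tokens[i + 1]}", i + 2
    if t == "range":
        return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    return None, i


def parse_ace(line: str) -> AclEntry:
    """Parse a single access-control entry into labelled fields."""
    tokens = line.split()
    i = 0
    seq = None
    if tokens[0].isdigit():                       # optional sequence number
        seq, i = int(tokens[0]), 1
    action = tokens[i]
    if action not in ("permit", "deny"):
        raise ValueError(f"unexpected action {action!r} in {line!r}")
    i += 1
    if tokens[i] == "object-group":               # service group sits right after the action
        service, i = f"object-group {tokens[i + 1]}", i + 2
    else:                                         # plain protocol keyword
        service, i = tokens[i], i + 1
    source, i = _parse_address(tokens, i)
    source_port, i = _parse_port(tokens, i)
    destination, i = _parse_address(tokens, i)
    destination_port, i = _parse_port(tokens, i)
    if i != len(tokens):
        raise ValueError(f"trailing tokens in {line!r}: {tokens[i:]}")
    return AclEntry(seq, action, service, source, source_port, destination, destination_port)


def parse_acl(text: str) -> List[AclEntry]:
    """Parse every non-empty line of an ACL listing."""
    return [parse_ace(ln) for ln in text.splitlines() if ln.strip()]


if __name__ == "__main__":
    for e in parse_acl(SAMPLE_ACL):
        print(f"{e.seq:>4} {e.action:<6} svc={e.service!r:<45} src={e.source!r} "
              f"sport={e.source_port!r} dst={e.destination!r} dport={e.destination_port!r}")
```

When reviewing an ACL, the useful check is that every port restriction (whether a `eq`/`range` operator or a service object-group) ends up on the side you intended; printing the labelled fields makes an ACE that accidentally filters on the source port, or that matches `any` where a server group was meant, stand out immediately.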