Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
991
Views
0
Helpful
2
Replies

ASA 5510 & Object-groups

Go to solution
Adam Hudson
Level 1
Level 1

‎05-10-2012 01:53 PM - edited ‎03-11-2019 04:05 PM

I have an ASA 5510 and have just started using object-groups which are super handy in theory, but not working in reality. I have a service object-group with a mix of tcp, icmp, and udp ports. Let's call it Sample_Port_Group. I'm trying to apply it to my dmz_access_in ACL. Here's the line giving me problems:

access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 any

The asa throws up an error between 192.168.1.1 and any. When I put up a ? after Sample_Port_Group, it gives me the option of putting in an IP address, any, etc. When I put in a ? after 192.168.1.1, it only gives me the option of putting in an IP address.

Going off these posts:

- http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

- http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/nwaccess.html

Those posts gave me the impression my line was possible, especially the "access-list outsideacl extended permit object-group myaclog interface inside any" line, which is at the end of the 2nd article linked.

What am I doing wrong?

Thanks in advance for any help.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
kampmalm2
Level 1
Level 1

‎05-10-2012 11:33 PM

Hi Adam!

You are doing it right, you are just missing on little keyword.

The line should be as this:

access-list dmz_access_in extended permit object-group Sample_Port_Group host 192.168.1.1 any

or you could specify the subnetmask as:

access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 255.255.255.255 any

Regards

View solution in original post

0 Helpful
2 Replies 2

Go to solution
kampmalm2
Level 1
Level 1

‎05-10-2012 11:33 PM

Hi Adam!

You are doing it right, you are just missing on little keyword.

The line should be as this:

access-list dmz_access_in extended permit object-group Sample_Port_Group host 192.168.1.1 any

or you could specify the subnetmask as:

access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 255.255.255.255 any

Regards

0 Helpful

Go to solution
Adam Hudson
Level 1
Level 1
In response to kampmalm2

‎05-17-2012 12:14 PM

That was simple, thanks for another pair of eyes to take a look at it!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card