I have an object group of hosts on the LAN:
object-group network uboxen
description work desktops
network-object host ubox1
network-object host ubox2
...
I want to disallow all outbound traffic from them except to 1 host on the internet. All other hosts I want to allow unrestricted access:
access-group 88 in interface inside
access-list 88 extended deny ip object-group uboxen any
access-list 88 extended permit ip any any
This works fine to restrict them, but when I try to add a host to permit, the ASA doesn't like it.
Clear out my previous rules
# no access-list 88 extended deny ip object-group uboxen any
# no access-list 88 extended permit ip any any
#
Try to start a new list
# access-list 88 extended permit ip object-group uboxen host internethost$
ERROR: <88> element cannot be created
# access-list 88 extended deny ip object-group uboxen any
# access-list 88 extended permit ip any any
How do I make an exception for this one host for the object group and still deny all other internet traffic from these hosts?
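A constructed first-match model of the ACL in the question, added here as an example (not part of the post and not Cisco ASA code): it shows why the permit for the single internet host has to sit before the group-wide deny, since evaluation stops at the first matching entry. The addresses assigned to ubox1, ubox2 and internethost are invented.

```python
"""Toy first-match model of access-list 88 from the question (constructed)."""
from dataclasses import dataclass
from typing import Optional, Set, List

# Constructed addresses standing in for the object-group members and the
# 'internethost' name; real values would come from the ASA config.
OBJECT_GROUPS = {"uboxen": {"ubox1": "192.0.2.11", "ubox2": "192.0.2.12"}}
NAMES = {"internethost": "198.51.100.7"}
ANY = None  # 'any' keyword: matches every address


@dataclass
class ACE:
    action: str                 # "permit" or "deny"
    src: Optional[Set[str]]     # source addresses, or ANY
    dst: Optional[Set[str]]     # destination addresses, or ANY


def matches(field: Optional[Set[str]], addr: str) -> bool:
    return field is None or addr in field


def evaluate(acl: List[ACE], src: str, dst: str) -> str:
    """Extended ACLs are evaluated top-down, first match wins; traffic that
    matches no entry hits the implicit deny at the end of the list."""
    for ace in acl:
        if matches(ace.src, src) and matches(ace.dst, dst):
            return ace.action
    return "deny"


def group(name: str) -> Set[str]:
    return set(OBJECT_GROUPS[name].values())


# Ordering that yields the policy asked for: exception first, then the
# group-wide deny, then the permit for everyone else.
ACL_88 = [
    ACE("permit", group("uboxen"), {NAMES["internethost"]}),
    ACE("deny", group("uboxen"), ANY),
    ACE("permit", ANY, ANY),
]

# Same three entries with the deny ahead of the exception: the exception
# can never be reached, so the desktops lose the one host they should keep.
ACL_88_WRONG_ORDER = [ACL_88[1], ACL_88[0], ACL_88[2]]
```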