Object Group ACL deny specific host

Status
Not open for further replies.

jslx

Programmer
Jan 26, 2010
2
US
I have an object group of hosts on the LAN:

object-group network uboxen
description work desktops
network-object host ubox1
network-object host ubox2
...

I want to disallow all outbound traffic from these hosts except to one host on the internet. For all other hosts, I want to allow unrestricted access:

access-group 88 in interface inside
access-list 88 extended deny ip object-group uboxen any
access-list 88 extended permit ip any any

This works fine to restrict them, but when I try to add a host to permit, the ASA doesn't like it.

Clear out my previous rules

# no access-list 88 extended deny ip object-group uboxen any
# no access-list 88 extended permit ip any any
#

Try to start a new list
# access-list 88 extended permit ip object-group uboxen host internethost$
ERROR: <88> element cannot be created

# access-list 88 extended deny ip object-group uboxen any
# access-list 88 extended permit ip any any


How do I make an exception for this one host for the object group and still deny all other internet traffic from these hosts?
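The ordering the poster is after, as an added example that is not from the thread or any reply to it. It assumes the ASA's standard ACL semantics (ACEs evaluated top-down, first match wins, implicit deny at the end), so the narrow permit for the single internet host must sit above the deny for the group; the hostnames are resolved with `names`/`name` entries and all addresses are placeholders from the RFC 5737 documentation ranges.

```cisco
! Added example, not from the original thread. Placeholder addresses only.
! ACL evaluation is top-down, first match wins: the specific permit goes first,
! the group-wide deny second, and the permit for everyone else last.
names
name 192.0.2.11 ubox1
name 192.0.2.12 ubox2
name 203.0.113.10 internethost

object-group network uboxen
 description work desktops
 network-object host ubox1
 network-object host ubox2

! 1. The desktops may reach only the one permitted internet host.
access-list 88 extended permit ip object-group uboxen host internethost
! 2. Everything else from those desktops is dropped (and logged by default).
access-list 88 extended deny ip object-group uboxen any
! 3. All other inside hosts keep unrestricted outbound access.
access-list 88 extended permit ip any any

access-group 88 in interface inside

! If the list already exists with the deny first, insert the permit above it
! instead of clearing and rebuilding the whole list:
! access-list 88 line 1 extended permit ip object-group uboxen host internethost

! Verify the resulting order and watch the hit counters while testing:
! show access-list 88
```

In `show access-list 88` the permit to `internethost` should accumulate hits while the group deny catches the rest; if the deny line is counting hits for traffic you expected to allow, the ACE order is wrong.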
 
you need to post this in the Cisco ASA forum

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
