PIX506 version 6.x - ACL with object-groups 1


gmail2 (Programmer), Jun 15, 2005
I'm pretty new to PIX and need to configure ACL on the firewall. I've created some object-groups (network) for each of the source and destination addresses. I've also created some object-groups (ports) for the ports we want to allow. I can configure the access-list if I just include the network obj-groups but when I try to incorporate the ports I run into trouble. What am I doing wrong? I have several groups as follows:
LAN_hosts (network)
POP_hosts (network)
POP_services (port)
Here's my ACL:
access-list 200 line 2 permit ip object-group LAN_hosts object-group POP_hosts eq object-group POP_services
But it doesn't work, because we're using version 6.x of course it just displays the same help screen every time (unlike v. 7 which will show you more detail on what to put in next). If I don't put in the eq object-group POP_services it works fine. So what is it I'm doing wrong?

I'd really appreciate any help anybody can give me.
 
I'm nowhere near a pix at the moment to check, but from memory I don't think you can "permit ip" for port based object groups. I suspect you need to create one object-group for your tcp ports, and a separate one for your udp ports, and then use two access-list entries.

Eg,

access-list 200 permit tcp object-group LAN_hosts object-group POP_hosts eq object-group POP_services_TCP

access-list 200 permit udp object-group LAN_hosts object-group POP_hosts eq object-group POP_services_UDP


CCSP, CCNA, CCSA, MCSE, Cisco Firewall specialist, VPN specialist, IDS specialist
 
Thanks for that - but now when I do access-list 200 line 2 permit tcp object-group LAN object-group POP_hosts eq object-group POP_services it says "invalid port object-group" so I think it's trying to read the word object-group as a port when I need it to recognise that it's an object group. Any ideas why it won't do that?

Thanks for your help
 
Take out "eq".

access-list 200 line 2 permit tcp object-group LAN_hosts object-group POP_hosts object-group POP_services

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
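Putting the two answers together (split the port group by protocol, and reference it without "eq"), here is an added PIX 6.x config fragment that is not from the thread. The group names follow the posts; the addresses and the port-object list are constructed assumptions, and the "!" lines are comments.

```text
! Source hosts (constructed example addresses)
object-group network LAN_hosts
  network-object 192.0.2.0 255.255.255.0
! Destination mail servers (constructed example addresses)
object-group network POP_hosts
  network-object host 198.51.100.10
  network-object host 198.51.100.11
! Port group: the protocol given here (tcp) must match the
! protocol used in the access-list entry that references it
object-group service POP_services_TCP tcp
  port-object eq pop3
  port-object eq 995
! No "eq" before a port object-group; the group supplies the operator
access-list 200 permit tcp object-group LAN_hosts object-group POP_hosts object-group POP_services_TCP
access-list 200 deny ip any any
access-group 200 in interface inside
```

Use `show access-list 200` afterwards: PIX 6.x expands each object-group into individual ACEs and shows hit counts per expanded line, which is the quickest way to confirm the entry was parsed the way you intended.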
 
Sounds about right :)

CCSP, CCNA, CCSA, MCSE, Cisco Firewall specialist, VPN specialist, IDS specialist
 