Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX506 version 6.x - ACL with object-groups 1

Status
Not open for further replies.
gmail2

gmail2

Programmer
Jun 15, 2005
987
IE
I'm pretty new to PIX and need to configure ACL on the firewall. I've created some object-groups (network) for each of the source and destination addresses. I've also created some object-groups (ports) for the ports we want to allow. I can configure the access-list if I just incluse the network obj-groups but when I try to incorporate the ports I run into trouble. What am I doing wrong? I have several groups as follows:
LAN_hosts (network)
POP_hosts (network)
POP_services (port)
Here's my ACL:
access-list 200 line 2 permit ip object-group LAN_hosts object-group POP_hosts eq object-group POP_services
But it doesn't work, because we're using version 6.x of course it just displays the same help screen every time (unlike v. 7 which will show you more detail on what to put in next). If I don't put in the eq object-group POP_services it works fine. So what is it I'm doing wrong?

I'd really appreciate any help anybody can give me.
 
Sort by date Sort by votes
I'm nowhere near a pix at the moment to check, but from memory I don't think you can "permit ip" for port based object groups. I suspect you need to create one object-group for your tcp ports, and a seperate one for your udp ports, and then use two access-list entries.

Eg,

access-list 200 permit tcp object-group LAN_hosts object-group POP_hosts eq object-group POP_services_TCP

access-list 200 permit udp object-group LAN_hosts object-group POP_hosts eq object-group POP_services_UDP


CCSP, CCNA, CCSA, MCSE, Cisco Firewall specialist, VPN specialist, IDS specialist
 
Upvote 0 Downvote
Thanks for that - but now when I do access-list 200 line 2 permit tcp object-group LAN object-group POP_hosts eq object-group POP_services it says "invalid port object-group" so I think it's trying to read the word object-group as a port when I need to it to recognise that it's an object group. Any ideas why it won't do that?

Thanks for your help
 
Upvote 0 Downvote
Take out "eq".

access-list 200 line 2 permit tcp object-group LAN_hosts object-group POP_hosts object-group POP_services

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Upvote 0 Downvote
Sounds about right :)

CCSP, CCNA, CCSA, MCSE, Cisco Firewall specialist, VPN specialist, IDS specialist
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
462
Sameer258
Sameer258
tklamb
  • Locked
  • Question
ACL help
Replies
0
Views
96
tklamb
tklamb
gkreg
  • Locked
  • Question
asa 5500-x url filtering
Replies
0
Views
323
gkreg
gkreg
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
120
PauS0n
PauS0n
ISDPCMAN
  • Locked
  • Question
Cannot connect to TZ-215 Sonicwall appliance with web browser!
Replies
0
Views
103
ISDPCMAN
ISDPCMAN

Part and Inventory Search

Sponsor

Back
Top