donnib (Member, join:2014-03-19)

Show matches on object_group?

Hi,
When one runs “show access-list” it shows the matches on each ACL line if the lines inside the ACL are normal permit/deny lines. If I use a permit/deny line which looks up services in an object-group, then it shows the total matches for that line but not for each service inside the object-group. Is that even possible? I can't seem to find a solution for that.

/donnib
aryoba (MVM, join:2002-08-22)
I assume you are referring to ASA/PIX object-group command. With that in mind, you should be able to see matches when the object group is part of active access list.
donnib (Member, join:2014-03-19)
@aryoba, yes, I am running IOS 15.1M7. OK, then maybe I was just not patient enough when trying it out to see if it worked.

Now that I have you: in what order does this work? I mean, the object_group does not have line numbers as extended ACL lines have, so is it random what it matches on? Should one care about the order of the lines in an object_group?
aryoba (MVM, join:2002-08-22)
said by aryoba:

I assume you are referring to ASA/PIX object-group command.

said by donnib:

@aryoba, yes i am running IOS 15.1M7.

I don't think ASA/PIX firewall runs IOS 15.1 version

tubbynet (MVM, join:2008-01-16, Gilbert, AZ)
reminds me of the danse russe
said by aryoba:

I don't think ASA/PIX firewall runs IOS 15.1 version

come on, aryoba -- object groups aren't just for asa/pix anymore.

»www.cisco.com/c/en/us/td ··· acl.html

q.
donnib (Member, join:2014-03-19)
I was too quick to answer. I have a Cisco 1801 router.

Here is the output of the object_group and the ACL. As you can see, I don't see the matches in the group, only in the ACL, so the question is: can I do it somehow?

show access-list
 
Extended IP access list trial
    10 permit object-group service_object any any (23 matches)
    20 permit ip any any log (1038 matches)
 
show object-group
 
Service object group service_object
 tcp eq 12002
 tcp eq 12345
 tcp eq 32760
 tcp eq 15555
 tcp eq 32000
 tcp eq 51706
 tcp eq 33333
 tcp eq 22222
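The output pasted above is easy to correlate offline, which is what an ACL audit usually needs once it is clear the router will not give per-member counts. The script below is an added example, not code from the thread or from Cisco: it parses the "show access-list" and "show object-group" text (constructed sample input with the same ports and hit counts as above), expands the object-group ACE into one row per service member, and carries the single ACE-level counter onto every row, making the limitation explicit. The parsing regexes and the group_covers() helper are assumptions of this example, not IOS behaviour it documents; the helper simply treats group membership as a set check, so the position of a member inside the group never affects the answer.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: same shape (and the same ports and hit counts) as the
# "show access-list" / "show object-group" output pasted in the thread.
SHOW_ACCESS_LIST = """\
Extended IP access list trial
    10 permit object-group service_object any any (23 matches)
    20 permit ip any any log (1038 matches)
"""

SHOW_OBJECT_GROUP = """\
Service object group service_object
 tcp eq 12002
 tcp eq 12345
 tcp eq 32760
 tcp eq 15555
 tcp eq 32000
 tcp eq 51706
 tcp eq 33333
 tcp eq 22222
"""

# One ACE line: sequence number, action, the rest of the entry, optional "(N matches)".
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")
GROUP_HDR_RE = re.compile(r"^Service object group (\S+)\s*$")
MEMBER_RE = re.compile(r"^(tcp|udp)\s+eq\s+(\d+)$")


def parse_object_groups(text: str) -> Dict[str, List[str]]:
    """Map each service object-group name to its member lines, e.g. 'tcp eq 12002'."""
    groups: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        hdr = GROUP_HDR_RE.match(line)
        if hdr:
            current = hdr.group(1)
            groups[current] = []
        elif current is not None and line.strip():
            groups[current].append(line.strip())
    return groups


def parse_access_list(text: str) -> List[dict]:
    """Return one dict per ACE with its sequence number, action, body and hit count."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # ACL header line or blank line
        seq, action, body, hits = m.groups()
        aces.append({"seq": int(seq), "action": action, "body": body,
                     "matches": int(hits) if hits else 0})
    return aces


def expand_aces(aces: List[dict], groups: Dict[str, List[str]]) -> List[dict]:
    """Expand each object-group ACE into one row per group member.

    The router keeps one counter per ACE, so every expanded row carries the
    ACE-level count in 'ace_matches' and None in 'member_matches': the
    per-service figure asked for in the thread is not recorded anywhere.
    """
    rows = []
    for ace in aces:
        ref = re.match(r"object-group (\S+)\s+(.*)$", ace["body"])
        if ref and ref.group(1) in groups:
            for member in groups[ref.group(1)]:
                rows.append({"seq": ace["seq"], "action": ace["action"],
                             "service": member, "rest": ref.group(2),
                             "ace_matches": ace["matches"], "member_matches": None})
        else:
            rows.append({"seq": ace["seq"], "action": ace["action"],
                         "service": None, "rest": ace["body"],
                         "ace_matches": ace["matches"], "member_matches": ace["matches"]})
    return rows


def group_covers(groups: Dict[str, List[str]], name: str, proto: str, port: int) -> bool:
    """True if any member of the group is 'proto eq port' (set semantics: order is irrelevant)."""
    for member in groups.get(name, []):
        m = MEMBER_RE.match(member)
        if m and m.group(1) == proto and int(m.group(2)) == port:
            return True
    return False


def report(rows: List[dict]) -> List[str]:
    """Render the expanded rows as aligned text lines for review."""
    lines = []
    for r in rows:
        svc = r["service"] or "-"
        if r["member_matches"] is None:
            cnt = "n/a (ACE total %d)" % r["ace_matches"]
        else:
            cnt = str(r["member_matches"])
        lines.append(f"{r['seq']:>4} {r['action']:<6} {svc:<14} {r['rest']:<14} matches={cnt}")
    return lines


if __name__ == "__main__":
    g = parse_object_groups(SHOW_OBJECT_GROUP)
    a = parse_access_list(SHOW_ACCESS_LIST)
    print("\n".join(report(expand_aces(a, g))))
```

Run as-is it prints nine rows: eight for ACE 10, each showing "n/a (ACE total 23)", and one for ACE 20 with its own 1038. If per-service visibility is required for a specific port, the practical route is the one the ACE structure already implies: give that service its own numbered ACE ahead of the object-group line, so it gets its own counter.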
 
HELLFIRE (MVM, join:2009-11-25) to donnib
said by tubbynet:

said by aryoba:

I don't think ASA/PIX firewall runs IOS 15.1 version

come on, aryoba -- object groups aren't just for asa/pix anymore.

»www.cisco.com/c/en/us/td ··· acl.html

Silly rabbit, pix are for kids! [sorry, couldn't resist]

@donnib
That link that tubbynet posted is pretty much the go-to guide for this, and other than "show ip access-list" and "show object-group" there's not much more. You could debug on the ACL, but that'd generate a whole bunch of spam on the console / CLI line.

There MAY be further debug commands -- that's why '?' is your friend in the CLI -- for object groups, but I couldn't say for sure.

My 00000010bits

Regards