I think this is what you mean.... The ACL needs to be configured as such:
access-list NAME permit|deny (service object-group if protocols are included in it or Protocol object-group) (network object-group with sources) (network object-group with destinations) (service object-group)

Is that what you're looking for?

Regards,

Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

Platinum Solutions Group (PSG) provides high-end consulting services with a primary emphasis on Cisco's Data Center Solutions, Service Provider Solutions, Unified Communications and Security-enabled infrastructures. Be sure to visit www.platinumsolutionsgroup.com.

On Apr 25, 2010, at 8:28 AM, Johan Bornman wrote:

> Brandon,
>
> My question is about if more than only the 1 object-group is configured. In
> the referenced lab there are 3 object-groups. Does the order or sequence of
> the object-groups matter in the ACL?
>
> Thanks
>
> Johan
>
> From: Brandon Carroll [mailto:[email protected]]
> Sent: 23 April 2010 05:56 PM
> To: Johan Bornman
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] Lab 1, Task 1.8
>
> Johan,
>
> I would have recommended the links that Mohamed did as well. Basically it
> comes down to the order that you entered them in. See the output below.
>
> First I created a network object-group:
>
> ciscoasa(config)# object-g net NETS
>
> Then I added 5 hosts. Notice the order:
>
> ciscoasa(config-network)# network-object host 10.1.1.1
> ciscoasa(config-network)# network-object host 10.1.1.2
> ciscoasa(config-network)# network-object host 10.1.1.3
> ciscoasa(config-network)# network-object host 10.1.1.4
> ciscoasa(config-network)# network-object host 10.1.1.5
> ciscoasa(config-network)# ex
>
> Then I added the object-group to an ACL entry:
>
> ciscoasa(config)# access-l OBJTEST permit ip obj NETS any
>
> And finally when you show access-list you can see that the expanded entries
> coincide with the order of entry for the object group.
>
> ciscoasa(config)# sh access-l
> access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
>             alert-interval 300
> access-list OBJTEST; 5 elements; name hash: 0x91a70a61
> access-list OBJTEST line 1 extended permit ip object-group NETS any 0xd35b6723
>   access-list OBJTEST line 1 extended permit ip host 10.1.1.1 any (hitcnt=0) 0x6dbb635b
>   access-list OBJTEST line 1 extended permit ip host 10.1.1.2 any (hitcnt=0) 0xdc67b49b
>   access-list OBJTEST line 1 extended permit ip host 10.1.1.3 any (hitcnt=0) 0x1889b285
>   access-list OBJTEST line 1 extended permit ip host 10.1.1.4 any (hitcnt=0) 0xf71d9161
>   access-list OBJTEST line 1 extended permit ip host 10.1.1.5 any (hitcnt=0) 0x7b7029e2
> ciscoasa(config)#
>
> Hope that helps.
>
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
>
> On Apr 22, 2010, at 8:31 PM, Johan Bornman wrote:
>
> > Hi,
> >
> > I am having difficulty finding a good cisco doc about object groups. My
> > question is about the acl. Is there any logic to the sequence/position of the
> > object groups applied in the acl?
> >
> > Thanks
> >
> > Johan
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
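An added illustration, not part of the thread and not ASA code: a small Python expander that parses ASA-style "object-group network" blocks and turns a group-based ACE into the per-member entries that "show access-list" displays, in group entry order, which is a handy way to audit exactly what a group-based line permits. The sample config, the nesting order assumed when both source and destination are groups (source members outer, destination members inner), and the parser are my own assumptions.

```python
import re
from itertools import product
# Constructed ASA-style sample config (not from the thread): the order of the
# network-object lines inside each group drives the expanded ACE order.
ASA_CONFIG = """\
object-group network NETS
 network-object host 10.1.1.1
 network-object host 10.1.1.2
 network-object host 10.1.1.3
object-group network SERVERS
 network-object host 192.168.1.10
 network-object 192.168.2.0 255.255.255.0
access-list OBJTEST extended permit ip object-group NETS object-group SERVERS
access-list OBJTEST extended deny ip any any
"""

def parse_object_groups(config):
    """Map each 'object-group network' name to its members, in entry order."""
    groups, current = {}, []
    for line in config.splitlines():
        if m := re.match(r"object-group network (\S+)", line):
            current = groups.setdefault(m.group(1), [])
        elif m := re.match(r" +network-object (host \S+|\S+ \S+)", line):
            current.append(m.group(1))  # indented member lines belong to the group opened last
    return groups

def _operand(tokens, groups):
    """Pop one address operand (any | host A | A MASK | object-group G) as a list of alternatives."""
    kw = tokens.pop(0)
    if kw == "any":
        return ["any"]
    if kw == "host":
        return ["host " + tokens.pop(0)]
    if kw == "object-group":
        return list(groups[tokens.pop(0)])  # members in the order they were entered
    return [kw + " " + tokens.pop(0)]  # network/mask pair

def expand_acl(config, name):
    """Expand group references in ACL `name` into the per-member ACEs 'show access-list' lists."""
    groups = parse_object_groups(config)
    expanded, line_no = [], 0
    for line in config.splitlines():
        if not (m := re.match(rf"access-list {re.escape(name)} (?:extended )?(permit|deny) (\S+) (.+)", line)):
            continue
        line_no += 1  # the ASA numbers each configured ACE; its expansions share that number
        action, proto, tokens = m.group(1), m.group(2), m.group(3).split()
        src, dst = _operand(tokens, groups), _operand(tokens, groups)
        for s, d in product(src, dst):  # assumed nesting: source outer, destination inner
            expanded.append(f"access-list {name} line {line_no} extended {action} {proto} {s} {d}")
    return expanded
```

Running expand_acl(ASA_CONFIG, "OBJTEST") yields six "line 1" entries (10.1.1.1 first, each paired with the two SERVERS members in their entry order) followed by one "line 2" entry.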
