Yes! Thanks!

From: Brandon Carroll [mailto:[email protected]]
Sent: 25 April 2010 05:47 PM
To: Johan Bornman
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Lab 1, Task 1.8

I think this is what you mean.... The ACL needs to be configured as such:

    access-list NAME permit|deny (service object-group if protocols are included in it, or protocol object-group) (network object-group with sources) (network object-group with destinations) (service object-group)

Is that what you're looking for?

Regards,
Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

Platinum Solutions Group (PSG) provides high-end consulting services with a primary emphasis on Cisco's Data Center Solutions, Service Provider Solutions, Unified Communications and Security-enabled infrastructures. Be sure to visit www.platinumsolutionsgroup.com

On Apr 25, 2010, at 8:28 AM, Johan Bornman wrote:

Brandon,

My question is about if more than only the 1 object-group is configured. In the referenced lab there are 3 object-groups. Does the order or sequence of the object-groups matter in the ACL?

Thanks
Johan

From: Brandon Carroll [mailto:[email protected]]
Sent: 23 April 2010 05:56 PM
To: Johan Bornman
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Lab 1, Task 1.8

Johan,

I would have recommended the links that Mohamed did as well. Basically it comes down to the order that you entered them in.

See the output below. First I created a network object-group:

    ciscoasa(config)# object-g net NETS

Then I added 5 hosts. Notice the order:

    ciscoasa(config-network)# network-object host 10.1.1.1
    ciscoasa(config-network)# network-object host 10.1.1.2
    ciscoasa(config-network)# network-object host 10.1.1.3
    ciscoasa(config-network)# network-object host 10.1.1.4
    ciscoasa(config-network)# network-object host 10.1.1.5
    ciscoasa(config-network)# ex

Then I added the object-group to an ACL entry:

    ciscoasa(config)# access-l OBJTEST permit ip obj NETS any

And finally, when you show access-list, you can see that the expanded entries coincide with the order of entry for the object group.

    ciscoasa(config)# sh access-l
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list OBJTEST; 5 elements; name hash: 0x91a70a61
    access-list OBJTEST line 1 extended permit ip object-group NETS any 0xd35b6723
      access-list OBJTEST line 1 extended permit ip host 10.1.1.1 any (hitcnt=0) 0x6dbb635b
      access-list OBJTEST line 1 extended permit ip host 10.1.1.2 any (hitcnt=0) 0xdc67b49b
      access-list OBJTEST line 1 extended permit ip host 10.1.1.3 any (hitcnt=0) 0x1889b285
      access-list OBJTEST line 1 extended permit ip host 10.1.1.4 any (hitcnt=0) 0xf71d9161
      access-list OBJTEST line 1 extended permit ip host 10.1.1.5 any (hitcnt=0) 0x7b7029e2
    ciscoasa(config)#

Hope that helps.

Regards,
Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

On Apr 22, 2010, at 8:31 PM, Johan Bornman wrote:

Hi,

I am having difficulty finding a good Cisco doc about object groups. My question is about the ACL. Is there any logic to the sequence/position of the object groups applied in the ACL?

Thanks
Johan

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
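A small Python model of the expansion that Brandon's show access-list output demonstrates, added here as an example and not part of the thread or of any Cisco code: members of an object-group are emitted in the order they were entered, and the "N elements" figure in the ACL header is the size of that expansion, which is what multiplies when several groups are combined in one ACE. The NETS group is copied from the thread; SERVERS and WEB are constructed, and the left-to-right nesting order used when more than one group appears is an assumption of this model, to be checked against show access-list on a real ASA.

```python
from itertools import product

# Object-groups for this example. NETS is copied from the thread; SERVERS and
# WEB are constructed. Member order is the order the network-object /
# port-object lines were entered on the CLI.
NETWORK_GROUPS = {
    "NETS": ["host 10.1.1.1", "host 10.1.1.2", "host 10.1.1.3",
             "host 10.1.1.4", "host 10.1.1.5"],
    "SERVERS": ["host 192.0.2.10", "192.0.2.32 255.255.255.224"],
}
PORT_GROUPS = {
    "WEB": ["eq 80", "eq 443"],
}


def _members(token, groups):
    """Ordered members if token is 'object-group NAME', else the token itself."""
    if token.startswith("object-group "):
        return groups[token.split(" ", 1)[1]]
    return [token]


def expand_ace(name, action, proto, src, dst, svc=None):
    """Return the per-element lines show access-list would print for one ACE.

    Model assumption (the thread only shows a single group): fields nest left
    to right, so every member of a later group is emitted for the first member
    of an earlier group before that earlier group advances to its next member.
    """
    fields = [_members(src, NETWORK_GROUPS), _members(dst, NETWORK_GROUPS)]
    if svc is not None:
        fields.append(_members(svc, PORT_GROUPS))
    lines = []
    for combo in product(*fields):
        lines.append(f"access-list {name} line 1 extended {action} {proto} "
                     + " ".join(combo))
    return lines


def element_count(name, action, proto, src, dst, svc=None):
    """The 'N elements' count from the ACL header: size of the expansion."""
    return len(expand_ace(name, action, proto, src, dst, svc))


if __name__ == "__main__":
    for line in expand_ace("OBJTEST", "permit", "ip", "object-group NETS", "any"):
        print(line)
```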
