Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. Hi Asi,

    You don’t have to use object-groups but they can make your access-lists much easier to read. Let me give you an example:

    ASA# show run | incl access-list VIRL
    access-list VIRL extended permit tcp any object VIRL object-group VIRL_PORTS

    The access-list above only has one line. The object called VIRL can access the ports in VIRL_PORTS. When you take a closer look, you can see there are quite some statements:

    ASA# show access-list VIRL
    access-list VIRL; 12 elements; name hash: 0xa226aadb
    access-list VIRL line 1 extended permit tcp any object VIRL ob
    ... Continue reading in our forum

  2. Hi Matt,

    I see what you mean. Normally the format of an extended access-list statement looks like this:

    So it kinda makes sense to use the service object group in the beginning since you specify the protocol with it. The big difference is that it also includes the port numbers, which we normally put at the end of the statement.


  3. Hi Jeff,

    These can be difficult to read if you find them in the running configuration. If you use the show access-list command, you can see the exact statements that are in effect. For example:

    access-list Access_in extended permit object-group MyProto object-group My_hosts_1 object-group My_hosts_2 log

    Looks like:

    ASA1(config)# show access-list Access_in
    access-list Access_in; 24 elements; name hash: 0x49ffabc6
    access-list Access_in line 1 extended permit object-group MyProto object-group My_hosts_1 object-group My_hosts_2 log informational interval 300 (hitcn
    ... Continue reading in our forum
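Replies 1 and 3 both point out that one access-list line with object-groups turns into many elements once the ASA expands it. The script below is an added example, not code from the page or from networklessons.com: it parses a constructed ASA config fragment (the addresses and port numbers are made up) and expands each `object` / `object-group` reference into the individual ACEs, roughly the way `show access-list` lists them. It handles network objects and port object-groups only, not protocol-and-port service groups like the MyProto group in reply 3.

```python
import re
from itertools import product

# Constructed ASA config (sample addresses, not from the page): objects, groups and an ACL using them.
SAMPLE_CONFIG = """\
object network VIRL
 host 192.0.2.10
object-group network VIRL_MGMT
 network-object host 192.0.2.20
 network-object 198.51.100.0 255.255.255.0
object-group service VIRL_PORTS tcp
 port-object eq 22
 port-object eq 443
 port-object range 19399 19400
access-list VIRL extended permit tcp any object VIRL object-group VIRL_PORTS
access-list VIRL extended permit tcp object-group VIRL_MGMT object VIRL eq 22
"""

def parse_objects(config):
    """Map each object / object-group name to the member lines beneath it."""
    objects, current = {}, None
    for line in config.splitlines():
        head = re.match(r"object(?:-group)? (?:network|service) (\S+)", line)
        if head:
            current = objects.setdefault(head.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return objects

def expand_acl(config):
    """Expand object references into the individual ACEs ('elements') the ASA evaluates."""
    objects = parse_objects(config)
    aces = []
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        tokens, slots, i = line.split(), [], 0
        while i < len(tokens):
            if tokens[i] in ("object", "object-group"):
                # Each member becomes one alternative; drop its keyword so it reads as in an ACE.
                slots.append([re.sub(r"^(network-object|port-object|subnet) ", "", m)
                              for m in objects[tokens[i + 1]]])
                i += 2
            else:
                slots.append([tokens[i]])
                i += 1
        aces.extend(" ".join(combo) for combo in product(*slots))  # one ACE per combination
    return aces
```

Running `expand_acl(SAMPLE_CONFIG)` on this fragment yields five ACEs from two configured lines; the element count grows with the product of the group sizes, which is why a short running-config entry can hide a long effective rule set.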

  4. Hi Rene,

    I have a doubt about the ASA lesson. You said traffic from a higher security level is allowed to go to a lower security level but not from lower to higher. So how could it be possible for return traffic, which comes from the lower level to the higher level, to flow?
    Please explain.

  5. Hi Rene

    Can this also be done via ASDM?
    I work on Palo Alto FW and Netscreen and I found using the GUI is easier than the CLI for me.

    Thank you

14 more replies! Ask a question or join the discussion by visiting our Community Forum