IOS - object-group service

Hello Guys,
My question is: do the access lists below operate the same way? I am confused about source and destination ports in an object-group based ACL.
ip access-list extended 101
  deny tcp any any eq bgp
  deny tcp any eq bgp any
  deny tcp any any eq ftp
  deny tcp any eq ftp any
object-group service services
  tcp eq bgp
  tcp eq ftp
ip access-list extended 101
  deny object-group services any any
A follow-up question: if the purpose is to deny any traffic where the source port is bgp (e.g. deny any eq bgp any), how can it be configured using an object-group service?
Thanks in advance
Regards

Hi,
Have you tried configuring it like this
object-group service GATEWAY-SERVICES
service-object tcp eq 88
service-object tcp eq 135
service-object tcp eq 445
service-object tcp eq ldaps
service-object tcp eq 3268
service-object tcp eq 3269
service-object tcp eq 53
service-object udp eq 53
service-object tcp eq 389
service-object udp eq 389
service-object tcp eq 464
service-object udp eq 464
service-object tcp range 49152 65535
service-object udp range 49152 65535
access-list dmzAccess permit object-group GATEWAY-SERVICES host 172.26.11.10 host 10.16.11.203
I am not sure if it was only after software 8.3+ that the command under the actual "object-group" was of format "service-object tcp source" / "service-object tcp destination" (or the same for UDP)
- Jouni
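
A small model of how service object-group entries match a packet, added here as an example and not part of the original thread. It assumes a port spec with no keyword applies to the destination port and that the `source` / `destination` keywords mentioned in the reply above select the side explicitly; the packets are constructed.

```python
# Added example: models port matching for service object-group entries.
# Assumption: a port spec with no keyword applies to the destination port;
# the "source" / "destination" keywords select the side explicitly.

PORT_NAMES = {"bgp": 179, "ftp": 21}  # only the port names used in the question


def _port(token):
    return PORT_NAMES.get(token) or int(token)


def _take_spec(tokens):
    """Consume 'eq P' or 'range LO HI' and return an inclusive (lo, hi) pair."""
    if len(tokens) >= 2 and tokens[0] == "eq":
        port = _port(tokens[1])
        del tokens[:2]
        return (port, port)
    if len(tokens) >= 3 and tokens[0] == "range":
        lo, hi = _port(tokens[1]), _port(tokens[2])
        del tokens[:3]
        return (lo, hi)
    raise ValueError(f"unsupported port spec: {' '.join(tokens)!r}")


def parse_entry(line):
    """Parse 'tcp eq bgp', 'tcp source eq bgp', 'service-object tcp source eq 1 destination eq 2'."""
    tokens = line.split()
    if tokens and tokens[0] == "service-object":
        tokens.pop(0)
    entry = {"proto": tokens.pop(0), "source": None, "destination": None}
    while tokens:
        side = tokens.pop(0) if tokens[0] in ("source", "destination") else "destination"
        entry[side] = _take_spec(tokens)
    return entry


def entry_matches(entry, proto, sport, dport):
    """True when the packet's protocol and both port constraints are satisfied."""
    protos = ("tcp", "udp") if entry["proto"] == "tcp-udp" else (entry["proto"],)
    if proto not in protos:
        return False
    for side, port in (("source", sport), ("destination", dport)):
        spec = entry[side]
        if spec is not None and not (spec[0] <= port <= spec[1]):
            return False
    return True


def group_matches(lines, proto, sport, dport):
    return any(entry_matches(parse_entry(l), proto, sport, dport) for l in lines)


# ACL 101 from the question, one entry per line: "any any eq X" constrains the
# destination port, "any eq X any" constrains the source port.
ACL_101 = ["tcp eq bgp", "tcp source eq bgp", "tcp eq ftp", "tcp source eq ftp"]
GROUP_AS_POSTED = ["tcp eq bgp", "tcp eq ftp"]
GROUP_WITH_SOURCE = GROUP_AS_POSTED + ["tcp source eq bgp", "tcp source eq ftp"]

# Constructed packets: (protocol, source port, destination port)
PACKETS = [("tcp", 40000, 179), ("tcp", 179, 40000), ("tcp", 21, 40001),
           ("tcp", 40002, 443), ("udp", 179, 179)]


def differences(a, b, packets=PACKETS):
    """Packets on which the two rule sets disagree."""
    return [p for p in packets if group_matches(a, *p) != group_matches(b, *p)]


if __name__ == "__main__":
    print("ACL 101 vs group as posted:   ", differences(ACL_101, GROUP_AS_POSTED))
    print("ACL 101 vs group with source: ", differences(ACL_101, GROUP_WITH_SOURCE))
```

Under these assumptions the two rule sets disagree exactly on the packets whose source port is bgp or ftp, and they agree once source entries are added to the group.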

Similar Messages

  • Implementing "object-group service"

    Running 8.2(3) on an ASA 5510
    I have created the two following object groups.
    object-group service gatewayTCP tcp
    port-object eq 88
    port-object eq 135
    port-object eq 445
    port-object eq ldaps
    port-object eq 3268
    port-object eq 3269
    object-group service gatewayTCP-UDP tcp-udp
    port-object eq domain
    port-object eq 389
    port-object eq 464
    port-object range 49152 65535
    I have run into an issue with "domain" working in the tcp-udp type. The following access-list does not work without explicitly calling out "domain" for both TCP and UDP. Everywhere I looked I appear to be doing it right, so what am I missing? Does "permit tcp" need to be "permit ip" to cover both tcp and udp? I found one article with someone suggesting just make it "permit tcp" and it will work. Not in a position to test at the moment so figured I'd ask here. Want to be sure I'm not getting bit anywhere else related to these object groups in case I am not implementing them correctly?
    access-list dmzAccess extended permit tcp host 172.26.11.10 host 10.16.11.203 object-group gatewayTCP
    access-list dmzAccess extended permit tcp host 172.26.11.10 host 10.16.11.203 object-group gatewayTCP-UDP
    Is this a bug with service object groups? Is there some place I need to enable this feature?

    Hi,
    Have you tried configuring it like this
    object-group service GATEWAY-SERVICES
    service-object tcp eq 88
    service-object tcp eq 135
    service-object tcp eq 445
    service-object tcp eq ldaps
    service-object tcp eq 3268
    service-object tcp eq 3269
    service-object tcp eq 53
    service-object udp eq 53
    service-object tcp eq 389
    service-object udp eq 389
    service-object tcp eq 464
    service-object udp eq 464
    service-object tcp range 49152 65535
    service-object udp range 49152 65535
    access-list dmzAccess permit object-group GATEWAY-SERVICES host 172.26.11.10 host 10.16.11.203
    I am not sure if it was only after software 8.3+ that the command under the actual "object-group" was of format "service-object tcp source" / "service-object tcp destination" (or the same for UDP)
    - Jouni

  • SNAT to single host using object-group service

    Hi, I have a single host that I want to static nat a number of services to. I want to use service object groups to simplify commands. I guess the beginning is:
    object-group service OG-SERVICES-INSIDE-MYSERVER
     service-object tcp destination eq ftp
     service-object tcp-udp destination eq www
     service-object tcp destination eq 1723
    object network NETWORK_OBJ_INSIDE-MYSERVER
     host 192.168.1.100
    How would the NAT configuration be?

    Hi Samuel,
    I think object NAT does not allow us to use service object-group. 
    In order to achieve your requirement we need to create network object per static nat per service.
    This is because there can be only one nat statement per network object.
    Hope this helps.
    Thanks,
    Rishabh

  • ASR IOS-XE and object groups

    We recently installed a pair of ASR1004 routers and were somewhat (unpleasantly) surprised to find that the "object-group network" and "object-group service" were not supported.  After doing some searches on the forums here I found this discussion:
    https://supportforums.cisco.com/message/3573041#3573041
    At that time (28 Feb 2012) it was mentioned that support for object-groups for ACLs was planned for 3.9S / Q1CY2013.  We're running 3.10S and still no object groups so I was just wondering if anyone has heard an updated estimate of when this feature will be added to IOS-XE?

    As the release notes state, this feature is implemented in 3.12S:
    http://www.cisco.com/c/en/us/td/docs/routers/asr1000/release/notes/asr1k_rn_rel_notes/asr1k_feats_important_notes_312s.html#pgfId-3452835

  • Access list with multiple object groups

    Hello Everyone,
    I am using a Cisco ASA 5525 with 8.6 code.  I am trying to set up an access list for outbound access, meaning hosts accessing the internet.  I have created an access list called outbound_access and did "access-group outbound_access in interface inside"
    I am trying to use object-groups wherever I can.  Here is an example.
    object-group service obj_Meraki_outbound
    service-object tcp destination eq 443
    service-object tcp destination eq 80
    service-object tcp destination eq 7734
    service-object tcp destination eq 7752
    service-object udp destination eq 7351
    object-group network obj_Meraki_lan
    network-object 10.2.11.0 255.255.255.240
    network-object 10.5.11.0 255.255.225.240
    object-group network obj_Meraki_pub
    des This group lists all hosts associated with Meraki. 
      network-object host 64.156.192.154
      network-object host 64.62.142.12
      network-object host 64.62.142.2
      network-object host 74.50.51.16
      network-object host 74.50.56.218
    object-group service obj_Meraki_outbound
    service-object tcp destination eq 443
    service-object tcp destination eq 80
    service-object tcp destination eq 7734
    service-object tcp destination eq 7752
    service-object udp destination eq 7351
    object-group network obj_Meraki_lan
    network-object 10.x.x.x 255.255.255.240
    network-object 10.x.x.x 255.255.225.240
    object-group network obj_Meraki_pub
    des This group lists all hosts associated with Meraki. 
      network-object host 64.156.192.154
      network-object host 64.62.142.12
      network-object host 64.62.142.2
      network-object host 74.50.51.16
      network-object host 74.50.56.218
    I have tried tying all these groups together in multiple ways but cannot figure out how to do this.  This is what I think it should be: "access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub"
    What I want is to use the service objects, and the source network would be obj_Meraki_lan and the destination would be obj_Meraki_pub.   It seems the rules completely change when you use object groups.  Can someone explain this, maybe with a few examples?  I am already using object groups in many ACLs but not for every element.
    Thanks

    Hi,
    Seems to work on my test ASA
    Attached it to my current LAN interface.
    ASA(config)# packet-tracer input LAN tcp 10.2.11.1 12345 64.156.192.154 80
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         WAN
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outbound_access in interface LAN
    access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub
    object-group service obj_Meraki_outbound
    service-object tcp destination eq https
    service-object tcp destination eq www
    service-object tcp destination eq 7734
    service-object tcp destination eq 7752
    service-object udp destination eq 7351
    object-group network obj_Meraki_lan
    network-object 10.2.11.0 255.255.255.240
    network-object 10.5.11.0 255.255.255.240
    object-group network obj_Meraki_pub
    description: This group lists all hosts associated with Meraki.
    network-object host 64.156.192.154
    network-object host 64.62.142.12
    network-object host 64.62.142.2
    network-object host 74.50.51.16
    network-object host 74.50.56.218
    Additional Information:
    access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq www (hitcnt=1) 0x4d812691
    I have also used such a configuration in some special cases where the customer has insisted on allowing specific TCP/UDP ports between multiple networks. And nothing is stopping you from adding ICMP into the "object-group service" also.
    - Jouni

  • Migrate network object group members; risk

    We upgraded to new 5555 hardware and jumped from 8.2 to 9.1 last year. Our objects listing is now a bit messy. I have never run the "Migrate Network Object Group Members" menu option in ASDM. I see what it is going to do, I am not sure it really helps me clean old objects, it seems low risk, but when I walk up to execution, there are a lot of changes it wants to make. We always save backup configurations but, if there are "gotchas" I don't want to put the company in that position. What has been the community's, Cisco's experience? Thanks for any feedback. jc

    John,
    if you feel that is risky, you can always go for plan B.
    - you can take a closer look at the object groups and decide on a new object naming convention policy.
    - from ASDM or CSM, you can see overlapped or duplicate rules, so you can start with reducing them
    - you can see the same services used in a couple of rules with different service groups.
         - like object-group service WEB-PORTS tcp
                  port-object eq http
                  port-object eq https
                object-group service APPLICATION-PORTS tcp
                  port-object eq http
                  port-object eq https
                object-group service APPS-PORT tcp
                  port-object eq www
                  port-object eq https
    - you can replace all these different object-groups with one object group, like WEB-PORTS.
    - in the same way you can do the exercise for network groups as well.
    hope this helps.
    JD...

  • CSM service-object groups.

    Hello,
    I have a question. I'd like to maintain an enhanced service object group. When I create a service-object, it splits the service-object into sobjname.tcp and then sobjname.udp
    But it doesn't tell you it's going to do this until you deploy (very annoying).
    How can I create an enhanced service-object group with the protocol & port objects? I have both CSM 3.3 and 4.1.
    Also, is there an UNDO command that I don't know about when modifying (cutting and pasting access rules around in CSM)?
    Thanks!
    -M-

    Hello Bobby,
    The object-groups look good,
    The way to use them will be with ACLs so the config looks cleaner and smaller,
    Regards,
    Julio Carvajal

  • Response Group Service stops repeatedly.

    Hi,
    We have a 3 node Lync 2013 FE pool, running on Windows 2012 R2 Datacenter.
    The response group service on all nodes stops periodically at different times. Obviously once all the pool members have stopped this service the Response Groups no longer function. We see the following events in the logs that show the issue:
    Log Name:      Lync Server
    Source:        LS Application Server
    Date:          1/20/2015 4:07:06 AM
    Event ID:      32007
    Task Category: (1055)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      xxxxxxxx
    Description:
    The Application Host stopped due to an unhandled exception in the application.
    The Application Host received an unhandled exception while running application urn:application:RGS. Exception information: Exception: System.Reflection.TargetInvocationException
    > Message: Exception has been thrown by the target of an invocation.
    > StackTrace:    at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
       at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
       at System.Delegate.DynamicInvokeImpl(Object[] args)
       at Microsoft.Rtc.ApplicationServerCore.EventQueueEntry.ExecutionContextRunCallback(Object state)
       at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at Microsoft.Rtc.ApplicationServerCore.EventQueueEntry.InvokeEvent(Boolean executingSynchronously, EventSerializer serializer)
       at Microsoft.Rtc.ApplicationServerCore.EventSerializer.ProcessEvent(Boolean executingSynchronously, EventQueueEntry entry)
       at Microsoft.Rtc.ApplicationServerCore.EventSerializer.ProcessEvents(EventQueueEntry entry)
       at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()
       at System.Threading.ThreadPoolWorkQueue.Dispatch()
    > Source: mscorlib
    > HResult: -2146232828
    Inner Exception: System.NullReferenceException
    > Message: Object reference not set to an instance of an object.
    > StackTrace:    at Microsoft.Rtc.Acd.MatchMaking.CallHandler.StopQueueTimer()
       at Microsoft.Rtc.Acd.MatchMaking.CallHandler.RouteToAnotherQueue(QueueCallHandler currentQueue, QueueCallHandler newQueue)
       at Microsoft.Rtc.Acd.MatchMaking.CallHandler.RouteCallOnQueueTimeout(QueueCallHandler currentQueue)
       at Microsoft.Rtc.Acd.MatchMaking.CallHandler.OnStateTimerExpired()
       at Microsoft.Rtc.Acd.MatchMaking.AgentPresenceManager.OnTimerExpired(Object sender, TimerExpiredEventArgs args)
       at Microsoft.Rtc.Acd.MatchMaking.PresenceProvider.EventQueue.OnExecuteWorkItem(QueueWorkItem workItem)
    > Source: Microsoft.Rtc.Acd.MatchMaking
    > HResult: -2147467261
    Cause: Unhandled exception.
    Resolution:
    Check the events prior to this to resolve the unhandled exception. 
    Log Name:      Lync Server
    Source:        LS Application Server
    Date:          1/20/2015 4:07:06 AM
    Event ID:      32002
    Task Category: (1055)
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      xxxxxxxxxx
    Description:
    The Application Host has stopped an application.
    The Application Host has stopped application RTCRGS
    Log Name:      Lync Server
    Source:        LS Response Group Service
    Date:          1/20/2015 4:07:06 AM
    Event ID:      31207
    Task Category: (2001)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      xxxxxxxxxx
    Description:
    An unhandled exception was encountered in Response Group Service.
    Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.NullReferenceException: Object reference not set to an instance of an object.
       at Microsoft.Rtc.Acd.MatchMaking.CallHandler.StopQueueTimer()
       at Microsoft.Rtc.Acd.MatchMaking.CallHandler.RouteToAnotherQueue(QueueCallHandler currentQueue, QueueCallHandler newQueue)
       at Microsoft.Rtc.Acd.MatchMaking.CallHandler.RouteCallOnQueueTimeout(QueueCallHandler currentQueue)
       at Microsoft.Rtc.Acd.MatchMaking.CallHandler.OnStateTimerExpired()
       at Microsoft.Rtc.Acd.MatchMaking.AgentPresenceManager.OnTimerExpired(Object sender, TimerExpiredEventArgs args)
       at Microsoft.Rtc.Acd.MatchMaking.PresenceProvider.EventQueue.OnExecuteWorkItem(QueueWorkItem workItem)
       --- End of inner exception stack trace ---
       at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
       at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
       at System.Delegate.DynamicInvokeImpl(Object[] args)
       at Microsoft.Rtc.ApplicationServerCore.EventQueueEntry.ExecutionContextRunCallback(Object state)
       at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at Microsoft.Rtc.ApplicationServerCore.EventQueueEntry.InvokeEvent(Boolean executingSynchronously, EventSerializer serializer)
       at Microsoft.Rtc.ApplicationServerCore.EventSerializer.ProcessEvent(Boolean executingSynchronously, EventQueueEntry entry)
       at Microsoft.Rtc.ApplicationServerCore.EventSerializer.ProcessEvents(EventQueueEntry entry)
       at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()
       at System.Threading.ThreadPoolWorkQueue.Dispatch()
    Cause: Internal error in Response Group Service.
    Resolution:
    Restart the service.  If the problem persists contact product support.
    Log Name:      Application
    Source:        .NET Runtime
    Date:          1/20/2015 4:07:06 AM
    Event ID:      1026
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      xxxxxxxxxxxx
    Description:
    Application: OcsAppServerHost.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.Reflection.TargetInvocationException
    Stack:
       at Microsoft.Rtc.ApplicationServerCore.EventSerializer.ProcessEvents(Microsoft.Rtc.ApplicationServerCore.EventQueueEntry)
       at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
       at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
       at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()
       at System.Threading.ThreadPoolWorkQueue.Dispatch()
    Log Name:      Application
    Source:        Application Error
    Date:          1/20/2015 4:07:07 AM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      xxxxxxxxxx
    Description:
    Faulting application name: OcsAppServerHost.exe, version: 5.0.8308.0, time stamp: 0x5050e359
    Faulting module name: KERNELBASE.dll, version: 6.3.9600.16656, time stamp: 0x5318237f
    Exception code: 0xe0434352
    Fault offset: 0x00000000000043c8
    Faulting process id: 0x3cbc
    Faulting application start time: 0x01d033d48b291c99
    Faulting application path: C:\Program Files\Microsoft Lync Server 2013\Application Host\OcsAppServerHost.exe
    Faulting module path: C:\Windows\system32\KERNELBASE.dll
    Report Id: b4e25672-a083-11e4-80ce-005056b06583
    Faulting package full name: 
    Faulting package-relative application ID: 
    I initially thought this may be due to AV scanning but this has been disproved. Please assist me with troubleshooting this issue.
    thanks
    Chris

    Hi,
    Please make sure CMS replication update to the latest status.
    Try to install the latest update for Lync Server and reboot the server.
    Best Regards,
    Eason Huang
    TechNet Community Support

  • LS Response Group Service

    Wondered if anyone had seen this before , we're getting the following error on all our Lync 2013 Front Ends but we aren't seeing any impact at all
    Event 31149, LS Response Group Service
    Unhandled Exception occurred when the service was running on a thread pool used by the platform.
    Unhandled Exception: System.NullReferenceException - Object reference not set to an instance of an object.
    Inner Exception: ~
    Cause: Unhandled exception.
    Resolution:
    Restart to service
    Just to confirm restarting the service does not resolve this and the error comes in every 15 minutes.
    Thank you 

    Try to install the latest update for Lync Server and reboot the server.
    Lisa Zheng
    TechNet Community Support

  • ASA 5510 & Object-groups

    I have an ASA 5510 and have just started using object-groups which are super handy in theory, but not working in reality. I have a service object-group with a mix of tcp, icmp, and udp ports. Let's call it Sample_Port_Group. I'm trying to apply it to my dmz_access_in ACL. Here's the line giving me problems:
    access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 any
    The asa throws up an error between 192.168.1.1 and any. When I put up a ? after Sample_Port_Group, it gives me the option of putting in an IP address, any, etc. When I put in a ? after 192.168.1.1, it only gives me the option of putting in an IP address.
    Going off these posts:
    - http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml
    - http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/nwaccess.html
    Those posts gave me the impression my line was possible, especially the "access-list outsideacl extended permit object-group myaclog interface inside any" line, which is at the end of the 2nd article linked.
    What am I doing wrong?
    Thanks in advance for any help.

    Hi Adam!
    You are doing it right, you are just missing one little keyword.
    The line should be as this:
    access-list dmz_access_in extended permit object-group Sample_Port_Group host 192.168.1.1 any
    or you could specify the subnetmask as:
    access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 255.255.255.255 any
    Regards

  • Sample for Business Objects Web Services for Admin Tasks

    Hi,
    Anyone has any idea that where can I get a sample using Business Objects Web Services for Admin Tasks like:
    - How To Set Security Rights
    - How To Manage Categories
    - How To Manage User Accounts
    - How To Manage User Groups
    Thanks,
    Harshad

    Samples are available at:
    https://www.sdn.sap.com/irj/sdn/businessobjects?rid=/webcontent/uuid/e02e0a54-6471-2b10-c99c-d66e07fab102&startindex=21
    Check BOSAP notes and other samples page for more info.

  • Introducing broadcast hunt-group service for CME

    Hello,
    Due to popular demand I wrote this script for the purpose of ringing simultaneously more than one ephone without using shared lines. Like the broadcast hunt-group available for SIP phones, or in CCM.
    http://pbevila.fastmail.fm/public/bcast.tcl
    I haven't tested it completely, currently it works only when all the destinations are SCCP phones, although the objective is to allow mix and match of SCCP phones, SIP phones, pots DPs, etc.
    Please try it and send any feedback here.

    HI Paolo
    I'm attempting to take advantage of your broadcast script you have produced. I'm having a few problems not getting the calls to broadcast. At the moment I'm just playing around with it on a standalone CME with 4 stand 7941 phones. I have used the following config and also shown the output:
    application
    service bcast flash:bcast.tcl
    Jan 4 10:45:47.139: //-1//HIFS:/hifs_ifs_cb: hifs ifs file read succeeded. size=5571, url=flash:bcast.tcl
    Jan 4 10:45:47.139: //-1//HIFS:/hifs_free_idata: hifs_free_idata: 0x457E9518
    Jan 4 10:45:47.139: //-1//HIFS:/hifs_hold_idata: hifs_hold_idata: 0x457E9518
    param destinations 201,202
    Warning: parameter destinations has not been registered under bcast namespace
    I have then used:
    dial-peer voice 100 pots
    description broadcast hunt-group
    service bcast
    incoming called-number 555
    failing call flow:
    7941(1) - > 555 -> CME-> Broadcast (phone2,Phone3)
    When I try to dial 555 from one of the phones it just comes up with number unknown and fails to broadcast. I am also running with CME 3.3 but can upgrade if needed. Also I have no analogue lines, just pure VoIP at the moment. I think it's something to do with the dial-peer?

  • What object group a port is in?

    The following does not help:
    ASA# sho run object-g | in 1433
    port-object eq 1433
    service-object tcp eq 1433
    port-object eq 1433
    ASA# sho run object-g service | in 1433             
    port-object eq 1433
    service-object tcp eq 1433
    ASA# sho run object-g | be 1433       
    port-object eq 1433
    ASA# sho run object-g | grep 1433
    port-object eq 1433
    service-object tcp eq 1433
    port-object eq 1433

    Here's the command to find the object group name a port is in:
    ASAXXX# show run object-group | in object-group | time-exceeded
    object-group icmp-type ICMP_SVCS
    icmp-object time-exceeded
    Now you can find what else is in that object group:
    ASAXXX# sho run object-group id ICMP_SVCS      
    object-group icmp-type ICMP_SVCS
    icmp-object echo-reply
    icmp-object unreachable
    icmp-object echo
    icmp-object time-exceeded
    icmp-object traceroute
    and the access-list that object group is being used in:
    ASAXXX# sho access-list | in ICMP_SVCS
    access-list Access_List_Name line 5 extended permit icmp object-group ABCD object-group WXYZ object-group ICMP_SVCS
    So if you know a port number, you can quickly find out what object group and what access list is allowing that port.
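
The same lookup done offline against a saved configuration, as an added example that is not part of the original thread: it keeps the group header with each member line (which `| include 1433` drops), also finds the port inside a `range` and in groups nested through `group-object`, then lists the access-list lines that reference those groups. The sample configuration, group names and ACL names are constructed; named ports such as `domain` are not resolved and the protocol is ignored.

```python
import re

# Constructed sample of "show running-config object-group" output.
SAMPLE_GROUPS = """\
object-group service SQL_PORTS tcp
 port-object eq 1433
 port-object eq 1434
object-group service APP_SERVICES
 service-object tcp eq 1433
 service-object udp eq 53
object-group service HIGH_PORTS tcp
 port-object range 1024 65535
object-group service DB_BUNDLE tcp
 group-object SQL_PORTS
object-group icmp-type ICMP_SVCS
 icmp-object echo
"""

# Constructed sample of access-list lines from the same configuration.
SAMPLE_ACLS = """\
access-list inside_in extended permit tcp any host 10.0.0.5 object-group SQL_PORTS
access-list inside_in extended permit object-group APP_SERVICES any any
access-list dmz_in extended permit tcp any any object-group DB_BUNDLE
access-list dmz_in extended permit icmp any any object-group ICMP_SVCS
"""

_SPEC = re.compile(r"\b(eq|range)\s+(\d+)(?:\s+(\d+))?")


def parse_object_groups(text):
    """Map group name -> {'header': line, 'members': [lines]}."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "object-group" and len(parts) >= 3:
            current = parts[2]
            groups[current] = {"header": line, "members": []}
        elif current is not None:
            groups[current]["members"].append(line)
    return groups


def _line_covers(line, port):
    """True if a port-object / service-object line covers a numeric port."""
    if not line.startswith(("port-object", "service-object")):
        return False
    for op, first, second in _SPEC.findall(line):
        if op == "eq" and int(first) == port:
            return True
        if op == "range" and second and int(first) <= port <= int(second):
            return True
    return False


def groups_with_port(groups, port):
    """Names of groups that contain the port directly or via group-object nesting."""
    hits = {name for name, g in groups.items()
            if any(_line_covers(m, port) for m in g["members"])}
    changed = True
    while changed:  # propagate through nested groups until nothing new is found
        changed = False
        for name, g in groups.items():
            if name in hits:
                continue
            for member in g["members"]:
                parts = member.split()
                if len(parts) >= 2 and parts[0] == "group-object" and parts[1] in hits:
                    hits.add(name)
                    changed = True
                    break
    return sorted(hits)


def acls_referencing(acl_text, names):
    """Access-list lines that reference any of the given object-group names."""
    wanted, found = set(names), []
    for line in acl_text.splitlines():
        tokens = line.split()
        refs = {tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "object-group"}
        if refs & wanted:
            found.append(line.strip())
    return found


if __name__ == "__main__":
    names = groups_with_port(parse_object_groups(SAMPLE_GROUPS), 1433)
    print("groups:", names)
    for acl_line in acls_referencing(SAMPLE_ACLS, names):
        print("acl:   ", acl_line)
```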

  • ASR 1002 ACL object-group for ZBFW

    Hey guys,
    Quick question. I just want to know if anyone has experience configuring object-groups for ACLs on the ASR 1002. I am trying to do this on ours to consolidate a large ACL we have. It only works if I specifically use the protocols within the configuration. If I add a service object-group to match my protocols it doesn't match. The same configuration works on a 2811 router.
    I have a TAC case open and Cisco is telling me that object-groups are not supported on the ASRs but I have a hard time believing them if the commands clearly exist.
    If anyone has experience in this please let me know.
    Thanks,
    Elton

    Elton,
    "Hi Joe,
    Support will start in 3.9S (Q1CY2013).  Thanks. 
    Cheers,
    /Mani"
    From:
    Ask The Expert: Introduction to Cisco ASR 1000 Series Aggregation Services Routers

  • HT1349 device object push service not available

    When I try to send pictures from my computer (Windows 7) by Bluetooth to my iPhone 4s I receive this message
    "Device Object Push Service Not Available"

    You cannot pair an iPad to a computer for anything other than Internet tethering.
    Android is not the same as iOS.
