Ipsec - object group
Hello and thank you in advance
I have an IPsec tunnel set up with the use of object groups. This IPsec tunnel is active and in production. If I need to add one more IP to that object group, will I need to do anything for it to take effect, or will that be done automatically?
Sorry for a stupid question.
If you need to add one more IP to the object group for the crypto ACL, you would need to add the same on the remote VPN peer, as the crypto ACL needs to be a mirror image between the 2 sites.
Once the changes have been made, you would need to clear the tunnel, as the SA for the new IP will only be built during the negotiation.
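Added example, not part of the thread: a small Python check that the two peers' crypto ACLs are mirror images after an entry has been added on one side. The ACL name, networks and the newly added host are constructed sample values in ASA netmask syntax; the script only reports the entries each peer is missing, it does not touch any device.

```python
import ipaddress
from typing import List, Set, Tuple

# Constructed sample: crypto ACLs in the ASA form
#   permit ip <src> <mask> <dst> <mask>   (or "host A" / "any")
# A new host (10.1.1.50) has been added on the local peer only.
LOCAL_CRYPTO_ACL = """
access-list VPN-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN-TRAFFIC extended permit ip host 10.1.1.50 192.168.2.0 255.255.255.0
"""
REMOTE_CRYPTO_ACL = """
access-list VPN-TRAFFIC extended permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
"""

Pair = Tuple[str, str]  # (source network, destination network) in CIDR form


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec starting at tokens[i]; return (cidr, next index)."""
    if tokens[i] == "any":
        return "0.0.0.0/0", i + 1
    if tokens[i] == "host":
        return f"{tokens[i + 1]}/32", i + 2
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return str(net), i + 2


def parse_crypto_acl(text: str) -> Set[Pair]:
    """Return the set of (src, dst) pairs permitted by a crypto ACL."""
    pairs: Set[Pair] = set()
    for line in text.strip().splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue  # deny lines and comments do not select traffic for the tunnel
        i = tokens.index("permit") + 2  # skip 'permit' and the protocol keyword
        src, i = _take_addr(tokens, i)
        dst, _ = _take_addr(tokens, i)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(local: str, remote: str) -> Tuple[List[Pair], List[Pair]]:
    """Compare two peers' crypto ACLs.

    Returns (entries the remote side lacks, entries the local side lacks),
    each expressed as the (src, dst) pair the lacking side would have to add.
    Any non-empty result means the SA for that traffic cannot be negotiated.
    """
    local_pairs = parse_crypto_acl(local)
    remote_pairs = parse_crypto_acl(remote)
    expected_remote = {(dst, src) for src, dst in local_pairs}
    expected_local = {(dst, src) for src, dst in remote_pairs}
    return sorted(expected_remote - remote_pairs), sorted(expected_local - local_pairs)


if __name__ == "__main__":
    missing_remote, missing_local = mirror_mismatches(LOCAL_CRYPTO_ACL, REMOTE_CRYPTO_ACL)
    for src, dst in missing_remote:
        print(f"remote peer is missing: permit ip {src} -> {dst}")
    for src, dst in missing_local:
        print(f"local peer is missing:  permit ip {src} -> {dst}")
```

Once both sides agree, the tunnel still has to be cleared so the new proxy identities are negotiated, as the answer above says.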
Similar Messages
-
Implementing "object-group service"
Running 8.2(3) on an ASA 5510
I have created the two following object groups.
object-group service gatewayTCP tcp
port-object eq 88
port-object eq 135
port-object eq 445
port-object eq ldaps
port-object eq 3268
port-object eq 3269
object-group service gatewayTCP-UDP tcp-udp
port-object eq domain
port-object eq 389
port-object eq 464
port-object range 49152 65535
I have run into an issue with "domain" working in the tcp-udp type. The following access-list does not work without explicitly calling out "domain" for both TCP and UDP. Everywhere I looked I appear to be doing it right, so what am I missing? Does "permit tcp" need to be "permit ip" to cover both TCP and UDP? I found one article with someone suggesting to just make it "permit tcp" and it will work. Not in a position to test at the moment, so I figured I'd ask here. Want to be sure I'm not getting bit anywhere else related to these object groups in case I am not implementing them correctly.
access-list dmzAccess extended permit tcp host 172.26.11.10 host 10.16.11.203 object-group gatewayTCP
access-list dmzAccess extended permit tcp host 172.26.11.10 host 10.16.11.203 object-group gatewayTCP-UDP
Is this a bug with service object groups? Is there some place I need to enable this feature?
Hi,
Have you tried configuring it like this
object-group service GATEWAY-SERVICES
service-object tcp eq 88
service-object tcp eq 135
service-object tcp eq 445
service-object tcp eq ldaps
service-object tcp eq 3268
service-object tcp eq 3269
service-object tcp eq 53
service-object udp eq 53
service-object tcp eq 389
service-object udp eq 389
service-object tcp eq 464
service-object udp eq 464
service-object tcp range 49152 65535
service-object udp range 49152 65535
access-list dmzAccess permit object-group GATEWAY-SERVICES host 172.26.11.10 host 10.16.11.203
I am not sure if it was only after software 8.3+ that the command under the actual "object-group" was of format "service-object tcp source" / "service-object tcp destination" (or the same for UDP)
- Jouni -
Object-group with network-object containing an IP address range
Hello,
Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':
object-group network test
network-object 192.168.0.0 192.168.63.255
network-object-group mode commands/options:
A.B.C.D Enter an IPv4 network mask
sh run ob id test
object-group network test
network-object 192.168.0.0 192.168.63.255
I found that in the documentation it requires a netmask as opposed to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug, how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range, it looks like the ASA doesn't read that configuration properly. Thank you.
-John
Hello,
Thank you for your replies. In code version 8.0(5)23, it appears I am able to define a "range" of IP addresses as in:
192.168.0.0 192.168.63.255 as opposed to defining a range with a netmask like 192.168.0.0 255.255.192.0.
With the "range" of IP address applied to the "object-group network test" with sub command "network-object 192.168.0.0 192.168.63.255" the ASA does not pick up on said "range" when this object group is applied to a DENY access list. It only reads it properly when the netmask is attached, which is the correct configuration, as in: "network-object 192.168.0.0 255.255.192.0".
To clarify, I mean range as in 192.168.0.0 - 192.168.63.255.
Hope this helps to understand. I am just curious as to why this is even able to be applied in such a way or if it is a bug in this particular code version? I can also confirm that this can be done in code version 8.4(2). See below snippets of my configuration in the 8.4(2) code version:
access-list 101 line 3 extended deny ip object-group testmask any 0x577f55a8
access-list 101 line 3 extended deny ip 192.168.0.0 192.168.63.255 any (hitcnt=0) 0x0623b0c4
access-list 101 line 4 extended permit tcp any any eq 89 (hitcnt=1) 0x36f1e5cd
Packet trace results in allowing the "range" of IP address:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmztest
output-status: up
output-line-status: up
Action: allow
Now with the "correct" configuration:
access-list 101 line 3 extended deny ip object-group testmask any 0x577f55a8
access-list 101 line 3 extended deny ip 192.168.0.0 255.255.192.0 any (hitcnt=1) 0xa31c6bbd
access-list 101 line 4 extended permit tcp any any eq 89 (hitcnt=1) 0x36f1e5cd
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmztest
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Thank you.
-John -
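Added example, not from the thread: a Python audit that tells a "network-object A B" entry written with a netmask apart from one where B is actually the end of a range (which the CLI accepted without error above), and prints the netmask-form lines that express the same range. The object-group snippet is constructed; it reuses the 192.168.0.0 - 192.168.63.255 range and the 255.255.192.0 mask from the posts above.

```python
import ipaddress
from typing import Dict, List

# Constructed sample config: one range-form entry (the problem case from the
# thread), one correct mask-form entry and one host entry.
SAMPLE_OBJECT_GROUP = """\
object-group network test
 network-object 192.168.0.0 192.168.63.255
 network-object 10.0.0.0 255.255.255.0
 network-object host 10.1.1.1
"""


def is_netmask(value: str) -> bool:
    """True if value is a contiguous IPv4 netmask (ones followed by zeros)."""
    bits = int(ipaddress.IPv4Address(value))
    inv = (~bits) & 0xFFFFFFFF          # a valid mask inverted is 2**k - 1
    return (inv & (inv + 1)) == 0


def check_network_object(line: str) -> Dict[str, object]:
    """Classify one 'network-object A B' line.

    Returns form="mask" when B is a netmask, or form="range" when B is only
    readable as the last address of a range, together with the CIDR blocks the
    entry covers and, for range form, replacement lines in netmask syntax.
    """
    tokens = line.split()
    if len(tokens) != 3 or tokens[0] != "network-object" or tokens[1] == "host":
        raise ValueError(f"not a 'network-object A B' entry: {line!r}")
    addr, second = tokens[1], tokens[2]
    if is_netmask(second):
        net = ipaddress.ip_network(f"{addr}/{second}", strict=False)
        return {"form": "mask", "networks": [str(net)], "fix": []}
    first, last = ipaddress.IPv4Address(addr), ipaddress.IPv4Address(second)
    if last < first:
        raise ValueError(f"neither a netmask nor a range end: {line!r}")
    # Summarize the range into the fewest CIDR blocks; a range that is not
    # aligned to a single block yields several lines.
    nets = list(ipaddress.summarize_address_range(first, last))
    fixes = [f"network-object {n.network_address} {n.netmask}" for n in nets]
    return {"form": "range", "networks": [str(n) for n in nets], "fix": fixes}


def audit_object_group(config: str) -> List[str]:
    """Return netmask-form replacement lines for every range-form entry."""
    fixes: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("network-object ") or line.startswith("network-object host"):
            continue
        result = check_network_object(line)
        fixes.extend(result["fix"])  # empty for mask-form entries
    return fixes


if __name__ == "__main__":
    for fix in audit_object_group(SAMPLE_OBJECT_GROUP):
        print("replace range-form entry with:", fix)
```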
Subclass webutil object group problem
Hi,
I am using 10g form.
I downloaded the webutil demo and got a form called WU_TEST_106 in which there is
an object group called WEBUTIL.
Then I create a new form and drag the object group WEBUTIL of the form
WU_TEST_106 to the object group of the new form and choose 'subclass'.
When I check the content of the WEBUTIL data block in the new form, there
are no items there.
There should be some bean area such as WEBUTIL_FILE_FUNCTIONS and
WEBUTIL_HOST_FUNCTIONS etc.
Can anyone help?
Ivan
Do not subclass WEBUTIL from another form. In folder <DevSuiteHome>\forms there should exist file webutil.olb. Open this file directly in Form Builder using
File | Open
and subclass the objects contained within.
Eric Adamson
Lansing, Michigan -
ORA-23326: object group "PUBLIC","REPG" is quiesced
I am using Oracle 9i Enterprise Manager.
I have two servers with databases isb.city and rwp.rawat. I completed the whole process of Multimaster Replication. I am working on the SCOTT schema as test. Right now I am working on LAN.
Two servers are connected with each other. I am facing two problems:
1) When I try the following command, it shows no rows on both servers:
SQL>SELECT DBLINK FROM DBA_REPSITES WHERE GNAME = 'repg';
no rows selected
2) When I try to insert data in the tables, it doesn't allow it and gives the following:
ORA-23326: object group "PUBLIC","REPG" is quiesced
I already made changes in init.ora and changed spfile file as well accordingly.
What is wrong with my setup?
Try this:
1. SELECT DBLINK FROM DBA_REPSITES WHERE GNAME = 'REPG';
2. You should change init.ora or spfile (database is using one of them):
show parameter pfile will show you if you are using spfile or not
execute RESUME_MASTER_ACTIVITY to unquiesce the replication group
Best Regards
Krystian Zieja / mob -
Is it possible to nest object groups in forms?
Title says it all, but to explain further - I'd like to create some object groups and the objects I'd like to include within these groups are themselves objects groups.
Is that possible?
No - But you could subclass an object group and then add extra children to it.
-
I have an ASA 5510 and have just started using object-groups which are super handy in theory, but not working in reality. I have a service object-group with a mix of tcp, icmp, and udp ports. Let's call it Sample_Port_Group. I'm trying to apply it to my dmz_access_in ACL. Here's the line giving me problems:
access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 any
The asa throws up an error between 192.168.1.1 and any. When I put up a ? after Sample_Port_Group, it gives me the option of putting in an IP address, any, etc. When I put in a ? after 192.168.1.1, it only gives me the option of putting in an IP address.
Going off these posts:
- http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml
- http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/nwaccess.html
Those posts gave me the impression my line was possible, especially the "access-list outsideacl extended permit object-group myaclog interface inside any" line, which is at the end of the 2nd article linked.
What am I doing wrong?
Thanks in advance for any help.
Hi Adam!
You are doing it right, you are just missing one little keyword.
The line should be as this:
access-list dmz_access_in extended permit object-group Sample_Port_Group host 192.168.1.1 any
or you could specify the subnetmask as:
access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 255.255.255.255 any
Regards -
CSCut57898 - C897 ACL object-group leak/miss for BGP tcp 179 / causing deny
We appear to be seeing this bug, or something very similar, on a 3845 running 15.1(4)M9 (c3845-adventerprisek9-mz.151-4.M9.bin), and a 3945 running 15.1(1)T (c3900e-universalk9-mz.SPA.151-1.T.bin). On both platforms traffic that should be (and most often is) matching an object-group ACE is sometimes "falling through" that ACE and hitting ACEs below the object-group based ACE that it should have matched. Depending on the ACEs in question, this sometimes results in traffic that should be permitted falling into a later deny, or more troubling, traffic that should be denied falling into a subsequent permit.
I am particularly curious to know if this may be related to http://tools.cisco.com/security/center/viewAlert.x?alertId=37423 and https://tools.cisco.com/bugsearch/bug/CSCun21071 and whether there is a fix.
Anyone who is working on this is welcome to contact me directly. I have crystal clear logging of traffic falling through ACEs on these systems, and I would be happy to assist in any way I can. I would really like to get this problem solved, it is causing me a great deal of grief and frustration. -
Object-groups created with the CLI don't appear in the ANM Config>Devices>Security>Object Groups as they should and ACLs using these groups are displayed incorrectly. SYNC and upgrading to ANM v2.1 hasn't resolved the issue. Object-groups created with ANM don't have this problem. Is this a bug or is there some other way to import/sync the config to ANM?
Hello,
No, haven't heard a thing yet. I have learned a bit more though about the symptoms. Some contexts aren't affected by the bug at all. The ACL using the group and the group itself was imported and is displayed correctly by ANM. But they only have a couple of simple object groups and a single line ACL referencing the groups, while the broken contexts have many large object groups and large ACLs. So, maybe it's related to size or complexity.
I plan to open a TAC Case when I get a minute. I use the CLI to build the contexts and don't use the GUI much, but other people who maintain the servers do. -
I am using Forms 6i. And I have a problem with attaching an Object Group.
After attaching, the form does not execute.
I have a question: What are the values of the Object Group utility in the registry?
Or if there is another suggestion...
Thanks, so much.
Martônio.
1. Did you copy the object group to the new module or subclassed it?
R- Subclass.
2. Did you compile your form module after doing copy/subclass of the object group?
R- Yes.
3. Did you get any compilation error/warning?
R-No. Because the form close before display.
4. Is the base object group from a form or an object library?
R-Object Library.
5. Is the base form / object library in which the object group exists there in the FORMS60_PATH?
R-Yes.
Thanks. So much....
Martônio. -
Subclass / Object Group / Object Library error?
Forms [32 Bit] Version 10.1.2.0.2 (Production)
I am experiencing a strange problem with classes, object groups and object libraries - I have tried all sorts of combinations, but I always get the same problem.
1. Create a form
2. Create a property class - PC1 and add a when-button-pressed trigger that does 'null'
3. Create another property class PC2 that subclasses PC1 - note that the trigger is inherited correctly and the Trigger Text shows the inheritance arrow in the property sheet.
4. Create an object group in the form - OBJ1 - and add these two classes.
5. Create a new object library and copy the OBJ1 object group.
It is at this point that things go wrong! If you now look back at the PC2 class - the inheritance chain of the trigger code has now been broken?
Well - it ALWAYS is my system - I have tried all sorts of combinations - including changing paths, forms_path, registry etc. etc. but I am coming to the conclusion that it is a bug?
Can anyone confirm that they experience the same problem?
Regards,
Bren
Thanks Gerd!
I have tried on 10g on several machines (some identical) and some with different paths (FORMS_PATH etc.) - but I always get the inherited trigger code disassociated.
Also - and slightly strange, before I copy the object group, the properties of the trigger are perfect and the trigger code shows the inherited arrow. Directly after copying the object group, the trigger code property sheet has the un-inherited red cross, but, if I close the Form, I am not prompted to save the changes? So it's like Forms is making the change, but not internally marking the form as being changed.
Let me know how you get on with 10g - and thanks for your input!
Regards,
Bren -
Breaking Subclass/Removing Object Group/Without loss of code for child form
Hi all..
This is regarding Forms 10g (breaking inheritance)
I have a base form as well as client form.
The child form has some properties in common with the base form, so the child form has a subclass (inheritance) from the base class with the help of an Object Group. This is the existing setup.
Now, the client wants the same information as the child form without the link to the base form.
i.e., they want to remove the Object Group without disturbing the child form.
Finally, they want the child form to be independent from the base form. i.e., the child form should not have inheritance from the base form, and at the same time they don't want to lose any code from the child form.
There are thousands of forms like that which need re-work.
Is there any tool/script available to do this process of work automatically?
Please provide the necessary details and help me regarding this.
Regards
Madhava
You CAN add new items to the subclassed block or change triggers code or even add new triggers. Form Builder won't let you create items in-between existing subclassed items or triggers. So if you need to create a new item, create at the end of subclassed item or trigger...
You can not DELETE items of subclassed block or the block itself if it is subclassed. But you can remove the subclassed object from your child module --- by removing class info from the object group in child module --- but it will also remove all the subclassed child objects.
If you delete or change anything in the master object, it will directly affect the subclassed object and you can see the change immediately in the child modules.
When you drag the master object to child, it asks you if you need to subclass or copy, selecting copy will create a separate copy which you can play with in the child module.
And below is brief help on the matter:
If you don't want all the objects in the subclassed object group, then you might consider either subclassing the desired objects individually, or creating an object group which contains only the desired objects.
Edited by: Zaafran Ahmed on Oct 13, 2010 12:41 PM -
Attaching the WebUtil object group to a form
Hi. I'm hoping for some help on how to attach the WebUtil object group to a form. I go to the Object Groups node in the object navigator and click the '+' button, but I'm not prompted to attach .olb files. How do I do this? Without it attached I'm receiving the message "The WebUtil object group is not available in this form. WebUtil cannot work." when I run my application. Thanks in advance.
Okay I opened the .olb and it appears under the Object Libraries Node. Then I double-click on the Object Groups node in my form and it simply creates a new object named OBJECT_GROUP100. I can't seem to drag and drop from the Libraries Node to the Object Groups node in my form. It just shows a circle with a line through it indicating that I can't drag it. Any suggestions? (Sorry, I've not done this before).
-
Added webutil object group with JDAPI - adjust the webutil block sequence ?
Hi all,
I'm using the JDAPI to subclass the webutil object group into Forms in an application. Annoyingly, the webutil block becomes the first block on the Form - which means on some Forms it displays on startup. Is there any way (programmatically using JDAPI) that I can move the block to the end of the block list after I've subclassed in the object group?
TIA
Steve
Hello,
move
void move(JdapiObject nextObject)
Reorders an object with respect to its siblings in the collection it belongs to. This is similar to using drag and drop in Form Builder to move a block in a list. This method represents a way to do the same thing programmatically. For example, if you want a block to appear immediately before Block5 in a list, you pass the object representing Block5 as the nextObject argument.
Pass null to this method to move the object to the end of the list. If the specified object and the next_object do not share the same owner, or do not have the same type, the method throws an exception.
You cannot use this method to move objects between parents. For example, it cannot be used to move an Item from one Block to another. If you want to move an object from one parent to another you will have to do something like:
// to move 'itmA' to be positioned before 'itmB' in block
// 'blkB' (when 'itmA' is in another block)
// copy itmA into a new parent (blkB) using same name
Item newItmA = itmA.clone(blkB, itmA.getName());
newItmA.move(itmB); // move new item relative to itmB
itmA.destroy(); // delete original object
itmA = newItmA;
Parameters:
nextObject - the object next to which the specified object is to be moved.
Throws:
JdapiException - if you attempt to move an object next to an object that does not share the same owner or is not of the same type.
Francois -
Access list with multiple object groups
Hello Everyone,
I am using a Cisco ASA 5525 with 8.6 code. I am trying to set up an access list for outbound access, meaning hosts accessing the internet. I have created an access list called outbound_access and did "access-group outbound_access in interface inside".
I am trying to use object-groups wherever I can. Here is an example.
object-group service obj_Meraki_outbound
service-object tcp destination eq 443
service-object tcp destination eq 80
service-object tcp destination eq 7734
service-object tcp destination eq 7752
service-object udp destination eq 7351
object-group network obj_Meraki_lan
network-object 10.2.11.0 255.255.255.240
network-object 10.5.11.0 255.255.255.240
object-group network obj_Meraki_pub
des This group lists all hosts associated with Meraki.
network-object host 64.156.192.154
network-object host 64.62.142.12
network-object host 64.62.142.2
network-object host 74.50.51.16
network-object host 74.50.56.218
object-group service obj_Meraki_outbound
service-object tcp destination eq 443
service-object tcp destination eq 80
service-object tcp destination eq 7734
service-object tcp destination eq 7752
service-object udp destination eq 7351
object-group network obj_Meraki_lan
network-object 10.x.x.x 255.255.255.240
network-object 10.x.x.x 255.255.255.240
object-group network obj_Meraki_pub
des This group lists all hosts associated with Meraki.
network-object host 64.156.192.154
network-object host 64.62.142.12
network-object host 64.62.142.2
network-object host 74.50.51.16
network-object host 74.50.56.218
I have tried tying all these groups together in multiple ways but cannot figure out how to do this. This is what I think it should be: "access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub"
What I want is to use the service objects, with the source network being obj_Meraki_lan and the destination being obj_Meraki_pub. It seems the rules completely change when you use object groups. Can someone explain this, maybe with a few examples? I am already using object groups in many ACLs but not for every element.
Thanks
Hi,
Seems to work on my test ASA
Attached it to my current LAN interface.
ASA(config)# packet-tracer input LAN tcp 10.2.11.1 12345 64.156.192.154 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 WAN
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outbound_access in interface LAN
access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub
object-group service obj_Meraki_outbound
service-object tcp destination eq https
service-object tcp destination eq www
service-object tcp destination eq 7734
service-object tcp destination eq 7752
service-object udp destination eq 7351
object-group network obj_Meraki_lan
network-object 10.2.11.0 255.255.255.240
network-object 10.5.11.0 255.255.255.240
object-group network obj_Meraki_pub
description: This group lists all hosts associated with Meraki.
network-object host 64.156.192.154
network-object host 64.62.142.12
network-object host 64.62.142.2
network-object host 74.50.51.16
network-object host 74.50.56.218
Additional Information:
access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq www (hitcnt=1) 0x4d812691
I have also used such a configuration in some special cases where the customer has insisted on allowing specific TCP/UDP ports between multiple networks. And nothing is stopping you from adding ICMP into the "object-group service" also.
- Jouni