I'm encountering some unexpected behavior when trying to reference object-groups in an access-list on my Catalyst 4500.
Goal: Restrict a VLAN from accessing other privately addressed subnets (Internet access only), except for a local DNS server in another subnet
IOS-XE Version: 03.03.00.XO RELEASE SOFTWARE (fc2)
General Config:
object-group network subnet_privateClassA
10.0.0.0 255.0.0.0
!
object-group network subnet_privateClassB
172.16.0.0 255.240.0.0
!
object-group network subnet_privateClassC
192.168.0.0 255.255.0.0
!
object-group network subnet_rfc1918All
group-object subnet_privateClassA
group-object subnet_privateClassB
group-object subnet_privateClassC
!
!
...
interface Vlan70
ip address 10.10.70.254 255.255.255.0
ip access-group publicVlan_in in
!
The following access-list blocks access to private IP ranges, except for the desired DNS server (10.16.4.10), but also blocks access to public IPs. So, DNS is able to resolve google.com, but pings fail.
ip access-list extended publicVlan_in
permit ip any host 10.32.4.10
deny ip any object-group subnet_rfc1918All ! (I've also tried just subnet_privateClassA)
permit ip any any
!
The next access list works exactly how I want – local DNS works and I can access the Internet:
ip access-list extended publicVlan_in
permit ip any host 10.32.4.10
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
!
The problem seems to be the use of object-groups. What am I missing here?
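To check the intended policy offline before pushing it to a switch, here is an added Python model (not code from the question or from Cisco) of the working wildcard-mask ACL beside the nested object-group expansion the questioner expects it to be equivalent to. The destination addresses tested are constructed; the evaluator is a plain first-match simulator and does not reproduce the 4500's own object-group handling.

```python
import ipaddress

# Constructed replica of the question's object-groups (IOS writes these with subnet masks).
# A bare string member is a group-object reference to another group.
OBJECT_GROUPS = {
    "subnet_privateClassA": [("10.0.0.0", "255.0.0.0")],
    "subnet_privateClassB": [("172.16.0.0", "255.240.0.0")],
    "subnet_privateClassC": [("192.168.0.0", "255.255.0.0")],
    "subnet_rfc1918All": ["subnet_privateClassA", "subnet_privateClassB",
                          "subnet_privateClassC"],
}


def expand_group(name):
    """Flatten a possibly nested object-group into ip_network objects."""
    nets = []
    for member in OBJECT_GROUPS[name]:
        if isinstance(member, str):                      # nested group-object
            nets.extend(expand_group(member))
        else:
            addr, mask = member                          # subnet-mask form
            nets.append(ipaddress.ip_network(f"{addr}/{mask}"))
    return nets


def wildcard_to_network(addr, wildcard):
    """ACE entries use wildcard (inverse) masks; invert to a subnet mask."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}")


# The working ACL from the question: first match wins, implicit deny at the end.
ACL = [
    ("permit", [ipaddress.ip_network("10.32.4.10/32")]),  # local DNS server
    ("deny", [wildcard_to_network("10.0.0.0", "0.255.255.255")]),
    ("deny", [wildcard_to_network("172.16.0.0", "0.15.255.255")]),
    ("deny", [wildcard_to_network("192.168.0.0", "0.0.255.255")]),
    ("permit", [ipaddress.ip_network("0.0.0.0/0")]),        # everything else
]

# The object-group variant, expanded the way the questioner expects it to behave.
ACL_OG = [ACL[0], ("deny", expand_group("subnet_rfc1918All")), ACL[-1]]


def evaluate(acl, dst):
    """Return the action of the first ACE whose destination covers dst."""
    d = ipaddress.ip_address(dst)
    for action, nets in acl:
        if any(d in n for n in nets):
            return action
    return "deny"  # implicit deny


if __name__ == "__main__":
    for dst in ("10.32.4.10", "10.10.70.1", "172.20.1.1", "8.8.8.8"):  # constructed
        print(dst, evaluate(ACL, dst), evaluate(ACL_OG, dst))
```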
Best Answer
At long last, an answer. I recently encountered another situation where I had to create access-lists that would benefit from object-group references. After trying several different things to work around the problem, I finally threw in the towel and contacted Cisco technical support (which I'm always loath to do).
After an initial careless and blatantly wrong attempt to answer my question, the Cisco technician came back with the following:
So, there you go - and it only took Cisco 6 days to come up with this answer (a record).