CISCO Access List Error

Hi,

I inherited a Cisco PIX 515E and I am trying to add the following:

access-list OUTSIDE_access_in_1 extended permit tcp Google 255.255.0.0 interface OUTSIDE eq smtp inactive

I get an error stating: ERROR:<extended> not a valid permission

I defined Google as a name and I am not sure what I am doing wrong.

Thank you for your help in advance
thomasm1948 Asked:

lruiz52 Commented:
Will you provide a sanitized config?
Pete Long (Technical Consultant) Commented:
Remove the word extended, it will be put back in by the OS.

Also, what is 'Google'? If it's an object or an object group, it needs the network object, or object-group before it.

Pete
thomasm1948 (Author) Commented:
Google is a name associated to an IP address

thomasm1948 (Author) Commented:
If I take out extended, I get the following error:

ERROR: extra command argument(s)
lruiz52 Commented:
Try this;

access-list OUTSIDE_access_in_1 extended permit tcp Google 255.255.0.0 eq smtp interface OUTSIDE eq smtp inactive
thomasm1948 (Author) Commented:
I get the following error:

ERROR:<extended> not a valid permission
lruiz52 Commented:
Posting a sanitized config would help.
thomasm1948 (Author) Commented:
asafirewall# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security99
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname asafirewall
domain-name asa
clock timezone EST -5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.1.0 mgnt-network
name 64.18.0.0 Postini
name 64.140.206.217 MMS
name 172.16.1.4 Destiny
name 172.16.1.5 Mail
name 172.16.0.25 Main8e6Filter
name 172.16.0.19 Old8e6
name 172.17.0.2 Oracledb
name 172.16.1.3 Server3
name 172.16.1.22 madmacs
name 172.16.1.12 pcserver
name 12.47.12.130 DestintRDP2
name 12.107.106.100 DestinyRDP2
name 72.91.20.29 Verizon_GW
name 172.16.1.2 Server2
name 74.125.65.109 GMAIL_SMTP
name 74.125.113.109 GMAIL_SMTP2
name 74.125.45.109 Gmail_smtp3
name 74.125.47.109 Gmail_smtp4
name 74.125.0.0 Google
name 209.85.128.0 Google2
name 172.16.1.18 Montage
name 66.54.174.28 Montage_Web_Server
name 172.30.0.85 VARtek-Monitoring
name 172.17.0.4 server10
name 172.16.1.8 Terminal-Server
name 67.78.184.210 OutsideIP
object-group service tcp-udp tcp-udp
  port-object eq www
object-group service rdp tcp-udp
  description rdp
  port-object range 3389 3389
object-group service web tcp
  port-object eq www
  port-object eq https
  port-object range 3309 3309
  port-object eq ftp
object-group service web2 tcp
  port-object eq www
object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object udp
  protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
  protocol-object udp
  protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
  protocol-object udp
  protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
  protocol-object udp
  protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_5
  protocol-object udp
  protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_6
  protocol-object udp
  protocol-object tcp
object-group network DestinyRDPGRP
  description DestinyRDPGRP
  network-object host DestinyRDP2
  network-object host DestintRDP2
object-group service Email tcp
  description Email
  port-object eq https
  port-object eq imap4
  port-object eq pop3
object-group service Web_Server tcp
  description Web_Server
  port-object eq 8080
  port-object eq 8170
  port-object eq 8171
  port-object eq 8181
  port-object eq www
object-group service Games tcp
  description Games
  port-object eq 1119
  port-object eq 3724
  port-object eq 4000
  port-object range 6112 6119
  port-object range 6881 6999
  port-object range 2300 2400
  port-object eq 47624
  port-object eq 28960
  port-object eq 3074
  port-object range 28000 28020
  port-object eq 3723
  port-object range 43594 43595
  port-object eq 5121
object-group service Games2 udp
  description Games2
  port-object range 6112 6119
  port-object range 2300 2400
  port-object eq 47624
  port-object eq 28500
  port-object eq 28510
  port-object eq 28960
  port-object range 3074 3075
  port-object range 3478 3479
  port-object range 28000 28020
  port-object eq 14567
  port-object eq 3723
object-group network SMTP_Gmail
  description SMTP_Gmail
  network-object host GMAIL_SMTP2
  network-object host Gmail_smtp3
  network-object host GMAIL_SMTP
  network-object host Gmail_smtp4
object-group service Gmailsmtp tcp
  description Gmailsmtp
  port-object eq 993
  port-object eq smtp
object-group service transmission tcp-udp
  port-object eq 64330
object-group service ARD tcp-udp
  description ARD
  port-object range 5900 5901
object-group network DM_INLINE_NETWORK_1
  network-object 172.16.1.0 255.255.255.0
  network-object 172.17.0.0 255.255.0.0
  network-object mgnt-network 255.255.255.0
  network-object 172.18.0.0 255.255.0.0
object-group service TCP-8181 tcp
  description TCP-8181
  port-object eq 8181
object-group service RDP tcp
  description Remote Desktop
  port-object eq 3389
access-list PERMIT_IN deny ip any any
access-list inside_outbound_nat0_acl permit ip any 172.16.0.0 255.255.0.0
access-list outside_access_in deny ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside OutsideIP 255.255.255.252
ip address inside 172.16.0.24 255.255.0.0
ip address DMZ 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNinbound 192.168.0.80-192.168.0.85
no pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.78.184.209 1
route inside 172.17.0.0 255.255.0.0 172.16.0.1 1
route inside 172.18.0.0 255.255.0.0 172.16.0.1 1
route inside 172.19.3.0 255.255.255.0 172.16.0.1 1
route inside 172.20.0.0 255.255.0.0 172.16.0.1 1
route inside 172.21.0.0 255.255.0.0 172.16.0.1 1
route inside 172.22.0.0 255.255.255.0 172.16.0.1 1
route inside 192.168.0.0 255.255.0.0 192.168.0.59 1
route inside 192.168.0.4 255.255.255.255 192.168.0.59 1
route inside 192.168.110.0 255.255.255.0 192.168.0.59 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.21 C:/TFTP-Root
floodguard enable
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 10
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcprelay server Server3 inside
dhcprelay server Server2 inside
terminal width 80
lruiz52 Commented:
Looks like you're missing the access group for "outside_access_in_1"

access-group outside_access_in_1 in interface outside

or

access-list OUTSIDE_access_in extended permit tcp Google 255.255.0.0 interface OUTSIDE eq smtp inactive
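
The binding check suggested in the comment above, as an added example that is not part of the original thread: it parses the access-list, nat and access-group lines copied from the posted config and reports whether a given ACL name is defined, bound to an interface, differs only in case from an existing ACL, or would be appended after an existing `deny ip any any`. The function name and report keys are hypothetical, and exact (case-sensitive) name matching is an assumption.

```python
# Constructed excerpt: the ACL-related lines from the "sh run" output posted above.
SAMPLE_CONFIG = """\
access-list PERMIT_IN deny ip any any
access-list inside_outbound_nat0_acl permit ip any 172.16.0.0 255.255.0.0
access-list outside_access_in deny ip any any
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
"""


def audit_acl(config, candidate):
    """Report how the ACL name `candidate` relates to what the config defines and binds."""
    entries = {}      # ACL name -> rule bodies, in config order
    bound = {}        # ACL name -> interface named on its access-group line
    nat_refs = set()  # ACL names referenced from a "nat ... access-list <name>" line
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[0] == "access-list":
            entries.setdefault(tok[1], []).append(" ".join(tok[2:]))
        elif len(tok) >= 5 and tok[0] == "access-group" and tok[3] == "interface":
            bound[tok[1]] = tok[4]
        elif tok and tok[0] == "nat" and "access-list" in tok[:-1]:
            nat_refs.add(tok[tok.index("access-list") + 1])
    return {
        # Assumption: names are compared exactly as written (case-sensitive).
        "defined": candidate in entries,
        "bound_to": bound.get(candidate),
        # Existing ACLs whose name differs from the candidate only in letter case.
        "case_variants": sorted(
            n for n in entries if n != candidate and n.lower() == candidate.lower()
        ),
        # ACLs that no access-group or nat line refers to.
        "unreferenced": sorted(
            n for n in entries if n not in bound and n not in nat_refs
        ),
        # access-group lines that point at an ACL with no entries.
        "undefined_bindings": sorted(n for n in bound if n not in entries),
        # True when the ACL already holds a catch-all deny, so a rule appended
        # to the end is evaluated after it and never matches.
        "shadowed_if_appended": "deny ip any any" in entries.get(candidate, []),
    }


if __name__ == "__main__":
    for name in ("OUTSIDE_access_in_1", "OUTSIDE_access_in", "outside_access_in"):
        print(name, audit_acl(SAMPLE_CONFIG, name))
```

In the posted config only outside_access_in is bound to an interface, and its single entry is `deny ip any any`, so a permit appended to that list is evaluated after the deny.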
thomasm1948 (Author) Commented:
The issue is that I cannot add:

access-list OUTSIDE_access_in extended permit tcp Google 255.255.0.0 interface OUTSIDE eq smtp inactive

I get an error stating: ERROR:<extended> not a valid permission

I took out the _1 after the name just in case that could be the issue. I have been trying everything.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.