Resequence ports in Pix service object-group?

Answered Question
Apr 4th, 2008

Say I have..

object-group service PORT-Web-App tcp
 port-object eq 6400
 port-object eq 6500
 port-object eq 8800

..and a few days later I configure

conf t
object-group service PORT-Web-App tcp
 port-object eq 4000
 port-object eq 6100

the result is

object-group service PORT-Web-App tcp
 port-object eq 6400
 port-object eq 6500
 port-object eq 8800
 port-object eq 4000
 port-object eq 6100

Is there any way to resequence the object so it would appear like this in the config?

object-group service PORT-Web-App tcp
 port-object eq 4000
 port-object eq 6100
 port-object eq 6400
 port-object eq 6500
 port-object eq 8800

JORGE RODRIGUEZ Fri, 04/04/2008 - 18:18

Yes you can.

object-group service PORT-Web-App tcp
 no port-object eq 6400
 no port-object eq 6500
 no port-object eq 8800
 no port-object eq 4000
 no port-object eq 6100
 port-object eq 4000
 port-object eq 6100
 port-object eq 6400
 port-object eq 6500
 port-object eq 8800

HTH

Rgds

Jorge

mmedwid Fri, 04/04/2008 - 18:26

Well fair enough. Guess I have to be more specific. :-) Removing ports temporarily would run the risk of interrupting conversations passing through the device. Is there any non-destructive way to sequence the service object group?

JORGE RODRIGUEZ Fri, 04/04/2008 - 18:52

You may have to plan a change. The easiest way is to simply prepare the script in a Notepad text editor and copy and paste it into the firewall; I see no other way to avoid a few seconds of disruption. If, say, you create another new object-group with the proper sequencing, you will still need to change the access lists mapped to the old object-group over to the new object-group, thus also causing disruption, not to mention how many access-lists may be using the old object-group.

Rgds

Jorge

Correct Answer
cisco24x7 Fri, 04/04/2008 - 20:27

This solution is a very simple one:

Original:

object-group service test tcp
 port-object eq 8080
 port-object eq 8081
 port-object eq 8082
 port-object eq 22
 port-object eq 21
 port-object eq 23
 port-object eq 8000
access-list External extended permit icmp any any log
access-list External extended permit tcp any any object-group test log

Now you want to re-arrange it so that it will look something like this, WITHOUT disrupting the traffic:

object-group service test tcp
 port-object eq 21
 port-object eq 22
 port-object eq 23
 port-object eq 8000
 port-object eq 8080
 port-object eq 8081
 port-object eq 8082

What you will do is this:

1- Create a temp group-object:

object-group service temp tcp
 port-object eq 21
 port-object eq 22
 port-object eq 23
 port-object eq 8000
 port-object eq 8080
 port-object eq 8081
 port-object eq 8082

2- Put this group-object inside the test group:

object-group service test tcp
 group-object temp

3- Now remove the following lines inside test, re-add the ports in order, and finally remove the temp group:

 no port-object eq 8080
 no port-object eq 8081
 no port-object eq 8082
 no port-object eq 22
 no port-object eq 21
 no port-object eq 23
 no port-object eq 8000
 port-object eq 21
 port-object eq 22
 port-object eq 23
 port-object eq 8000
 port-object eq 8080
 port-object eq 8081
 port-object eq 8082
 no group-object temp

You will NOT disrupt any live traffic and will achieve your requirements.

This is the reason why I hate Pix. A very complicated and stupid way of doing something as simple as this.

CCIE Security
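As an added example (not code from the thread or from Cisco), the script below generates the temp-group resequencing procedure cisco24x7 describes for any port list, and replays it against a small model of PIX object-group semantics to confirm that no permitted port is dropped at any step. The "remove then re-add" approach is modelled alongside it to show where it fails that check. Function names, the group names and port lists are constructed sample values; only "port-object eq N" entries are modelled (no ranges or named ports).

```python
# Added example, not from the thread: build the resequencing script and check,
# line by line, that the group's effective port set never loses a port.
# Group names and port lists are constructed sample values.

def effective_ports(groups, name):
    """Resolve a service object-group, following nested group-objects."""
    ports = set()
    for kind, value in groups[name]:
        ports |= {value} if kind == "port" else effective_ports(groups, value)
    return ports

def naive_script(group, current):
    """Remove every port, then re-add in sorted order (disruptive)."""
    return ([f"object-group service {group} tcp"]
            + [f" no port-object eq {p}" for p in current]
            + [f" port-object eq {p}" for p in sorted(current)])

def temp_group_script(group, current, temp="temp"):
    """Park the ports in a nested temp group first, as the answer describes."""
    wanted = sorted(current)
    return ([f"object-group service {temp} tcp"]
            + [f" port-object eq {p}" for p in wanted]
            + [f"object-group service {group} tcp", f" group-object {temp}"]
            + [f" no port-object eq {p}" for p in current]
            + [f" port-object eq {p}" for p in wanted]
            + [f" no group-object {temp}"])

def replay(group, current, script):
    """Apply script to a model where group holds current (unique ports).
    Raise if a step drops a port permitted before the change; otherwise
    return the group's final port list in configuration order."""
    groups = {group: [("port", p) for p in current]}
    original = effective_ports(groups, group)
    for line in script:
        tokens = line.split()
        if tokens[0] == "object-group":        # enter object-group config mode
            cur = tokens[2]
            groups.setdefault(cur, [])
            continue
        negate = tokens[0] == "no"
        tokens = tokens[1:] if negate else tokens
        entry = (("port", int(tokens[2])) if tokens[0] == "port-object"
                 else ("group", tokens[1]))
        if negate:
            groups[cur].remove(entry)
        else:
            groups[cur].append(entry)
        missing = original - effective_ports(groups, group)
        if missing:
            raise RuntimeError(f"'{line.strip()}' drops {sorted(missing)}")
    return [v for k, v in groups[group] if k == "port"]
```

Before pasting the generated script into a real device, also confirm that the temp group name is not already in use and that the access-lists referencing the group are the ones you expect.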
