Resequence ports in Pix service object-group?

Answered Question
Apr 4th, 2008

Say I have..

object-group service PORT-Web-App tcp
 port-object eq 6400
 port-object eq 6500
 port-object eq 8800

..and a few days later I configure

conf t
object-group service PORT-Web-App tcp
 port-object eq 4000
 port-object eq 6100

the result is

object-group service PORT-Web-App tcp
 port-object eq 6400
 port-object eq 6500
 port-object eq 8800
 port-object eq 4000
 port-object eq 6100

Is there any way to resequence the object so it would appear like this in the config?

object-group service PORT-Web-App tcp
 port-object eq 4000
 port-object eq 6100
 port-object eq 6400
 port-object eq 6500
 port-object eq 8800





JORGE RODRIGUEZ Fri, 04/04/2008 - 18:18

Yes you can.

object-group service PORT-Web-App tcp
 no port-object eq 6400
 no port-object eq 6500
 no port-object eq 8800
 no port-object eq 4000
 no port-object eq 6100
 port-object eq 4000
 port-object eq 6100
 port-object eq 6400
 port-object eq 6500
 port-object eq 8800



HTH

Rgds

Jorge

mmedwid Fri, 04/04/2008 - 18:26

Well fair enough. Guess I have to be more specific. :-) Removing ports temporarily would run the risk of interrupting conversations passing through the device. Is there any non-destructive way to sequence the service object group?

JORGE RODRIGUEZ Fri, 04/04/2008 - 18:52

You may have to plan a change. The easiest way is to simply prepare the script in a Notepad text editor and copy and paste it into the firewall. I see no other way to not cause a few seconds of disruption: if, say, you create another new object-group with the proper sequencing, you will still need to change the access lists mapped to the old object-group to the new object-group, thus also causing disruption, not to mention how many access-lists are using the old object-group.





Rgds

Jorge

Correct Answer
cisco24x7 Fri, 04/04/2008 - 20:27

This solution is a very simple one:

Original:

object-group service test tcp
 port-object eq 8080
 port-object eq 8081
 port-object eq 8082
 port-object eq 22
 port-object eq 21
 port-object eq 23
 port-object eq 8000
access-list External extended permit icmp any any log
access-list External extended permit tcp any any object-group test log

Now you want to re-arrange it so that it will look something like this, WITHOUT disrupting traffic:

object-group service test tcp
 port-object eq 21
 port-object eq 22
 port-object eq 23
 port-object eq 8000
 port-object eq 8080
 port-object eq 8081
 port-object eq 8082

What you will do is this:

1- create a temp group-object:

object-group service temp tcp
 port-object eq 21
 port-object eq 22
 port-object eq 23
 port-object eq 8000
 port-object eq 8080
 port-object eq 8081
 port-object eq 8082

2- put this group-object inside the test group:

object-group service test tcp
 group-object temp

3- Now remove the following lines inside test:

 no port-object eq 8080
 no port-object eq 8081
 no port-object eq 8082
 no port-object eq 22
 no port-object eq 21
 no port-object eq 23
 no port-object eq 8000
 port-object eq 21
 port-object eq 22
 port-object eq 23
 port-object eq 8000
 port-object eq 8080
 port-object eq 8081
 port-object eq 8082
 no group-object temp

You will NOT disrupt any live traffic and will achieve your requirements.

This is the reason why I hate Pix. A very complicated and stupid way of doing something as simple as this.

CCIE Security
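Both Jorge's remove-and-re-add script and cisco24x7's staged swap above can be generated and checked mechanically rather than typed into Notepad by hand. The Python below is an added example, not code from either poster or from Cisco: it parses a service object-group out of a running-config, emits the change script for either strategy, and replays that script command by command to count how many commands leave the group missing a port (the window the questioner is worried about). The sample config and its ACL line are constructed, the staging-group name RESEQ-TMP is hypothetical, and the final `no object-group service` cleanup is this example's own addition; the thread's procedure stops at `no group-object temp`.

```python
"""Re-order the port-objects of a PIX/ASA service object-group.  Added example for
the thread above (not from the posts); assumes a flat group of numeric eq/range
port-objects in running-config form and a hypothetical staging group RESEQ-TMP."""
import re

GROUP_RE = re.compile(r"^object-group service (\S+) (tcp|udp|tcp-udp)\s*$")
PORT_RE = re.compile(r"^ port-object (eq|range) (\d+)(?: (\d+))?\s*$")

# Constructed sample: the poster's group plus a range member and a referencing ACL.
SAMPLE_CONFIG = """\
object-group service PORT-Web-App tcp
 port-object eq 6400
 port-object eq 6500
 port-object eq 8800
 port-object eq 4000
 port-object eq 6100
 port-object range 9000 9010
access-list outside_in extended permit tcp any any object-group PORT-Web-App
"""


def parse_service_group(config, name):
    """Return (protocol, members); members are ('eq', p) / ('range', lo, hi) tuples."""
    proto, members, inside = None, [], False
    for line in config.splitlines():
        head = GROUP_RE.match(line)
        if head:                                   # a new object-group stanza
            inside = head.group(1) == name
            proto = head.group(2) if inside else proto
        elif inside and line.startswith(" "):      # member line of our group
            pm = PORT_RE.match(line)
            if not pm:
                raise ValueError(f"unsupported member line: {line.strip()}")
            members.append(tuple(g for g in pm.groups() if g is not None))
        else:
            inside = False                         # any other top-level line
    if proto is None:
        raise ValueError(f"object-group {name} not found")
    return proto, members


def member_key(m):
    return int(m[1]), int(m[-1])                   # ranges sort by their start


def build_script(config, name, strategy="nested", temp="RESEQ-TMP"):
    """CLI to paste.  'simple': remove all, re-add sorted (group empty in between).
    'nested': stage sorted list in `temp`, nest it, swap members, unnest, delete."""
    proto, members = parse_service_group(config, name)
    wanted = sorted(members, key=member_key)
    if wanted == members:
        return ""                                  # already ordered
    drop = [" no port-object " + " ".join(m) for m in members]
    add = [" port-object " + " ".join(m) for m in wanted]
    if strategy == "simple":
        out = [f"object-group service {name} {proto}", *drop, *add]
    elif strategy == "nested":
        if re.search(rf"^object-group \S+ {re.escape(temp)}(?:\s|$)", config, re.M):
            raise ValueError(f"staging group {temp} already exists")
        out = [f"object-group service {temp} {proto}", *add,
               f"object-group service {name} {proto}", f" group-object {temp}",
               *drop, *add, f" no group-object {temp}",
               f"no object-group service {temp} {proto}"]
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    return "\n".join(out) + "\n"


def _effective(groups, name):
    ports = set(groups[name]["ports"])
    for nested in groups[name]["nested"]:
        ports |= _effective(groups, nested)
    return ports


def simulate(config, name, script):
    """Replay the script one command at a time.  Returns (gaps, final_members), where
    gaps counts commands after which the group's effective port set != original."""
    _, original = parse_service_group(config, name)
    groups = {name: {"ports": list(original), "nested": []}}
    current, gaps = None, 0
    for words in (line.split() for line in script.splitlines() if line.strip()):
        if words[:3] == ["no", "object-group", "service"]:
            groups.pop(words[3])
            continue
        if words[:2] == ["object-group", "service"]:
            current = words[2]
            groups.setdefault(current, {"ports": [], "nested": []})
            continue
        negate = words[0] == "no"
        cmd = words[1:] if negate else words
        bucket = groups[current]["ports" if cmd[0] == "port-object" else "nested"]
        item = tuple(cmd[1:]) if cmd[0] == "port-object" else cmd[1]
        if negate:
            bucket.remove(item)
        else:
            bucket.append(item)
        if _effective(groups, name) != set(original):
            gaps += 1
    return gaps, groups[name]["ports"]
```

Over the sample group, `simulate` reports 11 commands after which the group is incomplete for the simple script and 0 for the staged one, and both end with the members in ascending order. Whether a real connection attempt lands in one of those commands depends on how fast the lines are pasted, and an ACL edit on these platforms is normally evaluated for new connections rather than for entries already in the connection table; the staged script removes the question entirely, at the cost of the roundabout sequence the accepted answer complains about. The name-collision check matters in practice: nesting a `group-object` that already exists with other members would silently widen the policy for the duration of the change.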



