Use of TCP-UDP-Service Groups in ASDM

Answered Question
Jun 17th, 2008

Hi

I use Cisco ASDM 5.2F.

There is the possibility of defining TCP-UDP Service Groups. What's the use of this? I've tried it out and failed. Whenever you create an access rule you have to define either whether it's TCP or UDP (or IP, or ICMP). If you define an access rule for TCP then the UDP protocols won't work and vice versa.

I've successfully been using TCP-UDP-Groups on Checkpoint Firewalls, but in Cisco ASDM it seems futile.

Correct Answer
Farrukh Haroon Tue, 06/17/2008 - 02:37

This feature was introduced 'in parity' of Checkpoint only, as per the ASA 8.0 TAC training.


I'm not really that good with ASDM, but here is how you can configure them on the CLI (and no, they are not futile, pretty useful actually):


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml#serv


Note: Enhanced service object-groups were introduced with the release of software version 8.0. Enhanced service object-groups enable the ASA/PIX to combine IP protocols together in the same service group, which eliminates the need for protocol and icmp-type specific object groups. The protocol type must not be specified in order to configure an enhanced service object-group.


Btw are you using an ASA or a FWSM? Isn't ASDM 5.2F supposed to be for the FWSM?


Regards


Farrukh


Beat.Traber Tue, 06/17/2008 - 02:44

Thanks a lot, and yes, of course I'm using ASDM on top of a FWSM.

I'll try and configure it on the CLI.

Farrukh Haroon Tue, 06/17/2008 - 03:32

I'm sorry I did not read your post carefully the first time. I don't think the feature mentioned in the link is supported on the FWSM.


Regarding what you are trying to achieve, this is from one of my earlier posts:


When you define the object-group using the tcp-udp keyword, there is no real security issue here. Because a service-type object-group just defines the ports, you would still need two separate ACLs here, for example:


access-list 100 permit tcp any host 5.5.5.5 object-group ntp
access-list 100 permit udp any host 5.5.5.5 object-group ntp


Of course you could make a separate protocol object-group to combine both tcp and udp into one (I do this at work), for example


object-group protocol TCP-UDP
 protocol-object udp
 protocol-object tcp


This would make above ACL like this:


access-list 100 permit object-group TCP-UDP any host 5.5.5.5 object-group ntp


HTH


Regards


Farrukh
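As an added illustration of the two ACL styles compared in the post above (my own example, not code from the thread or from Cisco), the Python below flattens a small constructed ASA-style config into the per-protocol matches each ACE actually produces, which is a handy check when reviewing what a rule really permits. The `ntp` group definition, ACL 101 and port 123 are constructed here; the group names and host follow the post.

```python
import re

# Constructed sample config: the thread's 'ntp' tcp-udp service group, its TCP-UDP
# protocol group, and the two ACL styles it compares (eq ports only, no ranges).
CONFIG = """
object-group service ntp tcp-udp
 port-object eq 123
object-group protocol TCP-UDP
 protocol-object udp
 protocol-object tcp
access-list 100 permit tcp any host 5.5.5.5 object-group ntp
access-list 101 permit object-group TCP-UDP any host 5.5.5.5 object-group ntp
"""

def parse_groups(config):
    """Return {name: (kind, transport, members)}; members are ports or protocols."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group (service|protocol) (\S+)(?: (tcp|udp|tcp-udp))?$", line)
        if m:
            current = m.group(2)
            groups[current] = (m.group(1), m.group(3), [])
        elif current and line.startswith(" "):
            groups[current][2].append(line.split()[-1])  # 'eq 123' -> '123', 'udp' -> 'udp'
    return groups

def expand_acl(config):
    """Flatten every ACE into (acl, action, proto, 'src dst', port) tuples."""
    groups, rules = parse_groups(config), []
    for line in config.splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        acl, action, rest = t[1], t[2], t[3:]
        if rest[0] == "object-group":  # protocol group: one ACE covers several protocols
            protos, rest = groups[rest[1]][2], rest[2:]
        else:  # plain tcp/udp keyword: exactly one protocol, whatever the service group is
            protos, rest = [rest[0]], rest[1:]
        target, svc = " ".join(rest[:-2]), rest[-1]  # trailing 'object-group <service>'
        _, transport, ports = groups[svc]
        for proto in protos:
            if transport not in ("tcp-udp", proto):  # the ASA CLI refuses this mismatch too
                raise ValueError(f"{acl}: {svc} is a {transport} group, not {proto}")
            rules.extend((acl, action, proto, target, p) for p in ports)
    return rules

def permitted_protocols(config, acl, port):
    """Transport protocols some ACE of `acl` permits to `port` (ACE order not modelled)."""
    return {r[2] for r in expand_acl(config) if r[0] == acl and r[1] == "permit" and r[4] == port}
```

ACL 100 expands to a TCP match only, which is exactly the behaviour described in the question, while ACL 101 with the protocol object-group expands to both TCP and UDP.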
