Question about port usage on ASA

Mar 26th, 2009


I'm creating service groups, and I realized that I can have TCP, UDP, or TCP-UDP. You can only nest the same groups. (TCP can nest TCP, UDP in UDP, and so on). The only way that you can mix tcp and udp port numbers is by creating the tcp-udp service group.

My question is that you can only define the ports and not the protocol that's using it. It would seem that if I put port 80 in a tcp-udp service group, that means I've opened www and udp 80.

Is this the case? Is there any other way around this? I do have groups that will require tcp and udp ports open. My only other alternative is to create the ports and then create separate ACLs to reference individual tcp and udp ports.



robertson.michael Thu, 03/26/2009 - 12:46

Hi John,

I'm not clear on exactly what you are looking to do, but what you describe in your second paragraph is correct. If you enter a port-object of 80 in a tcp-udp group, this will open both TCP/80 and UDP/80.

In addition, the ACL that would reference this object-group does not discriminate in terms of protocols. That is to say that putting port 80 in a tcp-udp group would allow any/all traffic on TCP/80, not just HTTP traffic--the "www" is just an alias to make it easier to read the ACL statements.

Hope that helps.
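
An added example, not part of the original thread and not Cisco tooling: a small Python audit that expands `object-group service` definitions into the (protocol, port) pairs they match, making visible that every port in a tcp-udp group is opened on both protocols. The sample config, the group names and the port-keyword subset are constructed for illustration.

```python
# Constructed sample config (not from the thread); group names are illustrative.
SAMPLE = """\
object-group service WEB tcp
 port-object eq www
object-group service MIXED tcp-udp
 port-object eq 80
 port-object eq domain
object-group service NESTED tcp-udp
 group-object MIXED
 port-object range 5060 5061
"""
ALIASES = {"www": 80, "https": 443, "domain": 53}  # subset of ASA port keywords

def to_port(token):
    return ALIASES[token] if token in ALIASES else int(token)

def parse_groups(config):
    """Parse 'object-group service NAME tcp|udp|tcp-udp' blocks into a dict."""
    groups, cur = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["object-group", "service"] and len(words) == 4:
            cur = groups[words[2]] = {"kind": words[3], "ports": [], "nested": []}
        elif not line.startswith(" "):
            cur = None  # any other top-level command ends the group sub-mode
        elif cur and words[:2] == ["port-object", "eq"]:
            cur["ports"].append((to_port(words[2]), to_port(words[2])))
        elif cur and words[:2] == ["port-object", "range"]:
            cur["ports"].append((to_port(words[2]), to_port(words[3])))
        elif cur and words and words[0] == "group-object":
            cur["nested"].append(words[1])
    return groups

def effective(groups, name):
    """Set of (protocol, port) pairs the group matches when used in an ACL."""
    g = groups[name]
    protos = ("tcp", "udp") if g["kind"] == "tcp-udp" else (g["kind"],)
    ports = {p for lo, hi in g["ports"] for p in range(lo, hi + 1)}
    for child in g["nested"]:  # ASA only nests groups of the same kind
        ports |= {port for _, port in effective(groups, child)}
    return {(proto, port) for proto in protos for port in ports}

def both_protocol_ports(groups):
    """Ports each tcp-udp group opens on both TCP and UDP, for review."""
    return {n: sorted({p for _, p in effective(groups, n)})
            for n, g in groups.items() if g["kind"] == "tcp-udp"}

if __name__ == "__main__":
    print(both_protocol_ports(parse_groups(SAMPLE)))
```

Any port listed for a tcp-udp group that is only needed on one protocol is a candidate for moving into a protocol-specific tcp or udp group referenced by its own ACL entry.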


