Access-lists with tcp-udp object-group

Oct 1st, 2009

I am converting from my PIX to an ASA 5505.

I am having issues making an access list that includes a tcp-udp object-group.

Is there a recommended practice for doing this?

JORGE RODRIGUEZ Thu, 10/01/2009 - 14:44

These are the guidelines: you can create a service group that includes tcp-udp ports, but when creating the access list (for example an inbound ACL) you must specify either udp or tcp in your permit rule, so you will need two access-list entries, one for udp and one for tcp, using the same tcp-udp service group.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1750094

Regards

jsaumer2006 Thu, 10/01/2009 - 18:02

When I try to make the access-list entry, it gives me the following error message in the ASDM:

[ERROR] access-list outside_access_in line 4 extended permit object-group Test_Group object-group Test host xxx.xx.xx.xxx

specified object group has wrong type; expecting protocol type

The object-group Test is in the config as the following:

object-group service Test tcp-udp
 port-object range 20 21
 port-object eq 22
 port-object eq 55
 port-object eq 5631
 port-object eq 5632
 port-object range 9500 9505
 port-object eq www

The Test group is made as the following:

object-group network Test_Group
 network-object host Test_3
 network-object host Test_2
 network-object host Test_1
 network-object host Test_4

Thanks in advance

Correct Answer
JORGE RODRIGUEZ Thu, 10/01/2009 - 19:36

You didn't define in your post where the network-group hosts are coming from, nor where the xxx.xxx.xxx.xxx host is, but looking at your ACL name outside_access_in I will assume xxx.xxx.xxx.xxx is an inside host and your network group contains hosts from the outside, so the inbound rules will read as:

access-list outside_access_in extended permit tcp object-group Test_Group host xxx.xxx.xxx.xxx object-group Test

access-list outside_access_in extended permit udp object-group Test_Group host xxx.xxx.xxx.xxx object-group Test

In the above permit tcp and udp inbound rule examples you must use the network object-group, followed by the inside destination host xxx.xxx.xxx.xxx, followed by the tcp-udp service object-group Test.
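The rule the answer above gives (a tcp-udp service group must be applied through two ACEs, one tcp and one udp, and the protocol slot cannot hold a network group) can be checked and expanded mechanically before pasting into the CLI. The following is an added example, not code from the thread or from Cisco; the group names come from the posts, the host addresses are placeholders I constructed.

```python
import re

# Constructed sample config modelled on the thread: group names come from the
# posts, the network-object host names are placeholders, not real addresses.
ASA_CONFIG = """
object-group service Test tcp-udp
 port-object range 20 21
 port-object eq 22
 port-object eq www
object-group network Test_Group
 network-object host Test_1
 network-object host Test_2
"""

WRONG_TYPE = "specified object group has wrong type; expecting protocol type"

def parse_object_groups(config):
    """Map object-group name -> (kind, protocol); protocol is set only for
    service groups declared with tcp, udp or tcp-udp."""
    groups = {}
    for line in config.splitlines():
        m = re.fullmatch(r"object-group (network|service|protocol) (\S+)"
                         r"(?: (tcp-udp|tcp|udp))?", line.strip())
        if m:
            kind, name, proto = m.groups()
            groups[name] = (kind, proto)
    return groups

def check_ace(ace, groups):
    """Return the error an ACE would raise, or None. Token 4 of
    'access-list NAME extended ACTION PROTO ...' must be a protocol keyword
    or a protocol-type group; a tcp-udp service group needs tcp or udp."""
    toks = ace.split()
    proto = toks[4]
    if proto == "object-group":
        kind, _ = groups.get(toks[5], (None, None))
        return None if kind == "protocol" else WRONG_TYPE
    if toks[-2] == "object-group":
        kind, svc_proto = groups.get(toks[-1], (None, None))
        if kind == "service" and svc_proto and proto not in svc_proto.split("-"):
            return f"service group {toks[-1]} is {svc_proto}; ACE protocol must be tcp or udp"
    return None

def expand_tcp_udp_ace(acl, action, src_group, dst_host, svc_group, groups):
    """Emit the ACE(s) for a service group: a tcp-udp group yields one tcp and
    one udp line, both referencing the same service group."""
    kind, proto = groups[svc_group]
    if kind != "service" or proto is None:
        raise ValueError(f"{svc_group} is not a tcp/udp service object-group")
    return [f"access-list {acl} extended {action} {p} object-group {src_group} "
            f"host {dst_host} object-group {svc_group}"
            for p in proto.split("-")]
```

Running check_ace over the ACE the ASDM generated reproduces the "expecting protocol type" error from the post, while expand_tcp_udp_ace produces the two CLI lines given in the answer.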

jsaumer2006 Fri, 10/02/2009 - 05:30

I think my problem was that I was using the ASDM to put in the rules.

Using the command line, I didn't have any issues.

Thanks for the guidance.
