I use object groups for my Cisco 1800 routers. The egress ACL has a line (shown below) that permits staff to initiate Remote Desktop (RDP) connections from their computers on the office network vlan1 to any other computer.
permit object-group rdp_ports object-group vlan1 any
Staff also need to VPN in from home and use RDP to access their office computers from home. However, they cannot. I appended a line at the end of the egress ACL to log everything and found this when I do a show log:
list egress denied tcp 172.16.253.126(3389) -> 10.253.10.2(55661)
This shows that I need to allow computers on vlan1 (172.16.253.0/24) with a source port of 3389 to go anywhere (10.253.10.0/24 is the VPN address of the home computer in this case). I appended the following line to the ACL and it worked, and staff can remote in and do RDP.
permit tcp object-group vlan1 eq 3389 any
Question: how can I convert the line above to use object-group rdp_ports (shown below)? I would like this to include ports for both PCs and Macs and special RDP ports.
object-group service rdp_ports
I will file a documentation defect to correct the link that I pasted in my previous response.
Service object-group has to be before the source object-group.
Here is how you can use source and destination port configurations.
object-group service srv-obj
tcp source 53 ------- source port 53
tcp 23 ------- destination port 23
To add more than one source port in a single object group:
object-group service srv-og
tcp source 53
tcp source 80
udp source 67
udp source 68
Then you can call this service object-group first, then the source object-group, then the destination object-group.
I hope it is clear.
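Putting the answer together with the details from the question, here is an added example configuration (not the poster's or the responder's own config) that folds the working `permit tcp object-group vlan1 eq 3389 any` line into the rdp_ports service object-group. It assumes the network object-group vlan1 covers 172.16.253.0/24 (the subnet in the log line), that rdp_ports previously held only the destination-port entry for staff-initiated RDP, and that the ACL is the extended ACL named egress; the non-standard RDP port is a placeholder to fill in.

```cisco
! Added example, not the poster's configuration.
! Assumes vlan1 = 172.16.253.0/24 (the subnet seen in the log line).
object-group network vlan1
 172.16.253.0 255.255.255.0
!
object-group service rdp_ports
! staff on vlan1 initiating RDP to any host (destination port 3389)
 tcp 3389
! replies from office RDP hosts back to VPN clients (source port 3389,
! the direction shown in the "denied tcp ...(3389) -> ..." log entry)
 tcp source 3389
! placeholder for any non-standard RDP port in use: replace <PORT>
! and uncomment both entries so both directions are covered
! tcp <PORT>
! tcp source <PORT>
!
ip access-list extended egress
! order: service object-group, then source object-group, then destination
 permit object-group rdp_ports object-group vlan1 any
! keep the logging deny so further misses show up in "show log"
 deny ip any any log
```

Note that `tcp source 3389`, like the `eq 3389` line the poster found working, matches any TCP packet leaving vlan1 with source port 3389 regardless of whether it belongs to an existing session, so keep the vlan1 network object-group limited to the office subnet rather than widening it. After applying the change, `show object-group` lists the resolved entries so you can confirm the service group contains both the destination and source port lines.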