Access-lists with tcp-udp object-group

jsaumer2006
Level 1

I am converting from my PIX to an ASA 5505.

I am having issues making an access list that includes a tcp-udp object-group.

Is there a recommended practice for doing this?

1 Accepted Solution

5 Replies

JORGE RODRIGUEZ
Level 10

These are the guidelines: you can create a service group that includes tcp-udp ports, but when creating the access list, for example an inbound ACL, you must specify either udp or tcp in your permit rule, so you will need two access-list entries, one for the udp protocol and one for the tcp protocol, using the same tcp-udp service group.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1750094

Regards

Jorge Rodriguez

When I try to make the access list entry, it gives me the following error message in the ASDM:

[ERROR] access-list outside_access_in line 4 extended permit object-group Test_Group object-group Test host xxx.xx.xx.xxx

specified object group has wrong type; expecting protocol type

The object-group Test is in the config as follows:

object-group service Test tcp-udp
port-object range 20 21
port-object eq 22
port-object eq 55
port-object eq 5631
port-object eq 5632
port-object range 9500 9505
port-object eq www

The Test_Group is made as follows:

object-group network Test_Group
network-object host Test_3
network-object host Test_2
network-object host Test_1
network-object host Test_4

Thanks in advance

You didn't define in your post where the network group hosts are coming from, nor where the xxx.xxx.xxx.xxx host is, but looking at your ACL name outside_access_in I will assume xxx.xxx.xxx.xxx is an inside host and your network group contains hosts from the outside. The inbound rules will read as:

access-list outside_access_in extended permit tcp object-group Test_Group host xxx.xxx.xxx.xxx object-group Test

access-list outside_access_in extended permit udp object-group Test_Group host xxx.xxx.xxx.xxx object-group Test

In the above permit tcp and udp inbound rule examples you must use the network object-group, followed by the inside destination host xxx.xxx.xxx.xxx, followed by the tcp-udp service object-group Test.

Jorge Rodriguez
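As an added example, not taken from the original posts or from Cisco documentation, here is the complete configuration that the two replies above describe (a tcp-udp service group, a network group, and one ACE per transport protocol), with the broken form from the ASDM error shown beside it. The addresses (203.0.113.10 and 203.0.113.11 for the remote hosts, 192.0.2.5 for the inside host) and the group names REMOTE_ADMINS and MGMT_PORTS are assumptions chosen for the example, not the poster's values.

```cisco
! Constructed example, not the poster's config: tcp-udp service group with a
! subset of the ports from the thread. Every port listed here is opened over
! BOTH tcp and udp by the two ACEs below.
object-group service MGMT_PORTS tcp-udp
 port-object eq 22
 port-object range 9500 9505
!
! Remote hosts allowed in (assumed addresses from the TEST-NET-3 range)
object-group network REMOTE_ADMINS
 network-object host 203.0.113.10
 network-object host 203.0.113.11
!
! What ASDM produced in the thread. The token after "permit" must be a
! protocol keyword (tcp, udp, ip, ...) or a *protocol* object-group; a network
! group in that slot is rejected with
!   "specified object group has wrong type; expecting protocol type"
!   access-list outside_access_in extended permit object-group REMOTE_ADMINS object-group MGMT_PORTS host 192.0.2.5
!
! Working form: the same tcp-udp service group used twice, once per transport,
! with the order  <protocol> <source> <destination> <destination service>
access-list outside_access_in extended permit tcp object-group REMOTE_ADMINS host 192.0.2.5 object-group MGMT_PORTS
access-list outside_access_in extended permit udp object-group REMOTE_ADMINS host 192.0.2.5 object-group MGMT_PORTS
!
! Bind the ACL inbound on the outside interface
access-group outside_access_in in interface outside
!
! Verification: show the expanded per-host/per-port elements and hit counts,
! then simulate an inbound SSH session from one of the allowed hosts
show access-list outside_access_in
packet-tracer input outside tcp 203.0.113.10 40000 192.0.2.5 22
```

Two caveats worth checking before trusting the rule. First, on the PIX and on ASA 8.2 and earlier, an ACL applied inbound on the outside interface matches the translated (global) address of the inside host, so the "host" in the ACE is the NAT address, not the private one; from ASA 8.3 onward the ACE matches the real (untranslated) inside address. Second, a tcp-udp group permits every listed port over both transports, so ports that are only ever used over one transport (ftp-data/ftp, ssh, www) pick up an unnecessary udp opening; if most of the ports are TCP-only, two protocol-specific service groups (one tcp, one udp) keep the exposure tighter than a single tcp-udp group.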

I think my problem was that I was using the ASDM to put in the rules.

Using the command line, I didn't have any issues.

Thanks for the guidance.

Jayson, glad it worked out. Please rate helpful posts if this helped.

Regards

Jorge Rodriguez