10-01-2009 01:32 PM - edited 03-11-2019 09:22 AM
I am converting from my pix to a ASA 5505.
I am having issues making an access list that includes a tcp-udp object-group.
Is there a recommended practice for doing this?
10-01-2009 07:36 PM
You didn't define in your post where the network group hosts are coming from, nor where the xxx.xxx.xxx.xxx host is, but looking at your ACL name outside_access_in I will assume xxx.xxx.xxx.xxx is an inside host and the hosts in your network group are from the outside, so the inbound rule will read as:
access-list outside_access_in extended permit tcp object-group Test_Group host xxx.xxx.xxx.xxx object-group Test
access-list outside_access_in extended permit udp object-group Test_Group host xxx.xxx.xxx.xxx object-group Test
In the above permit tcp and udp inbound rule examples you must use the network object group, followed by the inside destination host xxx.xxx.xxx.xxx, followed by the service tcp-udp Test object-group.
10-01-2009 02:44 PM
These are the guidelines: you can create a service group that includes tcp-udp ports, but when creating the access list, for example an inbound ACL, you must specify either udp or tcp in your permit rule, so you will need two access-list entries, one for each of the udp and tcp protocols, using the same service tcp-udp group.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1750094
Regards
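The two posts above make the same point: a tcp-udp service object-group is fine on its own, but each ACE must name one L4 protocol, so the group is referenced twice. The script below is an added example, not code from the thread or from Cisco; it parses a constructed ASA-style object-group configuration (the group names follow the thread, the addresses are RFC 5737 documentation space), expands a tcp-udp group into the tcp and udp ACEs, and flags an ACE that has a network group in the protocol position, which is the shape of the ASDM error quoted later in the thread. The accepted protocol keywords and the protocol object-group rule follow the ASA 8.0 command reference linked above; anything else here is an assumption of the example.

```python
"""Expand a tcp-udp service object-group into per-protocol ASA ACEs and lint ACEs.

Added example for this thread; it is not Cisco's tooling.
"""
import re

# Constructed sample configuration modelled on the thread.  Hosts use the
# RFC 5737 documentation range so the file runs offline.
SAMPLE_CONFIG = """\
object-group service Test tcp-udp
 port-object range 20 21
 port-object eq 22
 port-object range 9500 9505
 port-object eq www
object-group network Test_Group
 network-object host 203.0.113.10
 network-object host 203.0.113.11
"""

# Protocol keywords an extended ACE accepts directly (ASA 8.0 syntax; icmp
# ACEs take a different tail but the protocol position is the same).
PROTOCOL_KEYWORDS = {"ip", "tcp", "udp", "icmp"}


def parse_object_groups(config):
    """Parse object-group stanzas into {name: {"kind", "protocol", "members"}}.

    Only the service, network and protocol kinds are handled (assumption:
    that is all the thread's configuration uses).
    """
    groups, current = {}, None
    header = re.compile(
        r"object-group (service|network|protocol) (\S+)(?: (tcp|udp|tcp-udp))?$")
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = header.match(line)
        if m:
            kind, name, proto = m.groups()
            current = groups[name] = {"kind": kind, "protocol": proto, "members": []}
        elif current is not None and line.startswith(
                ("port-object", "network-object", "protocol-object")):
            current["members"].append(line)
        else:
            current = None  # any other line ends the stanza
    return groups


def expand_protocols(service_group):
    """A tcp-udp service group has to be referenced once per L4 protocol."""
    proto = service_group["protocol"]
    return ["tcp", "udp"] if proto == "tcp-udp" else [proto]


def build_aces(acl, src_group, dst_host, svc_group, groups):
    """Return the ACE strings for src network group -> dst host on svc_group's ports."""
    svc = groups[svc_group]
    if svc["kind"] != "service" or groups[src_group]["kind"] != "network":
        raise ValueError("src_group must be a network group, svc_group a service group")
    return [
        f"access-list {acl} extended permit {proto} object-group {src_group} "
        f"host {dst_host} object-group {svc_group}"
        for proto in expand_protocols(svc)
    ]


def check_ace(ace, groups):
    """Return None if the ACE's protocol position is valid, else a short reason.

    The protocol position must hold a protocol keyword or a *protocol*
    object-group; a network or service group there is the mistake the
    thread's ASDM error shows.
    """
    m = re.match(r"access-list \S+ extended (?:permit|deny) (\S+)(?: (\S+))?", ace)
    if not m:
        return "not an extended ACE"
    proto, nxt = m.groups()
    if proto in PROTOCOL_KEYWORDS:
        return None
    if proto == "object-group":
        ref = groups.get(nxt)
        if ref is None:
            return f"unknown object-group {nxt}"
        if ref["kind"] == "protocol":
            return None
        return (f"object-group {nxt} is a {ref['kind']} group; a protocol keyword "
                f"or protocol object-group is required in this position")
    return f"unexpected protocol token {proto!r}"


if __name__ == "__main__":
    groups = parse_object_groups(SAMPLE_CONFIG)
    for ace in build_aces("outside_access_in", "Test_Group", "192.0.2.5", "Test", groups):
        print(ace, "->", check_ace(ace, groups) or "ok")
```

Running it prints the tcp and udp ACEs in the form the solution gives; feeding `check_ace` a line with `permit object-group Test_Group ...` returns a reason instead of None, which is the quickest way to catch rules a GUI has emitted with the operands in the wrong order before they are pushed to the firewall.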
10-01-2009 06:02 PM
When I try to make the access list entry it gives me the following error message in the ASDM:
[ERROR] access-list outside_access_in line 4 extended permit object-group Test_Group object-group Test host xxx.xx.xx.xxx
specified object group
The object-group Test is in the config as the following:
object-group service Test tcp-udp
port-object range 20 21
port-object eq 22
port-object eq 55
port-object eq 5631
port-object eq 5632
port-object range 9500 9505
port-object eq www
The Test group is made as the following:
object-group network Test_Group
network-object host Test_3
network-object host Test_2
network-object host Test_1
network-object host Test_4
Thanks in advance
10-02-2009 05:30 AM
I think my problem was that I was using the ASDM to put in the rules.
Using the command line, I didn't have any issues.
Thanks for the guidance.
10-02-2009 05:56 AM
Jayson, glad it worked out. Please rate the post as helpful if it helped.
Regards