10-01-2009 01:32 PM - edited 03-11-2019 09:22 AM
I am converting from my pix to a ASA 5505.
I am having issues making an access list that includes a tcp-udp object-group.
Is there a recommended practice for doing this?
10-01-2009 07:36 PM
You didn't define in your post where the network group hosts are coming from, nor where the xxx.xxx.xxx.xxx host is, but looking at your acl name outside_access_in I will assume xxx.xxx.xxx.xxx is an inside host and your network group hosts are from the outside, so the inbound rule will read as:
access-list outside_access_in extended permit tcp object-group Test_Group host xxx.xxx.xxx.xxx object-group Test
access-list outside_access_in extended permit udp object-group Test_Group host xxx.xxx.xxx.xxx object-group Test
In the above permit tcp and udp inbound rule examples you must use the network object group, followed by the destination inside host xxx.xxx.xxx.xxx, followed by the service tcp-udp Test object-group.
10-01-2009 02:44 PM
These are the guidelines: you can create a service group that includes tcp-udp ports, but when creating the access list, for example an inbound acl, you must specify in your permit rule either udp or tcp, so you will need two access-list entries, one each for the udp and tcp protocols, using the same service tcp-udp group.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1750094
Regards
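Added example, not code from this thread or from Cisco: a small Python helper that parses the object-groups quoted in this thread, flattens the tcp-udp service group into port ranges so you can review what the inbound rule actually exposes, and emits the separate tcp and udp ACEs the replies describe. The destination 192.0.2.10 is a placeholder for the masked inside host.

```python
import re

# Constructed sample config, copied from the object-groups quoted in this thread.
SAMPLE_CONFIG = """\
object-group service Test tcp-udp
 port-object range 20 21
 port-object eq 22
 port-object eq 55
 port-object eq 5631
 port-object eq 5632
 port-object range 9500 9505
 port-object eq www
object-group network Test_Group
 network-object host Test_3
 network-object host Test_2
 network-object host Test_1
 network-object host Test_4
"""

# Minimal keyword-to-port table; only "www" is needed for the sample above.
PORT_NAMES = {"www": 80}

def parse_object_groups(config):
    """Return {name: {"kind", "proto", "members"}} from ASA object-group text."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group (service|network) (\S+)(?: (\S+))?", line)
        if m:
            current = groups[m.group(2)] = {"kind": m.group(1), "proto": m.group(3), "members": []}
        elif current is not None and line.strip():
            current["members"].append(line.split())
    return groups

def _port(token):
    return PORT_NAMES.get(token) or int(token)

def service_ports(group):
    """Flatten a service group into (low, high) port ranges to review what is exposed."""
    ranges = []
    for member in group["members"]:
        if member[:2] == ["port-object", "eq"]:
            ranges.append((_port(member[2]), _port(member[2])))
        elif member[:2] == ["port-object", "range"]:
            ranges.append((_port(member[2]), _port(member[3])))
    return ranges

def expand_ace(acl, src_group, dst_host, svc_group, groups):
    """Emit one ACE per protocol: a tcp-udp group needs a tcp line and a udp line."""
    svc = groups[svc_group]
    if svc["kind"] != "service":
        raise ValueError(f"{svc_group} is not a service object-group")
    protos = ["tcp", "udp"] if svc["proto"] == "tcp-udp" else [svc["proto"]]
    return [f"access-list {acl} extended permit {p} object-group {src_group} "
            f"host {dst_host} object-group {svc_group}" for p in protos]
```

Running `expand_ace("outside_access_in", "Test_Group", "192.0.2.10", "Test", parse_object_groups(SAMPLE_CONFIG))` yields the two ACE lines from the accepted reply with the placeholder host filled in.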
10-01-2009 06:02 PM
When I try to make the access list entry, it gives me the following error message in the ASDM:
[ERROR] access-list outside_access_in line 4 extended permit object-group Test_Group object-group Test host xxx.xx.xx.xxx
specified object group
The object-group Test is in the config as the following:
object-group service Test tcp-udp
port-object range 20 21
port-object eq 22
port-object eq 55
port-object eq 5631
port-object eq 5632
port-object range 9500 9505
port-object eq www
The Test group is made as the following:
object-group network Test_Group
network-object host Test_3
network-object host Test_2
network-object host Test_1
network-object host Test_4
Thanks in advance
10-02-2009 05:30 AM
I think my problem was that I was using the ASDM to put in the rules.
Using the command line, I didn't have any issues.
Thanks for the guidance.
10-02-2009 05:56 AM
Jayson, glad it worked out. Please rate the post if it helped.
Regards