Access-lists with tcp-udp object-group

jsaumer2006
Level 1

I am converting from my PIX to an ASA 5505.

I am having issues making an access list that includes a tcp-udp object-group.

Is there a recommended practice for doing this?

1 Accepted Solution

Accepted Solutions

You didn't define in your post where the network group hosts are coming from, nor where the xxx.xxx.xxx.xxx host is, but looking at your ACL name outside_access_in I will assume xxx.xxx.xxx.xxx is an inside host and your network group are hosts from the outside; the inbound rule will read as:

access-list outside_access_in extended permit tcp object-group Test_Group host xxx.xxx.xxx.xxx object-group Test

access-list outside_access_in extended permit udp object-group Test_Group host xxx.xxx.xxx.xxx object-group Test

In the above permit tcp and udp inbound rule examples you must use the network object group, followed by the inside destination host xxx.xxx.xxx.xxx, followed by the service tcp-udp Test object-group.

Jorge Rodriguez


JORGE RODRIGUEZ
Level 10

These are the guidelines. You can create a service group that includes tcp-udp ports, but when creating the access list, for example an inbound ACL, you must specify either udp or tcp in your permit rule, so you will need two access-list entries, one for the udp and one for the tcp protocol, using the same service tcp-udp group.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1750094

Regards

Jorge Rodriguez
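The two rules Jorge states above (a port-based tcp-udp service group cannot sit in the protocol position of an ACE, and it therefore expands into one tcp and one udp entry) can be checked mechanically against a config dump. The following is an added example, not code from the thread or from Cisco: a small checker that parses object-group headers, flags an ACE that would trigger the "expecting protocol type" error, and generates the tcp/udp pair for a tcp-udp group. The config fragment and hostnames are constructed from the placeholders used in the thread; the functions and their names are my own.

```python
"""Added example: validate ASA extended ACEs against object-group types and
expand a port-based tcp-udp service group into the tcp and udp entries the
ASA requires. Object-group names and xxx addresses are placeholders."""
import re
from typing import Dict, List, Optional

# Constructed config fragment mirroring the object-groups in the thread,
# plus one generic service group (no L4 protocol) for contrast.
SAMPLE_CONFIG = """\
object-group service Test tcp-udp
 port-object range 20 21
 port-object eq 22
 port-object eq www
object-group network Test_Group
 network-object host Test_1
 network-object host Test_2
object-group service Web_Svc
 service-object tcp eq 443
"""

HEADER_RE = re.compile(
    r"^object-group (?P<kind>service|network|protocol) (?P<name>\S+)"
    r"(?: (?P<proto>tcp-udp|tcp|udp))?$"
)


def parse_object_groups(config: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map group name -> {'kind': ..., 'proto': 'tcp-udp'|'tcp'|'udp'|None}.

    Only the header lines matter for the protocol-position rule; member
    lines (port-object, network-object, ...) are skipped.
    """
    groups: Dict[str, Dict[str, Optional[str]]] = {}
    for line in config.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            groups[m.group("name")] = {
                "kind": m.group("kind"),
                "proto": m.group("proto"),
            }
    return groups


def check_ace(ace: str, groups: Dict[str, Dict[str, Optional[str]]]) -> List[str]:
    """Return problems with the token in the ACE's protocol position.

    An empty list means the ACE uses a real protocol keyword or a group
    the ASA accepts in that position (a protocol group or a generic
    service group); a port-based tcp/udp/tcp-udp group or a network
    group there is what produces 'expecting protocol type'.
    """
    tokens = ace.split()
    if "extended" not in tokens:
        return ["not an extended ACE"]
    i = tokens.index("extended")
    proto = tokens[i + 2]          # token after permit/deny
    if proto != "object-group":
        return []                  # tcp, udp, ip, icmp, a number: fine
    name = tokens[i + 3]
    g = groups.get(name)
    if g is None:
        return [f"unknown object-group {name}"]
    if g["kind"] == "network":
        return [f"{name} is a network group; expecting protocol type"]
    if g["kind"] == "service" and g["proto"] is not None:
        return [f"{name} is a port-based {g['proto']} service group; "
                "expecting protocol type. Use 'permit tcp'/'permit udp' "
                f"and put object-group {name} after the destination"]
    return []


def expand_ace(acl: str, action: str, src: str, dst: str, svc_group: str,
               groups: Dict[str, Dict[str, Optional[str]]]) -> List[str]:
    """Build the ACE(s) for a port-based service group: one per L4 protocol.

    A tcp-udp group yields two lines, a tcp-only or udp-only group one.
    """
    g = groups[svc_group]
    if g["kind"] != "service" or g["proto"] is None:
        raise ValueError(f"{svc_group} is not a port-based service group")
    protos = ["tcp", "udp"] if g["proto"] == "tcp-udp" else [g["proto"]]
    return [
        f"access-list {acl} extended {action} {p} {src} {dst} object-group {svc_group}"
        for p in protos
    ]


if __name__ == "__main__":
    grps = parse_object_groups(SAMPLE_CONFIG)
    bad = ("access-list outside_access_in extended permit object-group Test_Group "
           "object-group Test host xxx.xx.xx.xxx")
    for problem in check_ace(bad, grps):
        print("REJECT:", problem)
    for line in expand_ace("outside_access_in", "permit", "object-group Test_Group",
                           "host xxx.xxx.xxx.xxx", "Test", grps):
        print("OK:", line, check_ace(line, grps))
```

Running the script prints one rejection for the ACE form from the follow-up post (network group in the protocol slot) and the two accepted tcp/udp lines. The checker is deliberately narrow: it only inspects the protocol position, which is the single point at which a tcp-udp port-object group is misplaced; it does not validate source/destination syntax.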

When I try to make the access list entry, it gives me the following error message in the ASDM:

[ERROR] access-list outside_access_in line 4 extended permit object-group Test_Group object-group Test host xxx.xx.xx.xxx

specified object group has wrong type; expecting protocol type

The object-group Test is in the config as the following:

object-group service Test tcp-udp
 port-object range 20 21
 port-object eq 22
 port-object eq 55
 port-object eq 5631
 port-object eq 5632
 port-object range 9500 9505
 port-object eq www

The Test group is made as the following:

object-group network Test_Group
 network-object host Test_3
 network-object host Test_2
 network-object host Test_1
 network-object host Test_4

Thanks in advance


I think my problem was that I was using the ASDM to put in the rules.

Using the command line, I didn't have any issues.

Thanks for the guidance.

Jayson, glad it worked out. Please rate the post as helpful if it helped.

Regards

Jorge Rodriguez