
New Member

Access-lists with tcp-udp object-group

I am converting from my pix to a ASA 5505.

I am having issues making an access list that includes a tcp-udp object-group.

Is there a recommended practice for doing this?

Accepted Solution

Re: Access-lists with tcp-udp object-group

You didn't define in your post where the network group hosts are coming from, nor where the xxx.xxx.xxx.xxx host is, but looking at your ACL name outside_access_in I will assume xxx.xxx.xxx.xxx is an inside host and your network group contains hosts from the outside. The inbound rule will read as:

access-list outside_access_in extended permit tcp object-group Test_Group host xxx.xxx.xxx.xxx object-group Test

access-list outside_access_in extended permit udp object-group Test_Group host xxx.xxx.xxx.xxx object-group Test

In the above permit tcp and udp inbound rule examples you must use the network object group, followed by the inside destination host xxx.xxx.xxx.xxx, followed by the tcp-udp service object-group Test.

5 REPLIES

Re: Access-lists with tcp-udp object-group

These are the guidelines: you can create a service group that includes tcp-udp ports, but when creating the access list (for example an inbound ACL) you must specify either udp or tcp in your permit rule, so you will need two access-list entries, one for udp and one for tcp, using the same tcp-udp service group.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1750094

Regards

New Member

Re: Access-lists with tcp-udp object-group

When I try to make the access list entry, the ASDM gives me the following error message:

[ERROR] access-list outside_access_in line 4 extended permit object-group Test_Group object-group Test host xxx.xx.xx.xxx

specified object group has wrong type; expecting protocol type

The object-group Test is in the config as the following:

object-group service Test tcp-udp
 port-object range 20 21
 port-object eq 22
 port-object eq 55
 port-object eq 5631
 port-object eq 5632
 port-object range 9500 9505
 port-object eq www

The Test group is made as the following:

object-group network Test_Group
 network-object host Test_3
 network-object host Test_2
 network-object host Test_1
 network-object host Test_4

Thanks in advance
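The two replies above give the rule (a tcp-udp service group needs one ACE for tcp and one for udp) and show the ASDM-generated line that the ASA rejects because it places a network group where a protocol is expected. The following Python script, added here as an illustration and not code from the thread or from Cisco, parses the object-groups quoted above from a constructed config fragment, expands a rule into the two ACEs the ASA accepts, and reproduces the "wrong type" complaint for the ASDM form. The host address 10.0.0.10 is a constructed placeholder for the xxx.xxx.xxx.xxx host in the thread, and the protocol-position check models only the behaviour the thread describes, not the full ASA ACL grammar.

```python
"""Expand a tcp-udp service object-group into the two ACEs an ASA accepts,
and flag the ASDM form that puts the wrong object-group type in the
protocol position (added example; config text below is constructed to
mirror the object-groups quoted in the thread)."""
import re

# Constructed config fragment: the object-groups from the thread, verbatim.
SAMPLE_CONFIG = """\
object-group service Test tcp-udp
 port-object range 20 21
 port-object eq 22
 port-object eq 55
 port-object eq 5631
 port-object eq 5632
 port-object range 9500 9505
 port-object eq www
object-group network Test_Group
 network-object host Test_3
 network-object host Test_2
 network-object host Test_1
 network-object host Test_4
"""

GROUP_RE = re.compile(
    r"^object-group (service|network|protocol) (\S+)(?: (tcp|udp|tcp-udp))?$"
)


def parse_object_groups(config):
    """Return {name: {"type": ..., "proto": ..., "members": [...]}} from config text."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = GROUP_RE.match(line)
        if m:
            kind, name, proto = m.groups()
            current = {"type": kind, "proto": proto, "members": []}
            groups[name] = current
        elif line.startswith(" ") and current is not None:
            current["members"].append(line.strip())  # indented member line
        else:
            current = None  # any other top-level line ends the group
    return groups


def expand_rule(groups, acl, src_group, dst_host, svc_group):
    """Emit one ACE per protocol: a tcp-udp service group yields a tcp and a udp line."""
    svc, src = groups[svc_group], groups[src_group]
    if svc["type"] != "service" or svc["proto"] is None:
        raise ValueError(f"{svc_group} is not a tcp/udp/tcp-udp service group")
    if src["type"] != "network":
        raise ValueError(f"{src_group} is not a network object-group")
    protocols = ["tcp", "udp"] if svc["proto"] == "tcp-udp" else [svc["proto"]]
    return [
        f"access-list {acl} extended permit {proto} object-group {src_group} "
        f"host {dst_host} object-group {svc_group}"
        for proto in protocols
    ]


def check_ace(groups, ace):
    """Return None if the protocol position of an extended ACE is acceptable,
    otherwise the complaint (the wrong-type message is the one quoted in the thread)."""
    tokens = ace.split()
    if "extended" not in tokens:
        return "not an extended ACE"
    i = tokens.index("extended") + 2  # skip 'extended' and permit/deny
    proto = tokens[i]
    if proto == "object-group":
        grp = groups.get(tokens[i + 1])
        if grp is None:
            return f"object-group {tokens[i + 1]} does not exist"
        if grp["type"] != "protocol":
            return "specified object group has wrong type; expecting protocol type"
        return None
    if proto in {"ip", "tcp", "udp", "icmp"} or proto.isdigit():
        return None
    return f"unknown protocol {proto}"


if __name__ == "__main__":
    groups = parse_object_groups(SAMPLE_CONFIG)
    for ace in expand_rule(groups, "outside_access_in", "Test_Group", "10.0.0.10", "Test"):
        print(ace, "->", check_ace(groups, ace) or "ok")
    asdm_form = ("access-list outside_access_in extended permit object-group Test_Group "
                 "object-group Test host 10.0.0.10")
    print(asdm_form, "->", check_ace(groups, asdm_form))
```

Running the script prints the two accepted ACEs followed by the ASDM-style line and the same "wrong type" message the poster saw, which makes the field order (protocol, source group, destination host, service group) easy to verify before pasting rules into a firewall.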


New Member

Re: Access-lists with tcp-udp object-group

I think my problem was that I was using the ASDM to put in the rules.

Using the command line, I didn't have any issues.

Thanks for the guidance.

Re: Access-lists with tcp-udp object-group

Jayson, glad it worked out. Please rate the post as helpful if it helped.

Regards
