Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
377
Views
0
Helpful
5
Replies

object-group?

Bob Greer
Level 4
Level 4

‎10-02-2013 08:46 AM - edited ‎03-11-2019 07:46 PM

Thanks for reading!

I want to organize these tcp ports into an object group on my ASA5520.  The ACLs are organized and I want to keep it that way.  The only option I know of is to enter the rule 7 times - doh!

8443
8888
9000
8081
8000
1099
9011

Seems like it should be easy but I'm just not getting the right search string to find an answer.                  

Thanks,

Bob

Labels:
0 Helpful
5 Replies 5

Saqib Raza
Level 1
Level 1

‎10-02-2013 10:16 AM

I am not quiet understanding your question… so you have an acl applied on an interface already and you don’t want it to be changed? By change you mean the order of actual acls entries?

0 Helpful

Bob Greer
Level 4
Level 4
In response to Saqib Raza

‎10-02-2013 11:59 AM

Hi Saqib,

Thanks for taking the time to read and answer!

What I'm trying to do is add a new rule allowing a DMZ server (x.x.x.x) to connect to an internal server (b.b.b.b) over a handful of tcp ports.  I could enter  (basically) the same command 7 times,

access-list ACL_DMZ-INET_IN extended permit tcp host x.x.x.x host b.b.b.b eq 8443
access-list ACL_DMZ-INET_IN extended permit tcp host x.x.x.x host b.b.b.b eq 8888
...

access-list ACL_DMZ-INET_IN extended permit tcp host x.x.x.x host b.b.b.b eq 9011

only changing the permitted port.  I'm hoping there's an option to aggregate the tcp ports into some kind of group and then invoke the group in only one new ACL rule.  That way, I keep the list 6 lines shorter.

That's really my goal (apart from making the stuff work - heh): adding fewer lines to the ACL

Thanks again,
Bob

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni

‎10-02-2013 10:27 AM

Hello Bob,

Let's say I have an internal server with IP address of 2.2.2.3

object-group service TEST

service-object tcp destination eq 8888

service-object tcp destination eq 8081

access-list Out-In extended permit object-group TEST any host 2.2.2.3

access-group Out-In in interface Outside

ciscoasa(config)# packet-tracer input outside tcp 4.2.2.2 1025  2.2.2.3 8888

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   2.2.2.0         255.255.255.0   Inside_1

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group Out-In in interface Outside

access-list Out-In extended permit object-group TEST any host 2.2.2.3

object-group service TEST

service-object tcp destination eq 8888

service-object tcp destination eq 8081

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 2, packet dispatched to next module

Result:

input-interface: Outside

input-status: up

input-line-status: up

output-interface: Inside_1

output-status: up

output-line-status: up

Action: allow

That's it!! And remember to register on my website for more information

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Bob Greer
Level 4
Level 4
In response to Julio Carvajal

‎10-02-2013 12:14 PM

Hi Julio,

Thanks for taking time to generate this example.  Sorry to be obtuse: could you dumb this down a little?

I think I'm seeeing object-group service TEST is where I'd create 7 service objects?

service-object tcp destination eq 8443
service-object tcp destination eq 8888
service-object tcp destination eq 9000
service-object tcp destination eq 8081
service-object tcp destination eq 8000
service-object tcp destination eq 1099
service-object tcp destination eq 9011

And then invoke the object-group like so:

access-list MY_NAMED_ACL extended permit object-group TEST DMZ_SERVER host 2.2.2.3

Am I correct?

Thanks again!
Bob

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to Bob Greer

‎10-02-2013 12:18 PM

Hi Bob,

No problem that's what we are here to help

Exactly you got it my friend.

Let me know how it goes and remember to subscribe to my website for future documentation such as the one I exposed here

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card