10-02-2013 08:46 AM - edited 03-11-2019 07:46 PM
Thanks for reading!
I want to organize these tcp ports into an object group on my ASA5520. The ACLs are organized and I want to keep it that way. The only option I know of is to enter the rule 7 times - doh!
8443
8888
9000
8081
8000
1099
9011
Seems like it should be easy but I'm just not getting the right search string to find an answer.
Thanks,
Bob
10-02-2013 10:16 AM
I am not quite understanding your question... so you have an ACL applied on an interface already and you don't want it to be changed? By "change" do you mean the order of the actual ACL entries?
10-02-2013 11:59 AM
Hi Saqib,
Thanks for taking the time to read and answer!
What I'm trying to do is add a new rule allowing a DMZ server (x.x.x.x) to connect to an internal server (b.b.b.b) over a handful of tcp ports. I could enter (basically) the same command 7 times,
access-list ACL_DMZ-INET_IN extended permit tcp host x.x.x.x host b.b.b.b eq 8443
access-list ACL_DMZ-INET_IN extended permit tcp host x.x.x.x host b.b.b.b eq 8888
...
access-list ACL_DMZ-INET_IN extended permit tcp host x.x.x.x host b.b.b.b eq 9011
only changing the permitted port. I'm hoping there's an option to aggregate the tcp ports into some kind of group and then invoke the group in only one new ACL rule. That way, I keep the list 6 lines shorter.
That's really my goal (apart from making the stuff work - heh): adding fewer lines to the ACL
Thanks again,
Bob
10-02-2013 10:27 AM
Hello Bob,
Let's say I have an internal server with IP address of 2.2.2.3
object-group service TEST
service-object tcp destination eq 8888
service-object tcp destination eq 8081
access-list Out-In extended permit object-group TEST any host 2.2.2.3
access-group Out-In in interface Outside
ciscoasa(config)# packet-tracer input outside tcp 4.2.2.2 1025 2.2.2.3 8888
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 2.2.2.0 255.255.255.0 Inside_1
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Out-In in interface Outside
access-list Out-In extended permit object-group TEST any host 2.2.2.3
object-group service TEST
service-object tcp destination eq 8888
service-object tcp destination eq 8081
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2, packet dispatched to next module
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside_1
output-status: up
output-line-status: up
Action: allow
That's it!! And remember to register on my website for more information
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
10-02-2013 12:14 PM
Hi Julio,
Thanks for taking time to generate this example. Sorry to be obtuse: could you dumb this down a little?
I think I'm seeing object-group service TEST is where I'd create 7 service objects?
service-object tcp destination eq 8443
service-object tcp destination eq 8888
service-object tcp destination eq 9000
service-object tcp destination eq 8081
service-object tcp destination eq 8000
service-object tcp destination eq 1099
service-object tcp destination eq 9011
And then invoke the object-group like so:
access-list MY_NAMED_ACL extended permit object-group TEST DMZ_SERVER host 2.2.2.3
Am I correct?
Thanks again!
Bob
10-02-2013 12:18 PM
Hi Bob,
No problem, that's what we are here for: to help.
Exactly, you got it, my friend.
Let me know how it goes, and remember to subscribe to my website for future documentation such as the one I exposed here.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura