Cisco Support Community

object-group?

Thanks for reading!

I want to organize these tcp ports into an object group on my ASA5520.  The ACLs are organized and I want to keep it that way.  The only option I know of is to enter the rule 7 times - doh!

8443
8888
9000
8081
8000
1099
9011

Seems like it should be easy but I'm just not getting the right search string to find an answer.                  

Thanks,

Bob

5 REPLIES

object-group?

I am not quite understanding your question… so you have an ACL applied on an interface already and you don't want it to be changed? By change, do you mean the order of the actual ACL entries?


object-group?

Hi Saqib,

Thanks for taking the time to read and answer!

What I'm trying to do is add a new rule allowing a DMZ server (x.x.x.x) to connect to an internal server (b.b.b.b) over a handful of TCP ports. I could enter (basically) the same command 7 times,

access-list ACL_DMZ-INET_IN extended permit tcp host x.x.x.x host b.b.b.b eq 8443
access-list ACL_DMZ-INET_IN extended permit tcp host x.x.x.x host b.b.b.b eq 8888
...

access-list ACL_DMZ-INET_IN extended permit tcp host x.x.x.x host b.b.b.b eq 9011

only changing the permitted port.  I'm hoping there's an option to aggregate the tcp ports into some kind of group and then invoke the group in only one new ACL rule.  That way, I keep the list 6 lines shorter.

That's really my goal (apart from making the stuff work - heh): adding fewer lines to the ACL

Thanks again,
Bob

object-group?

Hello Bob,

Let's say I have an internal server with an IP address of 2.2.2.3

object-group service TEST
 service-object tcp destination eq 8888
 service-object tcp destination eq 8081
access-list Out-In extended permit object-group TEST any host 2.2.2.3
access-group Out-In in interface Outside

ciscoasa(config)# packet-tracer input outside tcp 4.2.2.2 1025 2.2.2.3 8888

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   2.2.2.0         255.255.255.0   Inside_1

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Out-In in interface Outside
access-list Out-In extended permit object-group TEST any host 2.2.2.3
object-group service TEST
 service-object tcp destination eq 8888
 service-object tcp destination eq 8081
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2, packet dispatched to next module

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside_1
output-status: up
output-line-status: up
Action: allow

That's it!! And remember to register on my website for more information

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

object-group?

Hi Julio,

Thanks for taking time to generate this example.  Sorry to be obtuse: could you dumb this down a little?

I think I'm seeing that object-group service TEST is where I'd create 7 service objects?

object-group service TEST
 service-object tcp destination eq 8443
 service-object tcp destination eq 8888
 service-object tcp destination eq 9000
 service-object tcp destination eq 8081
 service-object tcp destination eq 8000
 service-object tcp destination eq 1099
 service-object tcp destination eq 9011

And then invoke the object-group like so:

access-list MY_NAMED_ACL extended permit object-group TEST host x.x.x.x host b.b.b.b

Am I correct?

Thanks again!
Bob

object-group?

Hi Bob,

No problem, that's what we are here for: to help.

Exactly, you got it, my friend.

Let me know how it goes, and remember to subscribe to my website for future documentation such as the one I exposed here.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
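As an added example (not from this thread, and not Cisco's code), here is a small Python script that does the tidy-up Bob asked for and Julio's reply illustrates: it reads the per-port ACEs, groups the ones that differ only in destination port, and emits the object-group plus the single replacement ACE. It renders both the ASA 8.3+ service-object form Julio used and the pre-8.3 port-object form, since an ASA 5520 may be running either train. The seven ACE lines are constructed from Bob's post (x.x.x.x and b.b.b.b are his placeholders); the group name DMZ_TO_INT_PORTS is my own choice.

```python
"""Collapse ASA ACEs that differ only in destination port into one
object-group service plus a single ACE.

Added example, not from the original thread. SAMPLE_ACES is constructed
from Bob's post; the regex deliberately covers only the host->host, single
'eq' port form used there, and refuses anything else rather than guessing.
"""
import re
from collections import OrderedDict

ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp)\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"\s+eq\s+(?P<port>\d{1,5})\s*$"
)

# Constructed from the thread: Bob's seven per-port entries.
SAMPLE_ACES = """\
access-list ACL_DMZ-INET_IN extended permit tcp host x.x.x.x host b.b.b.b eq 8443
access-list ACL_DMZ-INET_IN extended permit tcp host x.x.x.x host b.b.b.b eq 8888
access-list ACL_DMZ-INET_IN extended permit tcp host x.x.x.x host b.b.b.b eq 9000
access-list ACL_DMZ-INET_IN extended permit tcp host x.x.x.x host b.b.b.b eq 8081
access-list ACL_DMZ-INET_IN extended permit tcp host x.x.x.x host b.b.b.b eq 8000
access-list ACL_DMZ-INET_IN extended permit tcp host x.x.x.x host b.b.b.b eq 1099
access-list ACL_DMZ-INET_IN extended permit tcp host x.x.x.x host b.b.b.b eq 9011
"""


def parse_aces(text):
    """Return a list of ((acl, action, proto, src, dst), port) tuples.
    An unrecognised line raises, so nothing is silently dropped from policy."""
    parsed = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError("unsupported ACE, leave it as-is: " + line)
        port = int(m.group("port"))
        if not 0 < port <= 65535:
            raise ValueError("bad port in: " + line)
        key = (m.group("acl"), m.group("action"), m.group("proto"),
               m.group("src"), m.group("dst"))
        parsed.append((key, port))
    return parsed


def collapse(parsed):
    """Group ports by (acl, action, proto, src, dst). First-seen order of
    groups and of ports is preserved; duplicate ports are dropped."""
    groups = OrderedDict()
    for key, port in parsed:
        ports = groups.setdefault(key, [])
        if port not in ports:
            ports.append(port)
    return groups


def render(group_name, key, ports, legacy=False):
    """Emit the object-group and the one ACE that replaces the per-port ACEs.
    legacy=True: pre-8.3 'port-object' group referenced as the ACE's port;
    legacy=False: 8.3+ 'service-object' group referenced as the ACE's service."""
    acl, action, proto, src, dst = key
    if legacy:
        lines = ["object-group service %s %s" % (group_name, proto)]
        lines += [" port-object eq %d" % p for p in ports]
        lines.append("access-list %s extended %s %s host %s host %s object-group %s"
                     % (acl, action, proto, src, dst, group_name))
    else:
        lines = ["object-group service %s" % group_name]
        lines += [" service-object %s destination eq %d" % (proto, p) for p in ports]
        lines.append("access-list %s extended %s object-group %s host %s host %s"
                     % (acl, action, group_name, src, dst))
    return lines


def build_config(text, group_name, legacy=False):
    """Full config for every distinct (acl, action, proto, src, dst) group;
    a second group gets the suffix _1, a third _2, and so on."""
    out = []
    for i, (key, ports) in enumerate(collapse(parse_aces(text)).items()):
        name = group_name if i == 0 else "%s_%d" % (group_name, i)
        out += render(name, key, ports, legacy)
    return out


if __name__ == "__main__":
    print("\n".join(build_config(SAMPLE_ACES, "DMZ_TO_INT_PORTS")))
    print("!")
    print("\n".join(build_config(SAMPLE_ACES, "DMZ_TO_INT_PORTS", legacy=True)))
```

Two caveats when applying the output. ACLs are first-match, so the single replacement ACE has to sit where the first of the per-port entries was: add it with `access-list NAME line N extended ...` at that position before removing the seven old entries, otherwise an earlier deny or a later overlapping permit can change what is matched. And verify the result the way Julio did, with one `packet-tracer` per port, rather than trusting the rendered text.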