Cisco Support Community

Question about port usage on ASA


I'm creating service groups, and I realized that I can have TCP, UDP, or TCP-UDP. You can only nest the same groups. (TCP can nest TCP, UDP in UDP, so on). The only way that you can mix tcp and udp port numbers is by creating the tcp-udp service group.

My question is that you can only define the ports and not the protocol that's using it. It would seem that if I put port 80 in a tcp-udp service group, that means I've opened www and udp 80.

Is this the case? Is there any other way around this? I do have groups that will require tcp and udp ports open. My only other alternative is to create the ports and then create separate ACLs to reference individual tcp and udp ports.



HTH, John *** Please rate all useful posts ***

Re: Question about port usage on ASA

Hi John,

I'm not clear on exactly what you are looking to do, but what you describe in your second paragraph is correct. If you enter a port-object of 80 in a tcp-udp group, this will open both TCP/80 and UDP/80.

In addition, the ACL that would reference this object-group does not discriminate in terms of protocols. That is to say that putting port 80 in a tcp-udp group would allow any/all traffic on TCP/80, not just HTTP traffic--the "www" is just an alias to make it easier to read the ACL statements.

Hope that helps.
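To make the difference concrete, here is an added configuration example (constructed for this page, not posted by either participant) contrasting the tcp-udp group John describes with the protocol-specific groups and separate ACL lines he proposes as the alternative; the group names, the ACL name OUTSIDE-IN and the documentation addresses 192.0.2.10 and 198.51.100.5 are assumptions.

```cisco
! Constructed example, not from the thread. 192.0.2.10 stands in for
! the real server; 198.51.100.5 for a client.
!
! --- 1. What the question describes: a tcp-udp port group ---
! The group carries no protocol, so "80" means TCP/80 AND UDP/80.
object-group service MIXED-PORTS tcp-udp
 port-object eq 80
 port-object eq 53
!
! A tcp-udp port group is paired with a protocol group that lists both
! transports (ASDM generates one named TCPUDP). The single ACE below
! therefore permits TCP/80, UDP/80, TCP/53 and UDP/53, which is wider
! than intended if only www (TCP) and DNS (UDP) were wanted.
object-group protocol TCPUDP
 protocol-object tcp
 protocol-object udp
access-list OUTSIDE-IN extended permit object-group TCPUDP any host 192.0.2.10 object-group MIXED-PORTS
!
! --- 2. The alternative from the question: protocol-specific groups,
! each referenced by its own ACE, so nothing extra is opened ---
object-group service WEB-TCP tcp
 port-object eq www
object-group service DNS-UDP udp
 port-object eq domain
access-list OUTSIDE-IN extended permit tcp any host 192.0.2.10 object-group WEB-TCP
access-list OUTSIDE-IN extended permit udp any host 192.0.2.10 object-group DNS-UDP
!
! Check what each ACE actually expands to, and test a packet that
! should be dropped (UDP/80 must not match under variant 2):
! show access-list OUTSIDE-IN
! packet-tracer input outside udp 198.51.100.5 40000 192.0.2.10 80
```

Note that "www" and "domain" are only aliases for 80 and 53; the transport restriction comes from the tcp/udp keyword on the group and on the ACE, not from the alias.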

