

Is there a way to group UDP and TCP services?

Hi there,

We're currently doing a migration from some Checkpoint firewalls to PIX 7.x. The ASDM has advanced tremendously since PDM on 6.x, and I'm starting to think it might be of value to use it, versus the CLI.

But one thing we've noticed: Checkpoint has a handy feature that allows the creation of 'service-groups' that can have both UDP and TCP services together.

This makes the Checkpoint rulebase easy to read. On the PIX at present, where it's been necessary to have both udp and tcp permitted to a destination, I've had to create 2 separate ACLs, one for udp, one for tcp.

Anyone know of a way to unite tcp and udp together in one group? I have a feeling the answer is no, as it's not possible in the CLI, and the ASDM is, I think, just a 'visualisation' of the CLI.

TIA-

Gary

5 REPLIES

Re: Is there a way to group UDP and TCP services?

Hi .. sure you can use the object group service command ( I can't remember how to do it from the GUI as I don't have it in front of me right now ). You can group udp ports, tcp ports or tcp and udp as well very similar to the way you can do it on Checkpoint.

object-group

To define object groups that you can use to optimize your configuration, use the object-group command in global configuration mode. Use the no form of this command to remove object groups from the configuration. This command supports IPv4 and IPv6 addresses.

object-group {protocol | network | icmp-type} obj_grp_id

no object-group {protocol | network | icmp-type} obj_grp_id

object-group service obj_grp_id {tcp | udp | tcp-udp}

I hope it helps ... please rate it if it does !!!


Re: Is there a way to group UDP and TCP services?

Thanks for answering, Fernando.

Let me qualify a little, I think my question was a little unclear.

On PIX, you can create a service group-object that can be either tcp, udp, or tcp-udp (where the service can use both kinds of transport).

If you create a service group object called, for example, test-group, and define this as a tcp group, you then have a couple of options:

1) you can create individual tcp service objects and embed them in the group

2) you can add another service object group to this group (for example, one called sub-group).

However, with both options 1 and 2, the elements of the group must have the same transport-type as the 'parent-group'. So, in this case, they must all be tcp.

So: if I have created a service group object called test-group, and defined this as a tcp group, I can add the following to this group:

1) individual tcp service objects (eg, tcp 80, tcp 443)

OR

2) another tcp service object group to this group (eg, one called sub-group).

However, what I can't seem to be able to do is:

Create a service group object called test-group, define this as a tcp-udp group, and add:

1) some individual tcp service objects (eg, tcp 80, tcp 443)

OR

2) another tcp service object group to this group.

As the top-level group object is tcp-udp, logically, all members of this group must also be tcp-udp.

This can be done in Checkpoint: a plain old group can be created and then any kind of service placed within it.

So, am I missing something, or can you create a group and add any kind of udp or tcp service within it?

my best regards to you-

Gary
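The structure Gary describes, written out as a PIX 7.x configuration fragment. This is an added example, not a configuration posted in the thread; the group names, the 192.0.2.10 server address and the port choices are constructed for illustration.

```text
! Added example (not from the thread). Names and addresses are constructed.
! A tcp-udp group can only hold tcp-udp members, so only ports that are
! actually served over both transports belong here.
object-group service DNS-TCPUDP tcp-udp
 port-object eq domain
! A nested group must match the parent's transport type (tcp-udp here).
object-group service SERVER-TCPUDP tcp-udp
 group-object DNS-TCPUDP
 port-object eq 389
! TCP-only ports cannot be placed in the tcp-udp group; they need a tcp group.
object-group service SERVER-TCP tcp
 port-object eq www
 port-object eq https
! As the thread concludes, one ACE per transport is still required: the
! tcp-udp group is referenced once under tcp and once under udp.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 object-group SERVER-TCPUDP
access-list OUTSIDE_IN extended permit udp any host 192.0.2.10 object-group SERVER-TCPUDP
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 object-group SERVER-TCP
access-group OUTSIDE_IN in interface outside
```

After applying it, `show access-list OUTSIDE_IN` lists the expanded entries, which is the place to confirm that both the tcp and the udp lines for the tcp-udp group are actually present.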

Re: Is there a way to group UDP and TCP services?

I don't think you're missing anything: you can't mix tcp and udp.


Re: Is there a way to group UDP and TCP services?

Thanks Grant,

again, you're on the money. There does not seem to be a way to do this. A shame, really- it would make configs a whole lot neater.

regards-


Re: Is there a way to group UDP and TCP services?

I agree that this is how it should work; however I've "played" with TCP-UDP Service Groups and it appears to me that adding a port object to TCP-UDP service groups only adds a UDP port ACL entry, it does not add both. Is this a bug or am I missing something here?
