Cisco Support Community

How to open a certain range of TCP and UDP ports on the PIX Firewall with object-groups

Core issue

Object grouping allows objects such as IP hosts, networks, protocols, ports, and Internet Control Message Protocol (ICMP) types to be collected into object groups. Once configured, an object group can be used with the standard conduit or Access Control List (ACL) PIX Firewall commands in order to reference all objects within that group. This reduces the configuration size.


In order to open a certain range of TCP or UDP ports on the PIX, define the range in a service object group and reference that group in an ACL or conduit. Refer to this configuration example:

PIX(config)#object-group service <tcp_group_name> tcp
PIX(config-service)#port-object range <begin_port_1-65535> <end_port_1-65535>
PIX(config)#object-group service <udp_group_name> udp
PIX(config-service)#port-object range <begin_port_1-65535> <end_port_1-65535>

Bind the object-groups with access-lists:

PIX(config)#access-list <acl_name> permit tcp any any object-group <tcp_group_name>
PIX(config)#access-list <acl_name> permit udp any any object-group <udp_group_name>
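
The same procedure with concrete values, as an added example that is not part of the original document. The group names, ACL name, port ranges, interface name and the 192.0.2.10 address are constructed placeholders. It also goes one step further than the template above by limiting the destination to a single host instead of "any", so the port range is only opened toward the server that needs it.

```cisco
: Constructed example values: APP-TCP, APP-UDP, OUTSIDE-IN, 192.0.2.10
: and both port ranges are placeholders, not values from the document.

: 1. Define one service object group per protocol.
object-group service APP-TCP tcp
 port-object range 8000 8010
object-group service APP-UDP udp
 port-object range 5000 5010

: 2. Reference the groups in the ACL. The destination is a single host
:    rather than "any", so only that server is reachable on these ports.
access-list OUTSIDE-IN permit tcp any host 192.0.2.10 object-group APP-TCP
access-list OUTSIDE-IN permit udp any host 192.0.2.10 object-group APP-UDP

: 3. Apply the ACL to the interface where the traffic arrives.
access-group OUTSIDE-IN in interface outside

: 4. Verify the group contents and the ACL entries with their hit counters.
show object-group
show access-list OUTSIDE-IN
```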

Refer to the Service Configuration section of Using and Configuring PIX/ASA Object Groups for more information.