I have a service object group of type 'tcp-udp'. When creating an ACL based around this, I don't have the option of type 'tcp-udp'. I'm trying to figure out what the point of tcp-udp groups is, if at the end of the day you still have to make two ACLs, one for tcp and one for udp. Is there a way to make one ACL for groups of this nature? For instance:

access-list crypto_1 extended permit ip any any object-group APP_tcp_udp_group
Mike Pennington
A L
  • What device/version are you talking about? I just checked this against my ASA 5512 and when creating an ACL I can define the service as a "tcp-udp" service. Then when I check the ASA it automagically generates separate lines:
    access-list TEST line 1 extended permit object-group TCPUDP any eq domain any eq domain (hitcnt=0) 0x3236cae4
    access-list TEST line 1 extended permit udp any eq domain any eq domain (hitcnt=0) 0x2284ad6f
    access-list TEST line 1 extended permit tcp any eq domain any eq domain (hitcnt=0) 0x46d15164
    – John Kennedy Nov 27 '13 at 15:29
  • You learn something new every day. So in the ACL type you use the object group itself? Need some time to look into it on my device. Using ASA5515 on 9.1 – A L Nov 27 '13 at 17:02

1 Answer

If you are using a Cisco PIX 6.2(2) and later or ASA 7.0 and later as your firewall you can do the following:

Create an object-group service, but don't specify tcp-udp after you name it.

Once you hit enter you will be able to use the service-object command to define what udp, tcp, or tcp-udp ports you want, as well as whether it is a source or destination port.

Then you can use that object-group after your permit/deny command when you create your ACL.

Here is what I set up in my lab:

object-group service LabTest
     service-object udp destination eq domain
     service-object tcp-udp destination eq www

access-list TestACL extended permit object-group LabTest any any

When you do a "show access-list TestACL" the following will show:

access-list TestACL line 1 extended permit object-group LabTest any any (hitcnt=0) 
access-list TestACL line 1 extended permit udp any any eq domain (hitcnt=0) 
access-list TestACL line 1 extended permit tcp any any eq www (hitcnt=0) 
access-list TestACL line 1 extended permit udp any any eq www (hitcnt=0) 

Since my service-object for destination www was tcp-udp, it created 2 lines in my ACL.

I used the following link to help create my lab: Using and Configuring PIX/ASA/FWSM Object Groups

Luke
  • Hey Luke, I've had time to implement and this was the way to go, very very cool stuff, thank you for taking the time to make a thorough answer! – A L Dec 06 '13 at 16:43
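As an added illustration (not code from the answer, and not a Cisco tool), the following Python models the expansion the answer describes: it parses an object-group service block and an ACE that references it, and returns the per-protocol entries that "show access-list" would display, with each tcp-udp service-object doubled into a tcp and a udp line. The sample configuration is constructed from the lab example above, and the "line 1" / "(hitcnt=0)" formatting mimics the output shown on this page; the hex hash shown by a real ASA is omitted.

```python
import re
# Constructed sample input, reproducing the lab configuration from the answer.
SAMPLE_CONFIG = """\
object-group service LabTest
     service-object udp destination eq domain
     service-object tcp-udp destination eq www
access-list TestACL extended permit object-group LabTest any any
"""
GROUP_RE = re.compile(r"^object-group service (\S+)$")
SVC_RE = re.compile(r"^service-object (tcp-udp|tcp|udp)(?:\s+(.+))?$")
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) object-group (\S+) "
                    r"((?:host )?\S+) ((?:host )?\S+)$")

def parse_service_groups(config):
    """Map each 'object-group service' name to its [(protocol, port qualifier)] list."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := GROUP_RE.match(line):
            current = m.group(1)
            groups[current] = []
        elif (m := SVC_RE.match(line)) and current is not None:
            groups[current].append((m.group(1), (m.group(2) or "").strip()))
        elif line:
            current = None  # any other non-blank line ends the group block
    return groups

def expand_ace(ace, groups):
    """Lines 'show access-list' displays for one object-group ACE: the summary
    line, then one line per protocol (a tcp-udp entry becomes tcp + udp)."""
    m = ACE_RE.match(ace.strip())
    if not m:
        raise ValueError("unsupported ACE: " + ace)
    acl, action, group, src, dst = m.groups()
    prefix = f"access-list {acl} line 1 extended {action}"  # ASA keeps one line number
    out = [f"{prefix} object-group {group} {src} {dst} (hitcnt=0)"]
    for proto, qual in groups[group]:
        sport = re.search(r"source eq (\S+)", qual)
        dport = re.search(r"destination eq (\S+)", qual)
        src_part = src + (f" eq {sport.group(1)}" if sport else "")
        dst_part = dst + (f" eq {dport.group(1)}" if dport else "")
        for p in (("tcp", "udp") if proto == "tcp-udp" else (proto,)):
            out.append(f"{prefix} {p} {src_part} {dst_part} (hitcnt=0)")
    return out

def expand_config(config):
    """Expand every object-group ACE in the config into the entries the ASA enforces."""
    groups = parse_service_groups(config)
    return [l for raw in config.splitlines() if " object-group " in raw
            and raw.strip().startswith("access-list") for l in expand_ace(raw, groups)]
```

Reviewing the expanded view rather than the compact ACE is the point of the exercise: every tcp-udp entry doubles the number of enforced entries, so a port you meant to open only over TCP is also open over UDP unless the service-object says tcp.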