Cisco ASA IP object vs TCP/UDP object wrt VPN Filters

Tags: cisco, cisco-asa, cisco-commands, firewall, vpn

When it comes to managing access rules in Cisco ASAs I always use ASDM because it's easier for me to visualize, troubleshoot and manage.

I recently created a VPN filter for an S2S IPsec VPN and noticed something strange. TCP/UDP object groups do not appear to work in the ACL Manager for VPN filters the way they normally do in an access rule. I had to create an IP object and specify source/dest ports instead.

Here's what the ASDM preview enters into the CLI. Keep in mind that the src/dst syntax for VPN filters is backwards.

Using a TCP object group (doesn't work):

access-list Site1_VPN_Filter line 14 extended permit tcp object-group Site2 object-group Site1 object-group rdp 

Using an IP object group (does work):

access-list Site1_VPN_Filter line 15 extended permit object rdp-vpnf object-group Site2 object-group Site1 

Object groups:

object-group service rdp tcp
 port-object eq 3389
object service rdp-vpnf
 service tcp source eq 3389 

I've used TCP and UDP object groups for years in access rules without problems until I tried to use one in an ACL for a VPN filter.

Is this just odd Cisco behavior explained by a bug/syntax error, or is there a legitimate reason it has to be this way?

Appreciate any insight!

Best Answer

In your TCP object group variant, you defined "Any TCP from Site2 to Site1 destined to TCP 3389".

The port-object variant is "TCP sourced from 3389 from Site2 to Any TCP Site1".

Since it's reversed, as you said, does this work:

access-list Site1_VPN_Filter line 14 extended permit tcp object-group Site2 object-group rdp object-group Site1 

Related feature request; hopefully they get on this soon: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsf99428

VPN Filter details for reference as well:

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc4
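A worked example of the direction rule the answer relies on, added here and not part of the original question or answer. The Python below parses the three ACEs quoted in the thread, resolves the object groups the question defines, and evaluates them the way the linked Cisco document describes a vpn-filter being applied: the ACL is written with the remote peer in the source position, and the same ACE is checked against traffic in both directions, with source and destination swapped for traffic leaving the local side. The site prefixes, the sample flows, and the assumption that Site1 is the local side of the tunnel and Site2 the remote peer are constructed for the example; the model does not claim to reproduce every detail of the ASA's ACL engine.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Network objects for the two sites: constructed, with Site1 assumed to be the
# local side of the tunnel and Site2 the remote peer.
NETWORK_GROUPS = {"Site1": [ip_network("10.1.0.0/24")],
                  "Site2": [ip_network("10.2.0.0/24")]}
# object-group service rdp tcp / port-object eq 3389 -> (proto, ports)
SERVICE_GROUPS = {"rdp": ("tcp", {3389})}
# object service rdp-vpnf / service tcp source eq 3389 -> (proto, src ports, dst ports)
SERVICE_OBJECTS = {"rdp-vpnf": ("tcp", {3389}, None)}

# The three ACEs from the thread, as ASDM previewed them.
ACE_TCP_GROUP = ("access-list Site1_VPN_Filter line 14 extended permit tcp "
                 "object-group Site2 object-group Site1 object-group rdp")
ACE_SERVICE_OBJECT = ("access-list Site1_VPN_Filter line 15 extended permit "
                      "object rdp-vpnf object-group Site2 object-group Site1")
ACE_ANSWER = ("access-list Site1_VPN_Filter line 14 extended permit tcp "
              "object-group Site2 object-group rdp object-group Site1")


@dataclass
class Ace:
    action: str
    proto: str
    src: list
    sport: Optional[set]   # None means any source port
    dst: list
    dport: Optional[set]   # None means any destination port


def _parse_addr(tokens, i):
    """Consume one address term: any | host A | object-group G | A MASK."""
    tok = tokens[i]
    if tok == "any":
        return [ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ip_network(tokens[i + 1])], i + 2
    if tok == "object-group":
        return NETWORK_GROUPS[tokens[i + 1]], i + 2
    return [ip_network(f"{tok}/{tokens[i + 1]}")], i + 2


def _parse_port(tokens, i):
    """Consume an optional port term: 'eq N' or a tcp/udp service object-group.

    The ASA decides by object type whether 'object-group X' after an address is
    a port or the next address; this does the same by looking X up."""
    if i < len(tokens) and tokens[i] == "eq":
        return {int(tokens[i + 1])}, i + 2
    if i < len(tokens) and tokens[i] == "object-group" and tokens[i + 1] in SERVICE_GROUPS:
        return SERVICE_GROUPS[tokens[i + 1]][1], i + 2
    return None, i


def parse_ace(line):
    """Parse 'access-list NAME [line N] extended ACTION PROTO SRC [SPORT] DST [DPORT]'."""
    tokens = line.split()
    i = tokens.index("extended") + 1
    action, i = tokens[i], i + 1
    sport = dport = None
    if tokens[i] == "object":            # a service object supplies protocol and ports
        proto, sport, dport = SERVICE_OBJECTS[tokens[i + 1]]
        i += 2
    else:
        proto, i = tokens[i], i + 1
    src, i = _parse_addr(tokens, i)
    ports, i = _parse_port(tokens, i)
    sport = sport if ports is None else ports
    dst, i = _parse_addr(tokens, i)
    ports, i = _parse_port(tokens, i)
    dport = dport if ports is None else ports
    return Ace(action, proto, src, sport, dst, dport)


def ace_matches(ace, proto, sip, sport, dip, dport):
    """Match a flow against one ACE exactly as written, with no swapping."""
    if ace.proto not in ("ip", proto):
        return False
    if not (any(sip in n for n in ace.src) and any(dip in n for n in ace.dst)):
        return False
    if ace.sport is not None and sport not in ace.sport:
        return False
    return ace.dport is None or dport in ace.dport


def vpn_filter_permits(aces, proto, sip, sport, dip, dport):
    """Evaluate a vpn-filter ACL against a flow: first match wins, implicit deny.

    Per the Cisco document linked in the answer, the ACL is written with the
    remote peer as source and the same ACE filters both directions: traffic from
    the remote peer is matched as written, traffic from the local side is matched
    with source and destination (addresses and ports) swapped."""
    sip, dip = ip_address(sip), ip_address(dip)
    for ace in aces:
        if (ace_matches(ace, proto, sip, sport, dip, dport)
                or ace_matches(ace, proto, dip, dport, sip, sport)):
            return ace.action == "permit"
    return False


if __name__ == "__main__":
    aces = [("tcp-group", ACE_TCP_GROUP), ("service-object", ACE_SERVICE_OBJECT),
            ("answer", ACE_ANSWER)]
    # Constructed flows: a local RDP client reaching a remote server, and the reverse.
    flows = [("local->remote:3389", ("tcp", "10.1.0.50", 50000, "10.2.0.10", 3389)),
             ("remote->local:3389", ("tcp", "10.2.0.10", 51000, "10.1.0.50", 3389))]
    for fname, flow in flows:
        for aname, text in aces:
            print(f"{fname:20} {aname:15} permit={vpn_filter_permits([parse_ace(text)], *flow)}")
```

Run as a script, it shows the point of the thread: for a local client connecting out to a remote RDP server, the ACE with the port group in the destination position never matches (after the swap the destination port is the client's ephemeral port), while both the `object rdp-vpnf` line and the answer's source-port line do. For the opposite direction, a remote client reaching a local RDP server, only the destination-port ACE matches, so which form is right depends on which side hosts the RDP servers, not on a bug in how object groups are handled.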