I have a service object group of type 'tcp-udp'. When creating an ACL based around this, I don't have the option of type 'tcp-udp'. I'm trying to figure out what the point of tcp-udp groups is, if at the end of the day you still have to make two ACLs, one for tcp and one for udp. Is there a way to make one ACL for groups of this nature, for instance:
access-list crypto_1 extended permit ip any any object-group APP_tcp_udp_group
Best Answer
If you are using a Cisco PIX 6.2(2) and later or ASA 7.0 and later as your firewall you can do the following:
Create an object-group service, but don't specify tcp-udp after you name it.
Once you hit enter you will be able to use the service-object command to define what udp, tcp, or tcp-udp ports you want, as well as if it is a source or destination port.
Then you can use that object-group after your permit/deny command when you create your ACL.
Here is what I set up in my lab:
When you do a "show access-list TestACL" the following will show:
Since my service-object for destination www was tcp-udp, it created 2 lines in my ACL.
I used the following link to help create my lab: Using and Configuring PIX/ASA/FWSM Object Groups
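The three steps in the answer above, written out as a configuration fragment. This is an added illustration, not the answerer's lab config (which is not reproduced on the page): the group name APP_SVC, the ACL name TestACL and the ports 443 and 53 are constructed, and the service-object syntax shown is the ASA enhanced service object-group form, which you should confirm against the command reference for your own PIX/ASA release.

```cisco
! Added example; names and ports are assumptions, not taken from the original post.
! Step 1: create the service group WITHOUT a protocol keyword after the name.
object-group service APP_SVC
! Step 2: each member carries its own protocol; tcp-udp covers both in one entry.
 service-object tcp destination eq 443
 service-object tcp-udp destination eq domain
!
! Step 3: the service group takes the protocol position of the ACE, so a single
! line permits every protocol/port pair defined in the group.
access-list TestACL extended permit object-group APP_SVC any any
```

After this is applied, `show access-list TestACL` expands the group: the tcp-udp member becomes separate tcp and udp entries with their own hit counts, which is the two-line expansion the answer describes. The benefit for anyone maintaining the policy is that the ports live in one place, so a later change to APP_SVC updates both the tcp and udp entries together instead of leaving two hand-written ACLs to drift apart.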