Cisco – How to use tcp-udp objects in a single ACL

Tags: acl, cisco, cisco-asa, firewall

I have a service object group of type 'tcp-udp'. When creating an ACL based around this, I don't have the option of type 'tcp-udp'. I'm trying to figure out what the point of tcp-udp groups is, if at the end of the day you still have to make two ACLs, one for tcp and one for udp. Is there a way to make one ACL for groups of this nature? For instance:

access-list crypto_1 extended permit ip any any object-group APP_tcp_udp_group

Best Answer

If you are using a Cisco PIX 6.2(2) and later or ASA 7.0 and later as your firewall, you can do the following:

Create an object-group service, but don't specify tcp-udp after you name it.

Once you hit enter you will be able to use the service-object command to define what udp, tcp, or tcp-udp ports you want, as well as if it is a source or destination port.

Then you can use that object-group after your permit/deny command when you create your ACL.

Here is what I set up in my lab:

object-group service LabTest
     service-object udp destination eq domain
     service-object tcp-udp destination eq www

access-list TestACL extended permit object-group LabTest any any

When you do a "show access-list TestACL" the following will show:

access-list TestACL line 1 extended permit object-group LabTest any any (hitcnt=0)
access-list TestACL line 1 extended permit udp any any eq domain (hitcnt=0)
access-list TestACL line 1 extended permit tcp any any eq www (hitcnt=0)
access-list TestACL line 1 extended permit udp any any eq www (hitcnt=0)

Since my service-object for destination www was tcp-udp, it created 2 lines in my ACL.

I used the following link to help create my lab: Using and Configuring PIX/ASA/FWSM Object Groups
