https://community.cisco.com/t5/network-security/implementing-quot-object-group-service-quot/m-p/2432385#M270364 <P>Running 8.2(3) on an ASA 5510</P><P></P><P>I have created the two following object groups. </P><P></P><P><SPAN style="font-family: courier new,courier;">object-group service gatewayTCP tcp</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object eq 88</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object eq 135</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object eq 445</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object eq ldaps</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object eq 3268</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object eq 3269</SPAN></P><P><SPAN style="font-family: courier new,courier;">object-group service gatewayTCP-UDP tcp-udp</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object eq domain</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object eq 389</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object eq 464</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object range 49152 65535</SPAN></P><P></P><P>I have run into an issue with "domain" working in the tcp-udp type. The following access-list does not work without explicitly calling out "domain" for both TCP and UDP. Everywhere I looked I appear to be doing it right so what am I missing. Does "permit tcp" need to be "permit ip" to cover both tcp and udp? I found one article with someone suggestiong just make it "permit tcp" and it will work. Not in a position to test at the moment so figured I'd ask here. Want to be sure I'm not getting bit anywhere else related to these object groups in case I am not implementing them correctly? </P><P></P><P><SPAN style="font-family: courier new,courier;">access-list dmzAccess extended permit tcp host 172.26.11.10 host 10.16.11.203 object-group gatewayTCP</SPAN></P><P><SPAN style="font-family: courier new,courier;">access-list dmzAccess extended permit tcp host 172.26.11.10 host 10.16.11.203 object-group gatewayTCP-UDP</SPAN></P><P></P><P>Is this a bug with service object groups? Is there some place I need to enable this feature? </P> Tue, 12 Mar 2019 03:39:52 GMT Tyler Woods 2019-03-12T03:39:52Z https://community.cisco.com/t5/network-security/implementing-quot-object-group-service-quot/m-p/2432385#M270364 <P>Running 8.2(3) on an ASA 5510</P><P></P><P>I have created the two following object groups. </P><P></P><P><SPAN style="font-family: courier new,courier;">object-group service gatewayTCP tcp</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object eq 88</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object eq 135</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object eq 445</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object eq ldaps</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object eq 3268</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object eq 3269</SPAN></P><P><SPAN style="font-family: courier new,courier;">object-group service gatewayTCP-UDP tcp-udp</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object eq domain</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object eq 389</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object eq 464</SPAN></P><P><SPAN style="font-family: courier new,courier;"> port-object range 49152 65535</SPAN></P><P></P><P>I have run into an issue with "domain" working in the tcp-udp type. The following access-list does not work without explicitly calling out "domain" for both TCP and UDP. Everywhere I looked I appear to be doing it right so what am I missing. Does "permit tcp" need to be "permit ip" to cover both tcp and udp? I found one article with someone suggestiong just make it "permit tcp" and it will work. Not in a position to test at the moment so figured I'd ask here. Want to be sure I'm not getting bit anywhere else related to these object groups in case I am not implementing them correctly? </P><P></P><P><SPAN style="font-family: courier new,courier;">access-list dmzAccess extended permit tcp host 172.26.11.10 host 10.16.11.203 object-group gatewayTCP</SPAN></P><P><SPAN style="font-family: courier new,courier;">access-list dmzAccess extended permit tcp host 172.26.11.10 host 10.16.11.203 object-group gatewayTCP-UDP</SPAN></P><P></P><P>Is this a bug with service object groups? Is there some place I need to enable this feature? </P> Tue, 12 Mar 2019 03:39:52 GMT https://community.cisco.com/t5/network-security/implementing-quot-object-group-service-quot/m-p/2432385#M270364 Tyler Woods 2019-03-12T03:39:52Z https://community.cisco.com/t5/network-security/implementing-quot-object-group-service-quot/m-p/2432386#M270369 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Have you tried configuring it like this</P><P></P><P><STRONG>object-group service GATEWAY-SERVICES</STRONG></P><P><STRONG> service-object tcp eq 88</STRONG></P><P><STRONG> service-object tcp eq 135</STRONG></P><P><STRONG> service-object tcp eq 445</STRONG></P><P><STRONG> service-object tcp eq ldaps</STRONG></P><P><STRONG> service-object tcp eq 3268</STRONG></P><P><STRONG> service-object tcp eq 3269</STRONG></P><P><STRONG> service-object tcp eq 53</STRONG></P><P><STRONG> service-object udp eq 53</STRONG></P><P><STRONG> service-object tcp eq 389</STRONG></P><P><STRONG> service-object udp eq 389</STRONG></P><P><STRONG> service-object tcp eq 464</STRONG></P><P><STRONG> service-object udp eq 464</STRONG></P><P><STRONG> service-object tcp range 49152 65535</STRONG></P><P><STRONG> service-object udp eq 49152 65535</STRONG></P><P></P><P><STRONG>access-list dmzAccess permit object-group GATEWAY-SERVICES host 172.26.11.10 host 10.16.11.203</STRONG></P><P></P><P>I am not sure if it was only after software 8.3+ that the command under the actual <STRONG>"object-group"</STRONG> was of format <STRONG>"service-object tcp source" / "service-object tcp destination"</STRONG> (or the same for UDP)</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 03 Feb 2014 23:19:31 GMT https://community.cisco.com/t5/network-security/implementing-quot-object-group-service-quot/m-p/2432386#M270369 Jouni Forss 2014-02-03T23:19:31Z https://community.cisco.com/t5/network-security/implementing-quot-object-group-service-quot/m-p/2432387#M270374 <HTML><HEAD></HEAD><BODY><P>I did not. My ASA appears to be taking those commands without issue. Will give that a try and report back. Thank you.</P></BODY></HTML> Mon, 03 Feb 2014 23:24:53 GMT https://community.cisco.com/t5/network-security/implementing-quot-object-group-service-quot/m-p/2432387#M270374 Tyler Woods 2014-02-03T23:24:53Z