https://community.cisco.com/t5/network-security/object-group/m-p/2313171#M311659 <HTML><HEAD></HEAD><BODY><P>Hello Bob,</P><P></P><P>Let's say I have an internal server with IP address of 2.2.2.3</P><P></P><P>object-group service TEST</P><P> service-object tcp destination eq 8888</P><P> service-object tcp destination eq 8081</P><P></P><P>access-list Out-In extended permit object-group TEST any host 2.2.2.3</P><P></P><P>access-group Out-In in interface Outside</P><P></P><P></P><P>ciscoasa(config)# packet-tracer input outside tcp 4.2.2.2 1025&nbsp; 2.2.2.3 8888</P><P></P><P></P><P>Phase: 1</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 2.2.2.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 255.255.255.0&nbsp;&nbsp; Inside_1</P><P></P><P></P><P>Phase: 2</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group Out-In in interface Outside</P><P>access-list Out-In extended permit object-group TEST any host 2.2.2.3</P><P>object-group service TEST</P><P> service-object tcp destination eq 8888</P><P> service-object tcp destination eq 8081</P><P>Additional Information:</P><P></P><P></P><P>Phase: 3</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 4</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 5</P><P>Type: FLOW-CREATION</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>New flow created with id 2, packet dispatched to next module</P><P></P><P></P><P>Result:</P><P>input-interface: Outside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: Inside_1</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: allow</P><P></P><P>That's it!! And remember to register on my website for more information </P><P></P><P></P><P>For more information about Core and Security Networking follow my website at <STRONG><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A><SPAN> </SPAN></STRONG><BR /> <BR /><SPAN>Any question contact me at </SPAN><A class="jive-link-email-small" href="mailto:jcarvaja@laguiadelnetworking.com">jcarvaja@laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR />Cheers, <BR /> <BR />Julio Carvajal Segura</P></BODY></HTML> Wed, 02 Oct 2013 17:27:42 GMT Julio Carvajal 2013-10-02T17:27:42Z https://community.cisco.com/t5/network-security/object-group/m-p/2313169#M311657 <P>Thanks for reading!</P><P></P><P>I want to organize these tcp ports into an object group on my ASA5520.&nbsp; The ACLs are organized and I want to keep it that way.&nbsp; The only option I know of is to enter the rule 7 times - doh!</P><P></P><P>8443<BR />8888<BR />9000<BR />8081<BR />8000<BR />1099<BR />9011</P><P></P><P><EM>Seems </EM>like it should be easy but I'm just not getting the right search string to find an answer.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P>Thanks,</P><P>Bob</P> Tue, 12 Mar 2019 02:46:16 GMT https://community.cisco.com/t5/network-security/object-group/m-p/2313169#M311657 Bob Greer 2019-03-12T02:46:16Z https://community.cisco.com/t5/network-security/object-group/m-p/2313170#M311658 <HTML><HEAD></HEAD><BODY><P>I am not quiet understanding your question… so you have an acl applied on an interface already and you don’t want it to be changed? By change you mean the order of actual acls entries?</P></BODY></HTML> Wed, 02 Oct 2013 17:16:45 GMT https://community.cisco.com/t5/network-security/object-group/m-p/2313170#M311658 Saqib Raza 2013-10-02T17:16:45Z https://community.cisco.com/t5/network-security/object-group/m-p/2313171#M311659 <HTML><HEAD></HEAD><BODY><P>Hello Bob,</P><P></P><P>Let's say I have an internal server with IP address of 2.2.2.3</P><P></P><P>object-group service TEST</P><P> service-object tcp destination eq 8888</P><P> service-object tcp destination eq 8081</P><P></P><P>access-list Out-In extended permit object-group TEST any host 2.2.2.3</P><P></P><P>access-group Out-In in interface Outside</P><P></P><P></P><P>ciscoasa(config)# packet-tracer input outside tcp 4.2.2.2 1025&nbsp; 2.2.2.3 8888</P><P></P><P></P><P>Phase: 1</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 2.2.2.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 255.255.255.0&nbsp;&nbsp; Inside_1</P><P></P><P></P><P>Phase: 2</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group Out-In in interface Outside</P><P>access-list Out-In extended permit object-group TEST any host 2.2.2.3</P><P>object-group service TEST</P><P> service-object tcp destination eq 8888</P><P> service-object tcp destination eq 8081</P><P>Additional Information:</P><P></P><P></P><P>Phase: 3</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 4</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 5</P><P>Type: FLOW-CREATION</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>New flow created with id 2, packet dispatched to next module</P><P></P><P></P><P>Result:</P><P>input-interface: Outside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: Inside_1</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: allow</P><P></P><P>That's it!! And remember to register on my website for more information </P><P></P><P></P><P>For more information about Core and Security Networking follow my website at <STRONG><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A><SPAN> </SPAN></STRONG><BR /> <BR /><SPAN>Any question contact me at </SPAN><A class="jive-link-email-small" href="mailto:jcarvaja@laguiadelnetworking.com">jcarvaja@laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR />Cheers, <BR /> <BR />Julio Carvajal Segura</P></BODY></HTML> Wed, 02 Oct 2013 17:27:42 GMT https://community.cisco.com/t5/network-security/object-group/m-p/2313171#M311659 Julio Carvajal 2013-10-02T17:27:42Z https://community.cisco.com/t5/network-security/object-group/m-p/2313172#M311660 <HTML><HEAD></HEAD><BODY><P>Hi Saqib,</P><P></P><P>Thanks for taking the time to read and answer!</P><P></P><P>What I'm trying to do is add a new rule allowing a DMZ server (x.x.x.x) to connect to an internal server (b.b.b.b) over a handful of tcp ports.&nbsp; I could enter&nbsp; (basically) the same command 7 times,</P><P></P><P>access-list ACL_DMZ-INET_IN extended permit tcp host x.x.x.x host b.b.b.b eq 8443<BR />access-list ACL_DMZ-INET_IN extended permit tcp host x.x.x.x host b.b.b.b eq 8888<BR />...</P><P>access-list ACL_DMZ-INET_IN extended permit tcp host x.x.x.x host b.b.b.b eq 9011</P><P></P><P>only changing the permitted port.&nbsp; I'm hoping there's an option to aggregate the tcp ports into some kind of group and then invoke the group in only one new ACL rule.&nbsp; That way, I keep the list 6 lines shorter.</P><P></P><P>That's really my goal (apart from making the stuff work - heh): adding fewer lines to the ACL</P><P></P><P>Thanks again,<BR />Bob</P></BODY></HTML> Wed, 02 Oct 2013 18:59:55 GMT https://community.cisco.com/t5/network-security/object-group/m-p/2313172#M311660 Bob Greer 2013-10-02T18:59:55Z https://community.cisco.com/t5/network-security/object-group/m-p/2313173#M311661 <HTML><HEAD></HEAD><BODY><P>Hi Julio,</P><P></P><P>Thanks for taking time to generate this example.&nbsp; Sorry to be obtuse: could you dumb this down a little?</P><P>I think I'm seeeing object-group service TEST is where I'd create 7 service objects?</P><P></P><P>service-object tcp destination eq 8443<BR />service-object tcp destination eq 8888<BR />service-object tcp destination eq 9000<BR />service-object tcp destination eq 8081<BR />service-object tcp destination eq 8000<BR />service-object tcp destination eq 1099<BR />service-object tcp destination eq 9011</P><P></P><P>And then invoke the object-group like so:</P><P></P><P>access-list MY_NAMED_ACL extended permit object-group TEST DMZ_SERVER host 2.2.2.3</P><P></P><P>Am I correct?</P><P>Thanks again!<BR />Bob</P></BODY></HTML> Wed, 02 Oct 2013 19:14:04 GMT https://community.cisco.com/t5/network-security/object-group/m-p/2313173#M311661 Bob Greer 2013-10-02T19:14:04Z https://community.cisco.com/t5/network-security/object-group/m-p/2313174#M311662 <HTML><HEAD></HEAD><BODY><P>Hi Bob,</P><P></P><P>No problem that's what we are here to help <SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/grin.gif"></SPAN></P><P></P><P>Exactly you got it my friend.</P><P></P><P>Let me know how it goes and remember to subscribe to my website for future documentation such as the one I exposed here</P><P></P><P><SPAN>For more information about Core and Security Networking follow my website at </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR /><SPAN>Any question contact me at </SPAN><A class="jive-link-email-small" href="mailto:jcarvaja@laguiadelnetworking.com">jcarvaja@laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR />Cheers, <BR /> <BR />Julio Carvajal Segura</P></BODY></HTML> Wed, 02 Oct 2013 19:18:47 GMT https://community.cisco.com/t5/network-security/object-group/m-p/2313174#M311662 Julio Carvajal 2013-10-02T19:18:47Z