https://community.cisco.com/t5/network-security/firewall-rule-interpretation/m-p/1650435#M593947 <HTML><HEAD></HEAD><BODY><P>So in this case, what benefit do I get from using enhanced service objects? Since I am only using port 80, 443 I could have used a protocol specific service object as indicated below, correct?</P><P></P><P>object-group service test tcp</P><P>port-object eq 80</P><P>port-object eq 443</P><P></P><P>So now I know the configuration I listed in my original post works, but again, am I really deriving any benefit from doing it that way? My guess is no. What do you think?</P></BODY></HTML> Tue, 18 Jan 2011 21:07:23 GMT ksarin123_2 2011-01-18T21:07:23Z https://community.cisco.com/t5/network-security/firewall-rule-interpretation/m-p/1650433#M593936 <DIV class="postbody">Hello All,<P></P>Can someone please explain this rule configured in a Cisco ASA firewall? Apparently, this rule was written to allow Internet access to a CORP office.<P></P>access-list CORP-IN extended permit object-group Web-Ports object CORP-USER-NET any<P></P>object-group service Web-Ports<BR />description Server access to internet ports<BR />service-object tcp destination eq www <BR />service-object tcp destination eq https<P></P>object network CORP-USER-NET <BR />subnet 10.218.0.0 255.255.255.128<BR />description CORP - User Network<P></P>Per my understanding, it should be configured as follows:<P></P>access-list CORP-IN extended permit object CORP-USER-NET any object-group Web-Ports.<P></P>To me, its almost configured backwards. But it's working, since users are able to get internet access. Can someone explain this?</DIV> Mon, 11 Mar 2019 19:36:53 GMT https://community.cisco.com/t5/network-security/firewall-rule-interpretation/m-p/1650433#M593936 ksarin123_2 2019-03-11T19:36:53Z https://community.cisco.com/t5/network-security/firewall-rule-interpretation/m-p/1650434#M593941 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Since your object-group Web-Ports consists of service objects, the way it is configured seems to be correct. You can check the access-list by issuing "show access-list CORP-IN" command.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml#serv">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml#serv</A></P><P></P><P>Hope this helps.</P><P></P><P>Regards,</P><P></P><P>NT</P></BODY></HTML> Tue, 18 Jan 2011 20:36:33 GMT https://community.cisco.com/t5/network-security/firewall-rule-interpretation/m-p/1650434#M593941 Nagaraja Thanthry 2011-01-18T20:36:33Z https://community.cisco.com/t5/network-security/firewall-rule-interpretation/m-p/1650435#M593947 <HTML><HEAD></HEAD><BODY><P>So in this case, what benefit do I get from using enhanced service objects? Since I am only using port 80, 443 I could have used a protocol specific service object as indicated below, correct?</P><P></P><P>object-group service test tcp</P><P>port-object eq 80</P><P>port-object eq 443</P><P></P><P>So now I know the configuration I listed in my original post works, but again, am I really deriving any benefit from doing it that way? My guess is no. What do you think?</P></BODY></HTML> Tue, 18 Jan 2011 21:07:23 GMT https://community.cisco.com/t5/network-security/firewall-rule-interpretation/m-p/1650435#M593947 ksarin123_2 2011-01-18T21:07:23Z https://community.cisco.com/t5/network-security/firewall-rule-interpretation/m-p/1650436#M593954 <HTML><HEAD></HEAD><BODY><P>In your case, you are not getting any advantage. The enhanced service object is used when you need to group multiple protocols and ports into one group.</P><P></P><P>Hope this helps.</P><P></P><P>Regards,</P><P></P><P>NT</P></BODY></HTML> Tue, 18 Jan 2011 21:09:09 GMT https://community.cisco.com/t5/network-security/firewall-rule-interpretation/m-p/1650436#M593954 Nagaraja Thanthry 2011-01-18T21:09:09Z