https://community.cisco.com/t5/network-security/access-lists-with-tpc-udp-object-group/m-p/1263678#M857904 <HTML><HEAD></HEAD><BODY><P>These are the guidelines.. you can create service group that includes tcp-udp ports but when creating the access list for example an inbound acl you must specify in your permit rule either udp or tcp, so you will need two access-list for each the udp and tcp protocol using same sevrice tcp-udp group.</P><P></P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1750094" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1750094</A></P><P></P><P>Regards</P><P></P></BODY></HTML> Thu, 01 Oct 2009 21:44:27 GMT JORGE RODRIGUEZ 2009-10-01T21:44:27Z https://community.cisco.com/t5/network-security/access-lists-with-tpc-udp-object-group/m-p/1263677#M857903 <P>I am converting from my pix to a ASA 5505.</P><P></P><P>I am having issues making an access list that includes a tcp-udp object-group. </P><P></P><P>Is there a recommended practice for doing this? </P><P></P><P></P> Mon, 11 Mar 2019 16:22:13 GMT https://community.cisco.com/t5/network-security/access-lists-with-tpc-udp-object-group/m-p/1263677#M857903 jsaumer2006 2019-03-11T16:22:13Z https://community.cisco.com/t5/network-security/access-lists-with-tpc-udp-object-group/m-p/1263678#M857904 <HTML><HEAD></HEAD><BODY><P>These are the guidelines.. you can create service group that includes tcp-udp ports but when creating the access list for example an inbound acl you must specify in your permit rule either udp or tcp, so you will need two access-list for each the udp and tcp protocol using same sevrice tcp-udp group.</P><P></P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1750094" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1750094</A></P><P></P><P>Regards</P><P></P></BODY></HTML> Thu, 01 Oct 2009 21:44:27 GMT https://community.cisco.com/t5/network-security/access-lists-with-tpc-udp-object-group/m-p/1263678#M857904 JORGE RODRIGUEZ 2009-10-01T21:44:27Z https://community.cisco.com/t5/network-security/access-lists-with-tpc-udp-object-group/m-p/1263679#M857905 <HTML><HEAD></HEAD><BODY><P>When I try and make the access list entry it is giving me the following error message in the ASDM</P><P></P><P>[ERROR] access-list outside_access_in line 4 extended permit object-group Test_Group object-group Test host xxx.xx.xx.xxx</P><P> specified object group <TEST_GROUP> has wrong type; expecting protocol type</TEST_GROUP></P><P></P><P>The object-group Test is in the config as the following:</P><P></P><P>object-group service Test tcp-udp</P><P> port-object range 20 21</P><P> port-object eq 22</P><P> port-object eq 55</P><P> port-object eq 5631</P><P> port-object eq 5632</P><P> port-object range 9500 9505</P><P> port-object eq www</P><P></P><P>The Test group is made as the following:</P><P></P><P>object-group network Test_Group</P><P> network-object host Test_3</P><P> network-object host Test_2</P><P> network-object host Test_1</P><P> network-object host Test_4</P><P></P><P></P><P>Thanks in advance</P><P></P></BODY></HTML> Fri, 02 Oct 2009 01:02:39 GMT https://community.cisco.com/t5/network-security/access-lists-with-tpc-udp-object-group/m-p/1263679#M857905 jsaumer2006 2009-10-02T01:02:39Z https://community.cisco.com/t5/network-security/access-lists-with-tpc-udp-object-group/m-p/1263680#M857907 <HTML><HEAD></HEAD><BODY><P>You don't defined in your post where network group hosts are comming from nor where is xxx.xxx.xxx.xxx host, but looking at your acl name outside_access_in I will assume xxx.xxx.xxx.xxx is an inside host and your network group are hosts from the outside , the inbound rule will read as:</P><P></P><P>access-list outside_access_in extended permit tcp object-group Test_Group host xxx.xxx.xxx.xxx object-group Test </P><P>access-list outside_access_in extended permit udp object-group Test_Group host xxx.xxx.xxx.xxx object-group Test </P><P></P><P></P><P>in above permit tcp and upd inbound rules example you must use <B>network</B> object group follow by destination host inside xxx.xxx.xxx.xxx follow by <B>service</B> tcp-udp test object-group </P><P></P></BODY></HTML> Fri, 02 Oct 2009 02:36:32 GMT https://community.cisco.com/t5/network-security/access-lists-with-tpc-udp-object-group/m-p/1263680#M857907 JORGE RODRIGUEZ 2009-10-02T02:36:32Z https://community.cisco.com/t5/network-security/access-lists-with-tpc-udp-object-group/m-p/1263681#M857909 <HTML><HEAD></HEAD><BODY><P>I think my problem was that I was using the ASDM top put in the rules.</P><P></P><P>Using the command line, I didn't have any issues.</P><P></P><P>Thanks for the guidance.</P></BODY></HTML> Fri, 02 Oct 2009 12:30:38 GMT https://community.cisco.com/t5/network-security/access-lists-with-tpc-udp-object-group/m-p/1263681#M857909 jsaumer2006 2009-10-02T12:30:38Z https://community.cisco.com/t5/network-security/access-lists-with-tpc-udp-object-group/m-p/1263682#M857911 <HTML><HEAD></HEAD><BODY><P>Jayson, glad worked out .. PLS rate helpful post if helped.</P><P></P><P>Regards</P><P></P></BODY></HTML> Fri, 02 Oct 2009 12:56:02 GMT https://community.cisco.com/t5/network-security/access-lists-with-tpc-udp-object-group/m-p/1263682#M857911 JORGE RODRIGUEZ 2009-10-02T12:56:02Z