https://community.cisco.com/t5/network-security/use-of-tcp-udp-service-groups-in-asdm/m-p/975257#M918241 <P>Hi</P><P></P><P>I use a Cisco ASDM 5.2F for ASDM.</P><P>There is the possibility of defining TCP-UDP Service Groups. What's the use of this? I've tried it out and failed. Whenever you create an access rule you have to define either whether it's TCP or UDP (or IP, or ICMP). If you define an access rule for TCP then the UDP protocols won't work and vice versa. </P><P>I've successfully been using TCP-UDP-Groups on Checkpoint Firewalls, but in Cisco ASDM it seems futile. </P> Tue, 26 Mar 2019 00:40:17 GMT Beat.Traber 2019-03-26T00:40:17Z https://community.cisco.com/t5/network-security/use-of-tcp-udp-service-groups-in-asdm/m-p/975257#M918241 <P>Hi</P><P></P><P>I use a Cisco ASDM 5.2F for ASDM.</P><P>There is the possibility of defining TCP-UDP Service Groups. What's the use of this? I've tried it out and failed. Whenever you create an access rule you have to define either whether it's TCP or UDP (or IP, or ICMP). If you define an access rule for TCP then the UDP protocols won't work and vice versa. </P><P>I've successfully been using TCP-UDP-Groups on Checkpoint Firewalls, but in Cisco ASDM it seems futile. </P> Tue, 26 Mar 2019 00:40:17 GMT https://community.cisco.com/t5/network-security/use-of-tcp-udp-service-groups-in-asdm/m-p/975257#M918241 Beat.Traber 2019-03-26T00:40:17Z https://community.cisco.com/t5/network-security/use-of-tcp-udp-service-groups-in-asdm/m-p/975258#M918242 <HTML><HEAD></HEAD><BODY><P>This feature was introduced 'in parity' of Checkpoint only, as per the ASA 8.0 TAC training.</P><P></P><P>I'm not really that good with ASDM, but here is how you can configure them on the CLI (and no there are not futile, pretty useful actually):</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml#serv" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml#serv</A></P><P></P><P>Note: Enhanced service object-groups were introduced with the release of software version 8.0. Enhanced service object-groups enable the ASA/PIX to combine IP protocols together in the same service group, which eliminates the need for protocol and icmp-type specific object groups. The protocol type must not be specified in order to configure an enhanced service object-group</P><P></P><P>Btw are you using an ASA or a FWSM? Is'nt ASDM 5.2F supposed to be for the FWSM?</P><P></P><P>Regards</P><P></P><P>Farrukh</P><P></P></BODY></HTML> Tue, 17 Jun 2008 09:37:48 GMT https://community.cisco.com/t5/network-security/use-of-tcp-udp-service-groups-in-asdm/m-p/975258#M918242 Farrukh Haroon 2008-06-17T09:37:48Z https://community.cisco.com/t5/network-security/use-of-tcp-udp-service-groups-in-asdm/m-p/975259#M918243 <HTML><HEAD></HEAD><BODY><P>Thanks a lot, and yes, of course I'm using ASDM on top of a FWSM.</P><P>I'll try and configure it on the CLI.</P></BODY></HTML> Tue, 17 Jun 2008 09:44:58 GMT https://community.cisco.com/t5/network-security/use-of-tcp-udp-service-groups-in-asdm/m-p/975259#M918243 Beat.Traber 2008-06-17T09:44:58Z https://community.cisco.com/t5/network-security/use-of-tcp-udp-service-groups-in-asdm/m-p/975260#M918244 <HTML><HEAD></HEAD><BODY><P>I'm sorry I did not read your post carefully the first time. I don't think the feature mentioned in the link is supported on the FWSM.</P><P></P><P>Regard what you are trying to achive, this is from one of my earlier posts:</P><P></P><P>When you define the object-group using both the tcp-udp keyword, there is no real security issue here. Because service type object-group is just defining the ports, you would still need two seperate ACLs here, for example: </P><P></P><P>access-list 100 permit tcp any host 5.5.5.5 object-group ntp</P><P>access-list 100 permit udp any host 5.5.5.5 object-group ntp</P><P></P><P>Of course you could make a separate protocol object-group to combine both tcp and udp into one (I do this at work), for example</P><P></P><P>object-group protocol TCP-UDP</P><P>protocol-object udp</P><P>protocol-object tcp</P><P></P><P>This would make above ACL like this:</P><P></P><P>access-list 100 permit object-group tcp-udp any host 5.5.5.5 object-group ntp</P><P></P><P>HTH</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Tue, 17 Jun 2008 10:32:34 GMT https://community.cisco.com/t5/network-security/use-of-tcp-udp-service-groups-in-asdm/m-p/975260#M918244 Farrukh Haroon 2008-06-17T10:32:34Z