https://community.cisco.com/t5/network-security/syntax-for-access-list-object-group-tcp-udp/m-p/825740#M974348 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Even though you have both TCP and UDP Port Range defined in the Ojbject-Group called Oracle_forms, the Access-list "outside_cryptomap_1" is permitting only TCP which is OK as far as you want to permit only TCP. </P><P></P><P>If you want to permit only UDP, then the access-list entry for "outside_cryptomap_1" should be "access-list outside_cryptomap_1 permit udp object-group Sever_Access object-group Server_VPN object-group Oracle_forms"</P><P></P><P>If you want to permit both TCP and UDP, then you need two access-list. </P><P></P><P>access-list outside_cryptomap_1 permit tcp object-group Sever_Access object-group Server_VPN object-group Oracle_forms </P><P></P><P>access-list outside_cryptomap_1 permit udp object-group Sever_Access object-group Server_VPN object-group Oracle_forms </P><P></P><P>The idea behind service object group with option tcp-udp in object-group command is</P><P>that we don't need to specify object-group command separately for tcp and udp. Its just to avoid duplication of effort. If we don't use tcp-udp we need to specify 2 service object groups one for tcp and one for udp. </P><P></P><P>For example,</P><P></P><P>object-group service TCP-PORTS tcp</P><P> port-object range 9000 9010</P><P></P><P>object-group service UDP-PORTS udp</P><P> port-object range 9000 9010</P><P></P><P>I hope it helps.</P><P></P><P>Regards,</P><P>Arul</P><P></P><P>** Please rate all helpful posts **</P></BODY></HTML> Wed, 26 Sep 2007 14:09:59 GMT ajagadee 2007-09-26T14:09:59Z https://community.cisco.com/t5/network-security/syntax-for-access-list-object-group-tcp-udp/m-p/825739#M974343 <P>Hi</P><P></P><P>I have a number of object groups set-up on a PIX and I have a question regarding the access-list syntax</P><P></P><P>object-group service Oracle_forms tcp-udp</P><P> description Oracle Forms Ports</P><P> port-object range 9000 9010</P><P></P><P></P><P>access-list outside_cryptomap_1 permit tcp object-group Sever_Access object-group Server_VPN object-group Oracle_forms </P><P></P><P>The other object-groups are defined bu where the service group details a range of ports which may be TCP and or UDP should the access list reflect that is permit TCP correct given that the object-service group contains both UDP TCP ports?</P><P></P><P>Thanks </P> Mon, 11 Mar 2019 11:17:11 GMT https://community.cisco.com/t5/network-security/syntax-for-access-list-object-group-tcp-udp/m-p/825739#M974343 Communications 2019-03-11T11:17:11Z https://community.cisco.com/t5/network-security/syntax-for-access-list-object-group-tcp-udp/m-p/825740#M974348 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Even though you have both TCP and UDP Port Range defined in the Ojbject-Group called Oracle_forms, the Access-list "outside_cryptomap_1" is permitting only TCP which is OK as far as you want to permit only TCP. </P><P></P><P>If you want to permit only UDP, then the access-list entry for "outside_cryptomap_1" should be "access-list outside_cryptomap_1 permit udp object-group Sever_Access object-group Server_VPN object-group Oracle_forms"</P><P></P><P>If you want to permit both TCP and UDP, then you need two access-list. </P><P></P><P>access-list outside_cryptomap_1 permit tcp object-group Sever_Access object-group Server_VPN object-group Oracle_forms </P><P></P><P>access-list outside_cryptomap_1 permit udp object-group Sever_Access object-group Server_VPN object-group Oracle_forms </P><P></P><P>The idea behind service object group with option tcp-udp in object-group command is</P><P>that we don't need to specify object-group command separately for tcp and udp. Its just to avoid duplication of effort. If we don't use tcp-udp we need to specify 2 service object groups one for tcp and one for udp. </P><P></P><P>For example,</P><P></P><P>object-group service TCP-PORTS tcp</P><P> port-object range 9000 9010</P><P></P><P>object-group service UDP-PORTS udp</P><P> port-object range 9000 9010</P><P></P><P>I hope it helps.</P><P></P><P>Regards,</P><P>Arul</P><P></P><P>** Please rate all helpful posts **</P></BODY></HTML> Wed, 26 Sep 2007 14:09:59 GMT https://community.cisco.com/t5/network-security/syntax-for-access-list-object-group-tcp-udp/m-p/825740#M974348 ajagadee 2007-09-26T14:09:59Z https://community.cisco.com/t5/network-security/syntax-for-access-list-object-group-tcp-udp/m-p/825741#M974349 <HTML><HEAD></HEAD><BODY><P>Hi Arul</P><P></P><P>Thanks you confirmed my thoughts not having used this feature before.</P><P></P><P>Regards Mike</P><P></P></BODY></HTML> Thu, 27 Sep 2007 05:25:51 GMT https://community.cisco.com/t5/network-security/syntax-for-access-list-object-group-tcp-udp/m-p/825741#M974349 Communications 2007-09-27T05:25:51Z