Allowing non-contiguous ports on ASA 5520

Warren
Level 1

Good day

I have an ASA 5520 and currently I have the following set up:

 

access-list OUTSIDE-INBOUND line 15 extended permit tcp any host 10.0.0.22 eq www 
access-list OUTSIDE-INBOUND line 16 extended permit tcp any host 10.0.0.22 eq https 
access-list OUTSIDE-INBOUND line 17 extended permit tcp any host 10.0.0.25 eq www 
access-list OUTSIDE-INBOUND line 18 extended permit tcp any host 10.0.0.25 eq https 
access-list OUTSIDE-INBOUND line 19 extended permit tcp any host 10.0.0.25 eq 8080 
access-list OUTSIDE-INBOUND line 20 extended permit tcp any host 10.0.0.27 eq www 
access-list OUTSIDE-INBOUND line 21 extended permit tcp any host 10.0.0.27 eq https 
access-list OUTSIDE-INBOUND line 22 extended permit tcp any host 10.0.0.27 eq 8080 
access-list OUTSIDE-INBOUND line 23 extended permit tcp any host 10.0.0 eq 8082

I was thinking I can create an object group for the IPs, but how would I, for lack of a better word, map the ports to them?

 

object-group network web-servers
 network-object host 10.0.0.22
 network-object host 10.0.0.25
 network-object host 10.0.0.27

 

access-list OUTSIDE-INBOUND line 23 extended permit tcp any object-group web-servers ????

This is where I am stuck: can I just do eq www, https, 8080, 8082??

 

Accepted Solution

Ben Walters
Level 3

Like the object group for the servers, you could also create a service group for the services and reference it that way.

 

object-group service <NAME> tcp
  port-object eq 8080
  port-object eq 8082
  port-object eq http
  port-object eq https

 

access-list OUTSIDE-INBOUND line 23 extended permit tcp any object-group web-servers object-group <NAME>
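
One thing worth checking before replacing lines 15-23 with the single object-group ACE: a service group applied to a network group grants every port in the group to every host in the group, so the consolidated rule is a superset of the original per-host lines. The Python script below is an added example (not from the post or from Cisco); it expands both forms into (host, port) pairs and diffs them. The hosts and ports are the ones from the question (the 8082 entry is left out because its host is truncated in the post), and the group names web-servers and WEB-PORTS are assumed.

```python
import re
from itertools import product

# Constructed sample: the per-host ACEs from the question (the 8082 entry is
# left out because its host address is truncated in the post).
ORIGINAL_ACES = """\
access-list OUTSIDE-INBOUND extended permit tcp any host 10.0.0.22 eq www
access-list OUTSIDE-INBOUND extended permit tcp any host 10.0.0.22 eq https
access-list OUTSIDE-INBOUND extended permit tcp any host 10.0.0.25 eq www
access-list OUTSIDE-INBOUND extended permit tcp any host 10.0.0.25 eq https
access-list OUTSIDE-INBOUND extended permit tcp any host 10.0.0.25 eq 8080
access-list OUTSIDE-INBOUND extended permit tcp any host 10.0.0.27 eq www
access-list OUTSIDE-INBOUND extended permit tcp any host 10.0.0.27 eq https
access-list OUTSIDE-INBOUND extended permit tcp any host 10.0.0.27 eq 8080
"""

# Assumed group names; the members are the ones from the question and the answer.
NETWORK_GROUPS = {"web-servers": ["10.0.0.22", "10.0.0.25", "10.0.0.27"]}
SERVICE_GROUPS = {"WEB-PORTS": ["8080", "8082", "http", "https"]}
CONSOLIDATED_ACE = ("access-list OUTSIDE-INBOUND extended permit tcp any "
                    "object-group web-servers object-group WEB-PORTS")

PORT_NAMES = {"www": 80, "http": 80, "https": 443}   # ASA port keywords used here
HOST_RE = re.compile(r"permit tcp any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"permit tcp any object-group (\S+) object-group (\S+)")

def port_number(token):
    """Map an ASA port keyword or a numeric string to an integer port."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def expand(ace, nets, svcs):
    """Return the set of (dest_host, dest_port) pairs one permit ACE allows."""
    m = HOST_RE.search(ace)
    if m:
        return {(m.group(1), port_number(m.group(2)))}
    m = GROUP_RE.search(ace)
    if m:
        ports = [port_number(p) for p in svcs[m.group(2)]]
        return set(product(nets[m.group(1)], ports))
    raise ValueError("unsupported ACE form: " + ace)

def compare(original_text, consolidated, nets, svcs):
    """Return (pairs newly permitted, pairs no longer permitted) after consolidation."""
    before = set()
    for line in original_text.splitlines():
        before |= expand(line, nets, svcs)
    after = expand(consolidated, nets, svcs)
    return sorted(after - before), sorted(before - after)
```

On this sample, compare() reports 10.0.0.22 newly reachable on 8080 and 8082 and 10.0.0.25 and 10.0.0.27 on 8082, with nothing dropped. If those extra permits are not wanted, split the servers into per-port-profile network groups instead of one group for all three.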

3 Replies
Thank you Ben, that actually never crossed my mind. I will try it out, thank you sir!!

Thank you sir, I put this in over the weekend just like you specified and it worked!!

YEAH!!!! So far no issues; I see the hit count increment, so it looks like it works.

Thank you Ben for the help!!!!
