cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


240
Views
10
Helpful
3
Replies
Beginner

Allowing non contiguous ports on ASA 5520

Good day

 

I have a ASA 5520 and currently I have the following set up 

 

access-list OUTSIDE-INBOUND line 15 extended permit tcp any host 10.0.0.22 eq www 
access-list OUTSIDE-INBOUND line 16 extended permit tcp any host 10.0.0.22 eq https 
access-list OUTSIDE-INBOUND line 17 extended permit tcp any host 10.0.0.25 eq www 
access-list OUTSIDE-INBOUND line 18 extended permit tcp any host 10.0.0.25 eq https 
access-list OUTSIDE-INBOUND line 19 extended permit tcp any host 10.0.0.25 eq 8080 
access-list OUTSIDE-INBOUND line 20 extended permit tcp any host 10.0.0.27 eq www 
access-list OUTSIDE-INBOUND line 21 extended permit tcp any host 10.0.0.27 eq https 
access-list OUTSIDE-INBOUND line 22 extended permit tcp any host 10.0.0.27 eq 8080 
access-list OUTSIDE-INBOUND line 23 extended permit tcp any host 10.0.0 eq 8082

I was thinking I can create and object group for the IPs but how would I, lack for a better word, map the ports to them?  

 

objext-group web servers
network-object host 10.0.0.22
network-object host 10.0.0.25
network-object host 10.0.0.27

 

access-list OUTSIDE-INBOUND line 23 extended permit tcp any objext-group web servers ????

This is where I am stuck, can I just do eq www, https, 8080, 8082??

 

1 ACCEPTED SOLUTION

Accepted Solutions
Participant

Re: Allowing non contiguous ports on ASA 5520

Like the object group for the servers you could also create a service groups for the services and reference it that way. 

 

object-group service <NAME> tcp

  port-object eq 8080
  port-object eq 8082
  port-object eq http
  port-object eq https

 

access-list OUTSIDE-INBOUND line 23 extended permit tcp any object-group web servers object-group <NAME>

 

 

3 REPLIES 3
Participant

Re: Allowing non contiguous ports on ASA 5520

Like the object group for the servers you could also create a service groups for the services and reference it that way. 

 

object-group service <NAME> tcp

  port-object eq 8080
  port-object eq 8082
  port-object eq http
  port-object eq https

 

access-list OUTSIDE-INBOUND line 23 extended permit tcp any object-group web servers object-group <NAME>

 

 

Beginner

Re: Allowing non contiguous ports on ASA 5520

Thank you Ben that actually never crossed my mind I will try it out, thank you sir!!

Beginner

Re: Allowing non contiguous ports on ASA 5520

Thank you sir I put this in over the weekend just like you specified and it worked!!

YEAH!!!!  So far no issues, I see the hit count increment so it looks like it works

thank you Ben for the help!!!!