ACL using service-object vs. port-object

Ritter Rs
Level 1

Hi, I have some misunderstanding about ACLs using service-object and port-object.
Device is Cisco ASA ASA5510 Software Version 8.2(5).

1 ACL using service-object
access-list PAT-all extended permit object-group Site-LAN-serObj-tcp object-group Site-LAN any

object-group service Site-LAN-serObj-tcp
 service-object tcp eq ssh
 service-object tcp eq 3690

sh access-list
...
access-list PAT-all line 7 extended permit object-group Site-LAN-serObj-tcp object-group Site-LAN any 0x86266726
  access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq ssh (hitcnt=0) 0x1cda44f6
  access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq 3690 (hitcnt=0) 0x5e3f9947
...

2 ACL using port-object
access-list PAT-all extended permit tcp object-group Site-LAN any object-group Site-LAN-portObj-tcp

object-group service Site-LAN-portObj-tcp tcp
 port-object eq ssh
 port-object eq 3690


sh access-list
...
access-list PAT-all line 5 extended permit tcp object-group Site-LAN any object-group Site-LAN-portObj-tcp 0xac4dsdf
  access-list PAT-all line 5 extended permit tcp 10.55.0.0 255.255.0.0 any eq ssh (hitcnt=0) 0x1cwcrcf6
  access-list PAT-all line 5 extended permit tcp 10.55.0.0 255.255.0.0 any eq 3690 (hitcnt=0) 0x5g5efg607
...

These two access-lists should do the same thing, but one (with service-object) is wrong. Could someone explain why, please?

Thank you.

8 Replies

Paul Chapman
Level 4

Hi -

How are you testing this ACL?

From what I see the 2 ACL entries do exactly the same thing. In this case ACL order would cause a precedence of line 5 over line 7, so line 7 will never get a match.

PSC

I didn't use both ACLs at the same time; it is just a copy.

The ACL with service-object was used first. I found that the use of this ACL is wrong.

So, I am looking to figure out why the first ACL is wrong.

Hi -

Honestly I don't see a problem with it.  As shown in your original question, "show access-list" shows the exact same ACEs in the ACL.

Where is this ACL being used? (Access-Group, Crypto Map, VPN Filter, etc...)

PSC

It was used on ASA FW, for inside lan, to permit inside hosts to reach outside networks.

I have tried with an ACL using service-object to define the ports that are allowed:
- as you can see, the syntax is somewhat different than usual
acl acl-name object-group service-group-name object-group network-group-name any

But it did not work: access was allowed on non-listed ports. After I switched from service-object
to port-object, I didn't have access to ports that are not listed in the ACL.

This is entire ACL:

access-list PAT-all line 7 extended permit object-group Site-LAN-serObj-tcp object-group Site-LAN any
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq ssh (hitcnt=0) 0x1cda0cf6
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq 3690 (hitcnt=0) 0x5e3f6607
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq 2401 (hitcnt=0) 0x8ff4d66f
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq https (hitcnt=0) 0x6128371d
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq 9418 (hitcnt=0) 0x1d56c202
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq 873 (hitcnt=0) 0x1dd68fc8
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq www (hitcnt=0) 0x0c554949
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq ftp (hitcnt=0) 0xfab58087
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq rtsp (hitcnt=0) 0x81c0aca8
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq 1755 (hitcnt=0) 0x39f04fcc
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq 7999 (hitcnt=0) 0x075f88f8
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq sip (hitcnt=0) 0xba32cf2c
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq 3000 (hitcnt=0) 0x6f781a3a
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq 8443 (hitcnt=0) 0xa5cee280
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq 5062 (hitcnt=0) 0x89a82da4
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq 29418 (hitcnt=0) 0xa0393f09
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq 3389 (hitcnt=0) 0x409bd1dd
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq 10000 (hitcnt=0) 0x73039ac8
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any eq 9443 (hitcnt=0) 0x37672c98
access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any neq smtp (hitcnt=0) 0x6f599db4

And I was able to access one remote host on port 82, but I should not!?!

Hi

The syntax is different because you don't specify "tcp" at the end of the service object-group:

object-group service Site-LAN-serObj-tcp
 service-object tcp eq ssh
 service-object tcp eq 3690
object-group service Site-LAN-portObj-tcp tcp
 port-object eq ssh
 port-object eq 3690

What happens when you run packet tracer on the two different ACLs?

packet-tracer input tcp 10.55.5.5 12345 8.8.8.8 82 detail

I think that I found the mistake in the first ACL,

access-list PAT-all line 7 extended permit tcp 10.55.0.0 255.255.0.0 any neq smtp

This line opens all TCP ports including 82 (except smtp)?

Hi -

Yes.  You found the problem alright.  Actually SMTP is on TCP/25.  The rule states all other ports are allowed.  Since it is the last entry, it will match on all non-SMTP traffic and the ASA will stop rule processing.

If you post to the forums in the future, please include more complete configurations for the members to review.

Good Luck!

PSC
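The two points made in this thread, that the ASA expands a service object-group and a port object-group into the same per-port ACEs, and that the ACL is evaluated first-match so a trailing `neq smtp` entry permits every other TCP port, can be checked offline with a small model of that expansion. The script below is an added example and is not code from the thread or from Cisco; it is a stand-in for the `packet-tracer` check suggested above, not a replacement for it. The configuration is constructed from the thread's object names; the `service-object tcp neq smtp` entry is an assumption implied by the expanded `show access-list` output posted above, and the `PORT_NAMES` table is a hand-picked subset of ASA service keywords.

```python
# Added example (not from the thread): models how the ASA expands object-group
# ACEs and evaluates a flow first-match, to audit why Site-LAN reached TCP/82.
# Config is constructed from the thread's objects; the 'neq smtp' entry is an
# assumption implied by the expanded 'show access-list' output in the thread.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ssh": 22, "smtp": 25, "www": 80, "https": 443, "ftp": 21}


def to_port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    op: str                 # 'eq', 'neq' or 'any' (no port qualifier)
    port: Optional[int]

    def matches(self, proto, sip, dip, dport):
        if (proto != self.proto or ipaddress.ip_address(sip) not in self.src
                or ipaddress.ip_address(dip) not in self.dst):
            return False
        if self.op == "any":
            return True
        return dport == self.port if self.op == "eq" else dport != self.port


def parse_groups(config):
    """Collect object-groups into {name: {"proto": header proto, "items": [...]}}."""
    groups, cur = {}, None
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "object-group":        # object-group service NAME [tcp] | network NAME
            cur = groups[t[2]] = {"proto": t[3] if len(t) > 3 else None, "items": []}
        elif t[0] == "service-object":    # service-object tcp eq ssh (proto per entry)
            cur["items"].append((t[1], t[2], to_port(t[3])))
        elif t[0] == "port-object":       # port-object eq ssh (proto from the header)
            cur["items"].append((cur["proto"], t[1], to_port(t[2])))
        elif t[0] == "network-object":    # network-object 10.55.0.0 255.255.0.0
            cur["items"].append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
    return groups


def _addr(t, i, groups):
    """Consume one address element (any | object-group NAME | ADDR MASK) at t[i]."""
    if t[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t[i] == "object-group":
        return list(groups[t[i + 1]]["items"]), i + 2
    return [ipaddress.ip_network(f"{t[i]}/{t[i + 1]}")], i + 2


def expand(acl_line, groups):
    """Expand one 'access-list ... extended' line into the ACEs the ASA evaluates."""
    t = acl_line.split()
    action, i = t[3], 4
    if t[i] == "object-group":            # service group supplies protocol AND port
        services, i = list(groups[t[i + 1]]["items"]), i + 2
    else:                                 # plain protocol; a port qualifier may follow
        services, i = [(t[i], "any", None)], i + 1
    srcs, i = _addr(t, i, groups)
    dsts, i = _addr(t, i, groups)
    if i < len(t) and t[i] == "object-group":   # trailing port object-group
        services = list(groups[t[i + 1]]["items"])
    elif i < len(t):                            # eq/neq PORT
        services = [(services[0][0], t[i], to_port(t[i + 1]))]
    return [Ace(action, p, s, d, op, port)
            for (p, op, port) in services for s in srcs for d in dsts]


def first_match(aces, proto, sip, dip, dport):
    """ASA semantics: the first matching ACE wins; no match is the implicit deny."""
    for n, ace in enumerate(aces, 1):
        if ace.matches(proto, sip, dip, dport):
            return n, ace
    return None, None


# Constructed configuration mirroring the thread's objects.
CONFIG = """
object-group network Site-LAN
 network-object 10.55.0.0 255.255.0.0
object-group service Site-LAN-serObj-tcp
 service-object tcp eq ssh
 service-object tcp eq 3690
 service-object tcp neq smtp
object-group service Site-LAN-portObj-tcp tcp
 port-object eq ssh
 port-object eq 3690
"""
ACL_SERVICE = ("access-list PAT-all extended permit object-group "
               "Site-LAN-serObj-tcp object-group Site-LAN any")
ACL_PORT = ("access-list PAT-all extended permit tcp object-group Site-LAN "
            "any object-group Site-LAN-portObj-tcp")


def audit(acl_line, sip="10.55.5.5", dip="8.8.8.8", dport=82, config=CONFIG):
    """Return (verdict, matching ACE number or None, expanded port qualifiers)."""
    aces = expand(acl_line, parse_groups(config))
    n, hit = first_match(aces, "tcp", sip, dip, dport)
    return ("permit" if hit else "deny (implicit)", n,
            [f"{a.op} {a.port}" for a in aces])


if __name__ == "__main__":
    for name, acl in (("service-object", ACL_SERVICE), ("port-object", ACL_PORT)):
        print(name, audit(acl))
```

Running it shows the service-object line expanding to `eq 22`, `eq 3690`, `neq 25`, with the flow to port 82 matching the third ACE, while the port-object line expands to only `eq 22` and `eq 3690` and the same flow falls through to the implicit deny. The lesson for an ACL review is the one Paul gives: look at the expanded `show access-list` output rather than the object-group names, and treat any `neq` entry near the end of a permit list as a near-wildcard.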

Ok. Sorry and thank you.
