I tried to add an access-list in ASDM, with source any and destination any, and services tcp/http and udp/dns.
However, I got this error message: "service cannot contain services of different types".
Is grouping tcp and udp services in the same access-list entry not supported?
I just cannot find such information in any Cisco documents.
Yes you can...
Here is an example:
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq cifs
service-object udp destination eq domain
access-list inside_access_in line 13 extended permit object-group DM_INLINE_SERVICE_1 any any
Thanks for your reply Jennifer.
Did you create this rule by using CLI or ASDM? Please try editing this rule in ASDM, like adding a comment, to see if you hit the error message.
BTW, what version are you using? I am running version 8.4.3
I use ASDM 6.4, and the ASA is 8.4.2.
I tried to add comment and didn't see the error that you've seen.
Did you only see the error when you try to edit the existing access-list?
Also, have you tried with CLI and do you get the same error? Just trying to see if it's an ASDM bug or ASA bug.
I tried two cases:
I created the rule using ASDM but failed.
Then I created it using CLI without any problem. I then edited it further, which resulted in the error message.
I tried using the ASDM and it worked just fine
I am running ASDM 6.4.5.
Add access-list, source any destination any and on service set:
And that's it.
Let me know how it goes.
I tried configuring this access list on a factory default configuration and it was fine. It just cannot be done on customer configuration. I will create a TAC case to troubleshoot it. Thanks a lot.
Sure, keep us posted and provide us what TAC tells you so we can understand what is going on and mark the question as answered.
It turns out that there is a service object group named "domain" configured by the customer. So this mixes up with the default udp service "domain". The problem is fixed by deleting the object group.
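The root cause reported above (a customer-defined service object group whose name matches a built-in port keyword) can be checked for offline in a saved configuration. The following is an added example, not part of the original thread; the keyword set is a partial, assumed list of ASA port names, and the sample configuration and the function name `find_shadowed_names` are constructed for illustration.

```python
import re

# Assumption: partial list of port keywords the ASA accepts after "eq";
# extend it from the command reference for the release you run.
BUILTIN_PORT_NAMES = {
    "domain", "cifs", "www", "http", "https", "ftp", "ftp-data", "ssh",
    "telnet", "smtp", "pop3", "imap4", "ntp", "snmp", "snmptrap", "syslog",
    "tftp", "ldap", "ldaps", "sip", "nfs", "bootps", "bootpc", "isakmp",
}

# Matches "object-group service NAME [tcp|udp|tcp-udp]" and "object service NAME".
DEF_RE = re.compile(r"^(object-group|object)\s+service\s+(\S+)")

# Constructed sample: the first group reuses the built-in keyword "domain".
SAMPLE_CONFIG = """\
object-group service domain udp
 port-object eq domain
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq cifs
 service-object udp destination eq domain
object service WEB_PORTS
 service tcp destination eq www
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
"""


def find_shadowed_names(config_text):
    """Return (line number, object kind, name) for every service object or
    service object group whose name equals a built-in port keyword."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = DEF_RE.match(line.strip())
        if match and match.group(2).lower() in BUILTIN_PORT_NAMES:
            hits.append((lineno, match.group(1), match.group(2)))
    return hits


if __name__ == "__main__":
    for lineno, kind, name in find_shadowed_names(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind} service '{name}' shadows a built-in port name")
```

Renaming or removing any object it reports avoids the ambiguity between the user-defined group and the built-in keyword when a rule references that name.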
I know this is an old post, not sure if it is still active. I am having the same problem. I cannot add two service groups of different protocols to a service. I am getting "Service cannot contain services of different types".
I am running ASDM 6.4.9 and ASA 8.4.3.
It seems to work fine when I add different protocol ports individually, just not when I add groups.
Thank you for your reply. The error happens when I try to add Service Groups of multiple protocols to an access list.
It works fine when I add ports of different protocols. (See capture1.png)
I would like to make these ports Service Groups that are easier to read and manage. (See capture2.png)
When I try to replace the individual ports with the new service groups, I receive the error in capture3.png.