Add access-list through ADSM 6.4 with different service types

y.lo · ‎08-30-2012

I tried to add an access-list in ADSM, with source any and destination any, and services tcp/http and udp/dns.

However I got this error message "service cannot contain services of different types".

Is grouping tcp and udp services in the same access-list entry not supported?

I just cannot find such information in any cisco documents.

Many thanks.

Jennifer Halim · ‎08-30-2012

Yes you can...

Here is an example:

object-group service DM_INLINE_SERVICE_1

service-object tcp destination eq cifs

service-object udp destination eq domain

access-list inside_access_in line 13 extended permit object-group DM_INLINE_SERVICE_1 any any

y.lo · ‎08-30-2012

Thanks for your reply Jennifer.

DId you create this rule by using CLI or ADSM? Please try editing this rule in ADSM, like adding a comment, to see if you hit the error message.

BTW, what version are you using? I am running version 8.4.3

Jennifer Halim · ‎08-30-2012

I use ASDM 6.4, and the ASA is 8.4.2.

I tried to add comment and didn't see the error that you've seen.

Did you only see the error when you try to edit the existing access-list?

Also, have you tried with CLI and do you get the same error? just trying to see if it's an ASDM bug or ASA bug.

y.lo · ‎08-30-2012

I tried two cases

I created the rule using ADSM but failed

Then I created it using cli without any problem. I further edit it and result in error message

Julio Carvajal · ‎08-30-2012

Hello Y.lo

I tried using the ASDM and it worked just fine

I am running ASDM 6.4.5.

Add access-list, source any destination any and on service set:

tcp/cifs,udp/53

And that's it.

Let me know how it goes.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

y.lo · ‎09-02-2012

I tried configuring this access list on a factory default configuration and it was fine. It just cannot be done on customer configuration. I will create a TAC case to troubleshoot it. Thanks a lot.

Julio Carvajal · ‎09-03-2012

Hello Y.lo,

Sure, keep us posted and provide us what TAC tells you so we can understand what is going on and mark the question as answered.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

y.lo · ‎09-03-2012

It turns out that there is a service object group named "domain" configured by customer. So this mixes up with the default udp service "domain". The problem is fixed by deleting the object group.

Jennifer Halim · ‎09-03-2012

Great finding and thanks for the update.

Jeff Poblocki · ‎04-12-2015

I know this is an old post, not sure if it is till active. I am having the same problem. I can not add two service groups of different protocols to a service. I am getting "Service cannot contain services of different types".

I am running ASDM 6.4.9 and ASA 8.4.3.

It seems to work fine when I add different protocol ports individually, just not when I add groups.

Vibhor Amrodia · ‎04-15-2015

Hi ,

I don't see any issue in lab. Can you post the relevant configuration and the error ?

Thanks and Regards,

Vibhor Amrodia

Jeff Poblocki · ‎04-15-2015

Thank you for your reply. The error happens when I try to add Service Groups of multiple protocols to an access list.

It works fine when I add ports of different protocols. (See capture1.png)

I would like to make these ports Service Groups that are easier to read and manage. (See capture2.png)

When I try to replace the individual ports with the new service groups I receive the error in capture3.png

mgholami1 · ‎06-22-2016

I'm having the same issue,

Can anybody put an update here?

I'm running ASA 9.5(2)

ASDM 7.6(1)