08-30-2012 02:35 AM - edited 03-11-2019 04:47 PM
I tried to add an access-list in ASDM, with source any and destination any, and services tcp/http and udp/dns.
However I got this error message "service cannot contain services of different types".
Is grouping tcp and udp services in the same access-list entry not supported?
I just cannot find such information in any Cisco documents.
Many thanks.
08-30-2012 06:38 AM
Yes you can...
Here is an example:
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq cifs
 service-object udp destination eq domain
access-list inside_access_in line 13 extended permit object-group DM_INLINE_SERVICE_1 any any
08-30-2012 07:01 AM
Thanks for your reply Jennifer.
Did you create this rule by using CLI or ASDM? Please try editing this rule in ASDM, like adding a comment, to see if you hit the error message.
BTW, what version are you using? I am running version 8.4.3
08-30-2012 07:15 AM
I use ASDM 6.4, and the ASA is 8.4.2.
I tried to add comment and didn't see the error that you've seen.
Did you only see the error when you try to edit the existing access-list?
Also, have you tried with CLI and do you get the same error? Just trying to see if it's an ASDM bug or ASA bug.
08-30-2012 07:50 AM
I tried two cases:
I created the rule using ASDM but failed.
Then I created it using the CLI without any problem. I edited it further and that resulted in the error message.
08-30-2012 09:34 AM
Hello Y.lo
I tried using the ASDM and it worked just fine
I am running ASDM 6.4.5.
Add access-list, source any destination any and on service set:
tcp/cifs,udp/53
And that's it.
Let me know how it goes.
Julio
09-02-2012 11:09 PM
I tried configuring this access list on a factory default configuration and it was fine. It just cannot be done on the customer configuration. I will create a TAC case to troubleshoot it. Thanks a lot.
09-03-2012 09:16 AM
Hello Y.lo,
Sure, keep us posted and provide us what TAC tells you so we can understand what is going on and mark the question as answered.
Regards,
Julio
09-03-2012 06:51 PM
It turns out that there is a service object group named "domain" configured by the customer. So this mixes up with the default udp service "domain". The problem is fixed by deleting the object group.
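The cause reported in the post above (a service object group named "domain" sharing its name with the built-in port keyword) can be checked for in a saved configuration. The following Python script is an added example, not part of the original thread or any Cisco tooling; the keyword list is an assumed, partial subset of the ASA port names and the sample configuration is constructed.

```python
import re

# Assumption: partial list of ASA built-in port-name keywords; extend it from
# the command reference for the ASA release being audited.
BUILTIN_PORT_NAMES = {
    "cifs", "domain", "ftp", "http", "https", "ldap", "ntp",
    "smtp", "snmp", "ssh", "telnet", "tftp", "www",
}

# Matches "object service NAME" and "object-group service NAME [tcp|udp|tcp-udp]".
OBJECT_DEF = re.compile(r"^(object(?:-group)?)\s+service\s+(\S+)(?:\s+(\S+))?\s*$")


def find_name_collisions(config_text):
    """Return (line_no, kind, name) for service objects/groups whose name
    is also a built-in port keyword."""
    hits = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        # Definitions start at column 0; indented lines are sub-commands.
        match = OBJECT_DEF.match(line)
        if match and match.group(2).lower() in BUILTIN_PORT_NAMES:
            hits.append((line_no, match.group(1), match.group(2)))
    return hits


def references_to(config_text, name):
    """Return (line_no, line) for every line that uses the name as a port
    literal ("eq domain") or as an object reference ("object-group domain")."""
    pattern = re.compile(r"\b(?:eq|object-group|object)\s+" + re.escape(name) + r"\b")
    return [(n, line.strip())
            for n, line in enumerate(config_text.splitlines(), start=1)
            if pattern.search(line)]


# Constructed sample configuration (not taken from the thread).
SAMPLE_CONFIG = """\
object-group service domain udp
 port-object eq 53
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq cifs
 service-object udp destination eq domain
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit udp any any eq domain
"""

if __name__ == "__main__":
    for line_no, kind, name in find_name_collisions(SAMPLE_CONFIG):
        print(f"line {line_no}: {kind} service '{name}' shares a built-in port name")
        for ref_no, ref in references_to(SAMPLE_CONFIG, name):
            print(f"  used at line {ref_no}: {ref}")
```

Run it against the output of `show running-config` saved to a file; any hit is a candidate for renaming before rules that use the same keyword are edited.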
09-03-2012 07:08 PM
Great finding and thanks for the update.
04-12-2015 05:52 PM
I know this is an old post, not sure if it is still active. I am having the same problem. I cannot add two service groups of different protocols to a service. I am getting "Service cannot contain services of different types".
I am running ASDM 6.4.9 and ASA 8.4.3.
It seems to work fine when I add different protocol ports individually, just not when I add groups.
04-15-2015 01:39 AM
Hi,
I don't see any issue in lab. Can you post the relevant configuration and the error?
Thanks and Regards,
Vibhor Amrodia
04-15-2015 05:14 AM
Thank you for your reply. The error happens when I try to add Service Groups of multiple protocols to an access list.
It works fine when I add ports of different protocols. (See capture1.png)
I would like to make these ports Service Groups that are easier to read and manage. (See capture2.png)
When I try to replace the individual ports with the new service groups I receive the error in capture3.png.
06-22-2016 12:36 PM
I'm having the same issue.
Can anybody put an update here?
I'm running ASA 9.5(2)
ASDM 7.6(1)