08-30-2012 02:35 AM - edited 03-11-2019 04:47 PM
I tried to add an access-list in ASDM, with source any and destination any, and services tcp/http and udp/dns.
However, I got this error message: "service cannot contain services of different types".
Is grouping tcp and udp services in the same access-list entry not supported?
I just cannot find such information in any Cisco documents.
Many thanks.
08-30-2012 06:38 AM
Yes you can...
Here is an example:
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq cifs
 service-object udp destination eq domain
access-list inside_access_in line 13 extended permit object-group DM_INLINE_SERVICE_1 any any
08-30-2012 07:01 AM
Thanks for your reply Jennifer.
Did you create this rule by using CLI or ASDM? Please try editing this rule in ASDM, like adding a comment, to see if you hit the error message.
BTW, what version are you using? I am running version 8.4.3
08-30-2012 07:15 AM
I use ASDM 6.4, and the ASA is 8.4.2.
I tried to add a comment and didn't see the error that you've seen.
Did you only see the error when you tried to edit the existing access-list?
Also, have you tried with CLI and do you get the same error? Just trying to see if it's an ASDM bug or ASA bug.
08-30-2012 07:50 AM
I tried two cases:
I created the rule using ASDM but it failed.
Then I created it using the CLI without any problem. When I edited it further, it resulted in the error message.
08-30-2012 09:34 AM
Hello Y.lo
I tried using the ASDM and it worked just fine
I am running ASDM 6.4.5.
Add access-list, source any destination any and on service set:
tcp/cifs,udp/53
And that's it.
Let me know how it goes.
Julio
09-02-2012 11:09 PM
I tried configuring this access list on a factory default configuration and it was fine. It just cannot be done on the customer configuration. I will create a TAC case to troubleshoot it. Thanks a lot.
09-03-2012 09:16 AM
Hello Y.lo,
Sure, keep us posted and provide us what TAC tells you so we can understand what is going on and mark the question as answered.
Regards,
Julio
09-03-2012 06:51 PM
It turns out that there is a service object group named "domain" configured by the customer. So this mixes up with the default udp service "domain". The problem is fixed by deleting the object group.
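The cause reported above, a customer-defined service object group whose name matches the built-in port keyword "domain", can be checked for in a saved configuration. This is an added example, not part of the original thread and not Cisco tooling; the keyword set is a partial list chosen for illustration and the sample configuration is constructed.

```python
import re

# Subset of ASA built-in port keywords (assumption: not exhaustive, extend for your release).
ASA_PORT_KEYWORDS = {
    "domain", "www", "http", "https", "ftp", "ssh", "telnet",
    "smtp", "cifs", "ntp", "snmp", "tftp", "syslog",
}

# Matches "object service NAME" and "object-group service NAME [tcp|udp|tcp-udp]".
DEFINITION = re.compile(r"^(object|object-group)\s+service\s+(\S+)")

# Constructed sample, not taken from the thread's customer configuration.
SAMPLE_CONFIG = """\
object-group service domain udp
 port-object eq 53
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq cifs
 service-object udp destination eq domain
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
"""


def find_keyword_collisions(config_text):
    """Return one finding per service object or group named after a port keyword."""
    lines = config_text.splitlines()
    findings = []
    for number, line in enumerate(lines, start=1):
        match = DEFINITION.match(line)
        if not match or match.group(2) not in ASA_PORT_KEYWORDS:
            continue
        kind, name = match.groups()
        # Other lines that use the same token are the rules to re-check after a rename.
        uses = [
            n for n, text in enumerate(lines, start=1)
            if n != number and name in text.split()
        ]
        findings.append({"line": number, "kind": kind, "name": name, "used_on": uses})
    return findings


if __name__ == "__main__":
    for f in find_keyword_collisions(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['kind']} service '{f['name']}' "
              f"matches a built-in port keyword; also referenced on lines {f['used_on']}")
```

Run it against the output of `show running-config` saved to a file; any finding is a name worth renaming before editing rules that reference the same keyword.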
09-03-2012 07:08 PM
Great finding and thanks for the update.
04-12-2015 05:52 PM
I know this is an old post, not sure if it is still active. I am having the same problem. I cannot add two service groups of different protocols to a service. I am getting "Service cannot contain services of different types".
I am running ASDM 6.4.9 and ASA 8.4.3.
It seems to work fine when I add different protocol ports individually, just not when I add groups.
04-15-2015 01:39 AM
Hi,
I don't see any issue in the lab. Can you post the relevant configuration and the error?
Thanks and Regards,
Vibhor Amrodia
04-15-2015 05:14 AM
Thank you for your reply. The error happens when I try to add Service Groups of multiple protocols to an access list.
It works fine when I add ports of different protocols. (See capture1.png)
I would like to make these ports Service Groups that are easier to read and manage. (See capture2.png)
When I try to replace the individual ports with the new service groups I receive the error in capture3.png
06-22-2016 12:36 PM
I'm having the same issue.
Can anybody put an update here?
I'm running ASA 9.5(2)
ASDM 7.6(1)