Allowing access for multiple ports across ASA 5506, TCP and UDP

Pete Johnstone
Level 1

So I need to allow a server in the DMZ to talk to a domain controller on the internal network for authentication. This requires allowing a bunch of protocols through the firewall; some googling has, I think, given me a comprehensive list.

 

That said, how do I enter the access-list rules on the firewall? It's an ASA 5506. I know how to create a rule for a single port, and for multiple ports if they're all TCP or UDP. But for this list of ports, in some cases I'll need TCP/UDP for one port, and in other cases only TCP and NOT UDP for a port, etc.

 

For example:

port 88 TCP/UDP

port 636 TCP only

port 464 TCP/UDP 

and so on

 

Or is the only way to do this with multiple access-list entries?
Accepted Solution

Hi Pete,

 

You can create an object group for services and specify the protocol you want to allow for each port. Then use this object group in the access list. An example is given below:

 

object-group service SERVICES
 service-object tcp-udp destination eq 88
 service-object tcp destination eq 636
 service-object tcp-udp destination eq 464
!
object-group network DMZ_SERVER
 network-object host <IP of DMZ server>
!
object-group network DOMAIN_CONTROLLER
 network-object host <IP of Domain Controller>
!
access-list DMZ_ACCESS_IN extended permit object-group SERVICES object-group DMZ_SERVER object-group DOMAIN_CONTROLLER

 

If this was helpful, please give it a thumbs up

Spooster IT Services Team


You don't.

Always work with object-groups when you have a list of ports or IP addresses.

object-group service <name> tcp-udp
 port-object eq <port1>
 port-object eq <port2>
 port-object eq <portn>
 port-object range <portx> <porty>

Then, apply this object-group in your rule.
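The object-group approach from the accepted solution and the reply above, carried through to a complete configuration that is actually bound to an interface and then checked. This is an added example, not configuration posted by either reply: the interface name (dmz), the addresses, the object-group names and the port list are assumptions. The port list is the usual set a DMZ host needs to reach a domain controller for DNS, Kerberos and LDAP authentication; trim it to what the server really uses.

```cisco
! Network objects: who may talk to whom (addresses are assumptions)
object-group network DMZ_SERVER
 network-object host 10.20.0.10
object-group network DOMAIN_CONTROLLERS
 network-object host 10.10.0.5
 network-object host 10.10.0.6
!
! Service group: one service-object per protocol/port pair, so TCP-only
! ports and TCP+UDP ports can share a single group.
object-group service AD_AUTH
 description DMZ server to DC: DNS, Kerberos, LDAP
 service-object tcp-udp destination eq 53
 service-object tcp-udp destination eq 88
 service-object tcp-udp destination eq 389
 service-object tcp-udp destination eq 464
 service-object tcp destination eq 636
 service-object tcp destination eq 3268
 service-object tcp destination eq 3269
!
! Only this flow is permitted. The explicit deny with log makes refused
! traffic from the DMZ visible in syslog instead of silently dropped.
access-list DMZ_ACCESS_IN extended permit object-group AD_AUTH object-group DMZ_SERVER object-group DOMAIN_CONTROLLERS
access-list DMZ_ACCESS_IN extended deny ip any any log
!
! An access-list does nothing until it is bound to an interface.
access-group DMZ_ACCESS_IN in interface dmz
!
! Checks (run from enable mode, not configuration mode).
! TCP/636 from the DMZ server to a DC should be allowed...
packet-tracer input dmz tcp 10.20.0.10 40000 10.10.0.5 636
! ...while UDP/636 should hit the deny, because 636 is TCP-only in the group.
packet-tracer input dmz udp 10.20.0.10 40000 10.10.0.5 636
! Expanded ACEs with hit counts: one line per protocol/port the group generates.
show access-list DMZ_ACCESS_IN
```

If the DMZ server is domain-joined rather than only binding over LDAP/Kerberos, Windows additionally uses 135/TCP, 445/TCP and the RPC dynamic range 49152-65535/TCP for Netlogon and related RPC services; add those as further service-object lines only if the server actually needs them, since the dynamic range is a wide opening from a DMZ host to a domain controller. Under the port-object style in the reply above, a group declared tcp-udp applies both protocols to every port in it, so a mixed list needs one group per protocol and one access-list line per group; the service-object form avoids that.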
