08-31-2017 06:06 PM - edited 02-21-2020 06:15 AM
So I need to allow a server in the DMZ to talk to a domain controller on the internal network for authentication. This requires allowing a bunch of protocols through the firewall, and some googling has, I think, given me a comprehensive list.
That said, how do I enter the access-list rules on the firewall? It's an ASA 5506. I know how to create a rule for a single port, and for multiple ports if they're all TCP or UDP. But in the list of ports, in some cases I'll need TCP/UDP for one port, and in other cases only TCP and NOT UDP for a port, etc.
For example:
port 88 TCP/UDP
port 636 TCP only
port 464 TCP/UDP
and so on
Or is the only way to do this with multiple access-list entries?
09-04-2017 04:21 AM
Hi Pete,
You can create an object group for services and mention the protocol which you want to allow. Then use this object group in the access list. An example is given below:
object-group service SERVICES
 description Ports the DMZ server needs to reach on the domain controller
 service-object tcp-udp destination eq 88
 service-object tcp destination eq 636
 service-object tcp-udp destination eq 464
!
object-group network DMZ_SERVER
 network-object host <IP of DMZ server>
!
object-group network DOMAIN_CONTROLLER
 network-object host <IP of Domain Controller>
!
access-list DMZ_ACCESS_IN extended permit object-group SERVICES object-group DMZ_SERVER object-group DOMAIN_CONTROLLER
If this was helpful, please give it a thumbs up
08-31-2017 06:47 PM
You don't.
Always work with object-groups when you have a list of ports or IP addresses.
object-group service <name> tcp-udp
 port-object eq port1
 port-object eq port2
 port-object eq portn
 port-object range portx porty
Then, apply this object-group on your rule.
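As an added example (not code from the thread), a small Python parser for the two object-group styles the two answers use, run over a constructed config: it reports which destination protocol/port pairs a group matches, which is the check worth making before the rule goes live, because a port-object group created with tcp-udp in its header opens both protocols for every port in it, whereas per-entry service-objects can keep 636 TCP-only. Group and port values are made up for the sample; only numeric ports are handled.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the two answers: SERVICES carries a protocol
# per entry; AD_PORTS fixes tcp-udp in its header for every port-object.
SAMPLE_CONFIG = """
object-group service SERVICES
 service-object tcp-udp destination eq 88
 service-object tcp destination eq 636
 service-object tcp-udp destination eq 464
!
object-group service AD_PORTS tcp-udp
 port-object eq 88
 port-object eq 636
 port-object range 464 464
"""

SVC_RE = re.compile(r"service-object (tcp-udp|tcp|udp) destination (?:eq (\d+)|range (\d+) (\d+))")
PORT_RE = re.compile(r"port-object (?:eq (\d+)|range (\d+) (\d+))")

@dataclass
class ServiceGroup:
    name: str
    header_proto: str = ""      # only set for "object-group service NAME tcp|udp|tcp-udp"
    entries: list = field(default_factory=list)   # (proto, low_port, high_port)

def _ports(eq, lo, hi):
    return (int(eq), int(eq)) if eq else (int(lo), int(hi))

def parse_service_groups(config):
    """Parse 'object-group service' blocks; other group types are skipped."""
    groups, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.fullmatch(r"object-group service (\S+)(?: (tcp-udp|tcp|udp))?", line)
        if m:
            cur = groups[m.group(1)] = ServiceGroup(m.group(1), m.group(2) or "")
        elif line.startswith("object-group"):
            cur = None                    # network/protocol/icmp group: ignore its body
        elif cur and (m := SVC_RE.fullmatch(line)):
            cur.entries.append((m.group(1), *_ports(*m.groups()[1:])))
        elif cur and cur.header_proto and (m := PORT_RE.fullmatch(line)):
            cur.entries.append((cur.header_proto, *_ports(*m.groups())))   # inherits header proto
    return groups

def permits(group, proto, port):
    """True if the service group matches a destination proto/port pair."""
    return any(p in (proto, "tcp-udp") and lo <= port <= hi
               for p, lo, hi in group.entries)
```

Calling permits(groups["AD_PORTS"], "udp", 636) returns True while the SERVICES group returns False for the same pair, which is the difference the question is asking about.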