Cisco ASA 5505 Access List

Mohammed Yusuf
Level 1

Hi,

I am working on an access list and I have created an object group for IP addresses and an object group for Service. The access list requires TCP and UDP ports open. I could write separate access lists for tcp and udp, for example

access-list acl-inside extended permit tcp object obj_network object-group destination-ips object-group tcp-port

access-list acl-inside extended permit udp object obj_network object-group destination-ips object-group udp-port

I thought about making it more easy and creating a

object-group service destination-port tcp-udp

port-object eq 123
port-object eq 5080
port-object eq 5222
port-object eq 8011
port-object eq www
port-object eq 443
port-object eq 389
port-object eq sip
port-object eq domain
port-object range 10000 60000

but I am struggling to write an access list on ASA 5505 9.3, for example

I could not find how I could squeeze it into one access list rather than two access lists.

Is there any other way I could write it?

Thanks,

1 Reply

Vincent P
Level 1

Dear Mohammed,

Indeed, you can create a service group and use the tcp-udp keyword if your service uses both TCP and UDP with the same port number, for example, DNS (port 53).

object-group service DNS tcp-udp

port-object eq 123

This will save you from having duplicate service groups:

object-group service DNS tcp

port-object eq 123

object-group service DNS udp

port-object eq 123

But even with the tcp-udp service group, you will have to create two separate ACL entries, one for tcp and one for udp.

Regards,

Vincent
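Added configuration example, not from either post in the thread: it writes out the approach the reply describes (one tcp-udp port group, two ACEs) using the object names and port list from the question, adds the show and packet-tracer commands a practitioner would use to confirm the resulting entries, and finishes with the protocol-less service object group form that ASA 8.3 and later also accept, which is not discussed in the thread but is the form that lets a single ACE carry both protocols. The host addresses in the packet-tracer lines are constructed placeholders.

```cisco
! Added example, not from either post. obj_network, destination-ips and
! acl-inside are the names used in the question; ports are the question's list.

! 1) One tcp-udp port group replaces the separate tcp-port and udp-port groups.
object-group service destination-port tcp-udp
 port-object eq 123
 port-object eq 5080
 port-object eq 5222
 port-object eq 8011
 port-object eq www
 port-object eq 443
 port-object eq 389
 port-object eq sip
 port-object eq domain
 port-object range 10000 60000

! 2) As the reply says, a port group is still bound to the protocol keyword
!    in front of the source, so it takes one ACE per protocol.
access-list acl-inside extended permit tcp object obj_network object-group destination-ips object-group destination-port
access-list acl-inside extended permit udp object obj_network object-group destination-ips object-group destination-port

! 3) Verify. show access-list prints the expanded entries (one line per port
!    and protocol) with hit counts; packet-tracer shows which entry a flow hits.
!    10.0.0.5 and 203.0.113.10 are constructed placeholder addresses.
show access-list acl-inside
packet-tracer input inside tcp 10.0.0.5 40000 203.0.113.10 443
packet-tracer input inside udp 10.0.0.5 40000 203.0.113.10 53

! 4) Not covered in the thread: a service group defined without a protocol
!    keyword carries the protocol in each entry, so the ACE references the
!    group in the protocol position and one entry covers both TCP and UDP.
object-group service tcp-udp-services
 service-object tcp-udp destination eq 123
 service-object tcp-udp destination eq 53
 service-object tcp-udp destination range 10000 60000
access-list acl-inside extended permit object-group tcp-udp-services object obj_network object-group destination-ips
```

Either way, review the output of show access-list after the change: the ASA expands every port-object into its own entry, and the entry count for the port range in the question is the same whichever form is used, so the choice between them is about readability of the running configuration rather than rule capacity.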
