Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
915
Views
0
Helpful
3
Replies

Firewall Rule Interpretation

Go to solution
ksarin123_2
Level 1
Level 1

‎01-18-2011 12:25 PM - edited ‎03-11-2019 12:36 PM

Hello All,

Can someone please explain this rule configured in a Cisco ASA firewall? Apparently, this rule was written to allow Internet access to a CORP office.

access-list CORP-IN extended permit object-group Web-Ports object CORP-USER-NET any

object-group service Web-Ports
description Server access to internet ports
service-object tcp destination eq www
service-object tcp destination eq https

object network CORP-USER-NET
subnet 10.218.0.0 255.255.255.128
description CORP - User Network

Per my understanding, it should be configured as follows:

access-list CORP-IN extended permit object CORP-USER-NET any object-group Web-Ports.

To me, its almost configured backwards. But it's working, since users are able to get internet access. Can someone explain this?
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎01-18-2011 12:36 PM

Hello,

Since your object-group Web-Ports consists of service objects, the way it is configured seems to be correct. You can check the access-list by issuing "show access-list CORP-IN" command.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml#serv

Hope this helps.

Regards,

NT

View solution in original post

0 Helpful

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee
In response to ksarin123_2

‎01-18-2011 01:09 PM

In your case, you are not getting any advantage. The enhanced service object is used when you need to group multiple protocols and ports into one group.

Hope this helps.

Regards,

NT

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎01-18-2011 12:36 PM

Hello,

Since your object-group Web-Ports consists of service objects, the way it is configured seems to be correct. You can check the access-list by issuing "show access-list CORP-IN" command.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml#serv

Hope this helps.

Regards,

NT

0 Helpful

Go to solution
ksarin123_2
Level 1
Level 1
In response to Nagaraja Thanthry

‎01-18-2011 01:07 PM

So in this case, what benefit do I get from using enhanced service objects? Since I am only using port 80, 443 I could have used a protocol specific service object as indicated below, correct?

object-group service test tcp

port-object eq 80

port-object eq 443

So now I know the configuration I listed in my original post works, but again, am I really deriving any benefit from doing it that way? My guess is no. What do you think?

0 Helpful

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee
In response to ksarin123_2

‎01-18-2011 01:09 PM

In your case, you are not getting any advantage. The enhanced service object is used when you need to group multiple protocols and ports into one group.

Hope this helps.

Regards,

NT

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card