cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
932
Views
0
Helpful
3
Replies

Firewall Rule Interpretation

ksarin123_2
Level 1
Level 1
Hello All,

Can someone please explain this rule configured in a Cisco ASA firewall? Apparently, this rule was written to allow Internet access to a CORP office.

access-list CORP-IN extended permit object-group Web-Ports object CORP-USER-NET any

object-group service Web-Ports
description Server access to internet ports
service-object tcp destination eq www
service-object tcp destination eq https

object network CORP-USER-NET
subnet 10.218.0.0 255.255.255.128
description CORP - User Network

Per my understanding, it should be configured as follows:

access-list CORP-IN extended permit object CORP-USER-NET any object-group Web-Ports.

To me, its almost configured backwards. But it's working, since users are able to get internet access. Can someone explain this?
2 Accepted Solutions

Accepted Solutions

Nagaraja Thanthry
Cisco Employee
Cisco Employee

Hello,

Since your object-group Web-Ports consists of service objects, the way it is configured seems to be correct. You can check the access-list by issuing "show access-list CORP-IN" command.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml#serv

Hope this helps.

Regards,

NT

View solution in original post

In your case, you are not getting any advantage. The enhanced service object is used when you need to group multiple protocols and ports into one group.

Hope this helps.

Regards,

NT

View solution in original post

3 Replies 3

Nagaraja Thanthry
Cisco Employee
Cisco Employee

Hello,

Since your object-group Web-Ports consists of service objects, the way it is configured seems to be correct. You can check the access-list by issuing "show access-list CORP-IN" command.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml#serv

Hope this helps.

Regards,

NT

So in this case, what benefit do I get from using enhanced service objects? Since I am only using port 80, 443 I could have used a protocol specific service object as indicated below, correct?

object-group service test tcp

port-object eq 80

port-object eq 443

So now I know the configuration I listed in my original post works, but again, am I really deriving any benefit from doing it that way? My guess is no. What do you think?

In your case, you are not getting any advantage. The enhanced service object is used when you need to group multiple protocols and ports into one group.

Hope this helps.

Regards,

NT

Review Cisco Networking for a $25 gift card