Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9629
Views
0
Helpful
2
Replies

Implementing "object-group service"

Go to solution
Tyler Woods
Level 1
Level 1

‎02-03-2014 03:04 PM - edited ‎03-11-2019 08:39 PM

Running 8.2(3) on an ASA 5510

I have created the two following object groups.

object-group service gatewayTCP tcp

port-object eq 88

port-object eq 135

port-object eq 445

port-object eq ldaps

port-object eq 3268

port-object eq 3269

object-group service gatewayTCP-UDP tcp-udp

port-object eq domain

port-object eq 389

port-object eq 464

port-object range 49152 65535

I have run into an issue with "domain" working in the tcp-udp type. The following access-list does not work without explicitly calling out "domain" for both TCP and UDP. Everywhere I looked I appear to be doing it right so what am I missing. Does "permit tcp" need to be "permit ip" to cover both tcp and udp? I found one article with someone suggestiong just make it "permit tcp" and it will work. Not in a position to test at the moment so figured I'd ask here. Want to be sure I'm not getting bit anywhere else related to these object groups in case I am not implementing them correctly?

access-list dmzAccess extended permit tcp host 172.26.11.10 host 10.16.11.203 object-group gatewayTCP

access-list dmzAccess extended permit tcp host 172.26.11.10 host 10.16.11.203 object-group gatewayTCP-UDP

Is this a bug with service object groups? Is there some place I need to enable this feature?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎02-03-2014 03:19 PM

Hi,

Have you tried configuring it like this

object-group service GATEWAY-SERVICES

service-object tcp eq 88

service-object tcp eq 135

service-object tcp eq 445

service-object tcp eq ldaps

service-object tcp eq 3268

service-object tcp eq 3269

service-object tcp eq 53

service-object udp eq 53

service-object tcp eq 389

service-object udp eq 389

service-object tcp eq 464

service-object udp eq 464

service-object tcp range 49152 65535

service-object udp eq 49152 65535

access-list dmzAccess permit object-group GATEWAY-SERVICES host 172.26.11.10 host 10.16.11.203

I am not sure if it was only after software 8.3+ that the command under the actual "object-group" was of format "service-object tcp source" / "service-object tcp destination" (or the same for UDP)

- Jouni

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎02-03-2014 03:19 PM

Hi,

Have you tried configuring it like this

object-group service GATEWAY-SERVICES

service-object tcp eq 88

service-object tcp eq 135

service-object tcp eq 445

service-object tcp eq ldaps

service-object tcp eq 3268

service-object tcp eq 3269

service-object tcp eq 53

service-object udp eq 53

service-object tcp eq 389

service-object udp eq 389

service-object tcp eq 464

service-object udp eq 464

service-object tcp range 49152 65535

service-object udp eq 49152 65535

access-list dmzAccess permit object-group GATEWAY-SERVICES host 172.26.11.10 host 10.16.11.203

I am not sure if it was only after software 8.3+ that the command under the actual "object-group" was of format "service-object tcp source" / "service-object tcp destination" (or the same for UDP)

- Jouni

0 Helpful

Go to solution
Tyler Woods
Level 1
Level 1
In response to Jouni Forss

‎02-03-2014 03:24 PM

I did not. My ASA appears to be taking those commands without issue. Will give that a try and report back. Thank you.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card