Under vanilla IOS, is it possible to use both TCP flags (established, syn, rst, etc.) and service object groups?
For example, I can create an ACL that only allows return traffic from established Telnet and SSH connections:
ip access-list extended DEMO-TCP
permit tcp host 1.1.1.1 eq 22 host 2.2.2.2 established
permit tcp host 1.1.1.1 eq 23 host 2.2.2.2 established
And I can create a single object group for the two TCP protocols to reduce the ACL into one line:
object-group service TCP-PORTS
tcp source 22
tcp source 23
ip access-list extended DEMO-TCP
permit object-group TCP-PORTS host 1.1.1.1 host 2.2.2.2
But when I use a service object-group in an ACL, I lose the TCP flag options at the end:
LABB-RA1(config-ext-nacl)#$ect-group TCP-PORTS host 1.1.1.1 host 2.2.2.2 ?
dscp Match packets with given dscp value
fragments Check non-initial fragments
log Log matches against this entry
log-input Log matches against this entry, including input interface
option Match packets with given IP Options value
time-range Specify a time-range
tos Match packets with given TOS value
ttl Match packets with given TTL value
<cr> <cr>
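An added example for anyone with the same goal (this is not part of the original question and makes no claim about object-group syntax): the `established` keyword only tests the ACK and RST bits, so a crafted segment from 1.1.1.1 with ACK set is permitted whether or not any session exists. A reflexive ACL keys on the actual outbound session instead. The interface name GigabitEthernet0/0, the ACL names and the reflexive list name are assumptions; the hosts and ports are the ones from the question.

```cisco
! Outbound: the connection initiator (2.2.2.2) opens SSH/Telnet to 1.1.1.1.
! Each matching session creates a temporary reverse entry in TCP-RETURN.
ip access-list extended OUTBOUND
 permit tcp host 2.2.2.2 host 1.1.1.1 eq 22 reflect TCP-RETURN timeout 300
 permit tcp host 2.2.2.2 host 1.1.1.1 eq 23 reflect TCP-RETURN timeout 300
 deny ip any any log

! Inbound: only return traffic for sessions recorded in TCP-RETURN is allowed.
! Unlike "established", an unsolicited segment with ACK set is dropped here.
ip access-list extended INBOUND
 evaluate TCP-RETURN
 deny ip any any log

! Apply both directions on the interface facing 1.1.1.1.
interface GigabitEthernet0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in

! Optional global default for entries created without an explicit timeout.
ip reflexive-list timeout 300
```

`show access-lists TCP-RETURN` shows the temporary entries while a session is open; they age out after the timeout or when the router sees the session close. The explicit per-port lines stay as in the first form of the ACL in the question, since `reflect` is a per-entry option.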