02-19-2013 02:48 AM - edited 03-11-2019 06:02 PM
Allow Source 10.137.10.66 Destination 10.10.24.109 ports 1198,1199,5445,5455
How can I add the above ports in an access list?
# access-list secure_access extended permit tcp object-group xxxx host xxxxx (ports??)
1. How can I create an object group for multiple ports?
2. What if I don't create an object group for multiple ports?
Thanks
Any PDF on how to add multiple ports and make groups in an extended access list will be much appreciated :)
Sent from Cisco Technical Support iPhone App
02-19-2013 03:27 AM
Hi,
If, for example, you wanted to group the above ports and the ports used were TCP, then you could use the following configuration on an ASA firewall:
object-group service SERVICES-TCP tcp
port-object range 1198 1199
port-object eq 5445
port-object eq 5455
access-list TEST extended permit tcp host 10.137.10.66 host 10.10.24.109 object-group SERVICES-TCP
When we look at the above ACL rule with the "show access-list TEST" command:
ASA(config)# sh access-list TEST
access-list TEST; 3 elements; name hash: 0xd37fdb2b
access-list TEST line 1 extended permit tcp host 10.137.10.66 host 10.10.24.109 object-group SERVICES-TCP
access-list TEST line 1 extended permit tcp host 10.137.10.66 host 10.10.24.109 range 1198 1199 (hitcnt=0)
access-list TEST line 1 extended permit tcp host 10.137.10.66 host 10.10.24.109 eq 5445 (hitcnt=0) 0x81df9a21
access-list TEST line 1 extended permit tcp host 10.137.10.66 host 10.10.24.109 eq 5455 (hitcnt=0) 0x08e8f13d
Optionally, without using any object-groups, you would simply have to write every line:
access-list TEST extended permit tcp host 10.137.10.66 host 10.10.24.109 eq 1198
access-list TEST extended permit tcp host 10.137.10.66 host 10.10.24.109 eq 1199
access-list TEST extended permit tcp host 10.137.10.66 host 10.10.24.109 eq 5445
access-list TEST extended permit tcp host 10.137.10.66 host 10.10.24.109 eq 5455
- Jouni
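As an added example (not code from the thread or from Cisco), here is a small Python script that expands an ACE referencing a service object-group into the per-port lines the ASA prints for "show access-list", which is handy when auditing what a group-based rule actually permits. The ASA_CONFIG string is constructed from the configuration in the answer above; only "eq" and "range" port-objects are handled.

```python
import re
from typing import Dict, List

# Constructed sample: the object-group and ACE from the answer above,
# in running-config form (port-object lines indented under the group).
ASA_CONFIG = """\
object-group service SERVICES-TCP tcp
 port-object range 1198 1199
 port-object eq 5445
 port-object eq 5455
access-list TEST extended permit tcp host 10.137.10.66 host 10.10.24.109 object-group SERVICES-TCP
"""

GROUP_RE = re.compile(r"object-group service (\S+) (tcp|udp|tcp-udp)$")
PORT_RE = re.compile(r"port-object (eq \d+|range \d+ \d+)$")
# The trailing "object-group NAME" must be the last token pair, so this
# matches the destination-port group even if the source is also a group.
ACE_RE = re.compile(r"(access-list \S+ extended (?:permit|deny) \S+ .+?) object-group (\S+)$")


def parse_service_groups(config: str) -> Dict[str, List[str]]:
    """Map each service object-group name to its list of port-objects."""
    groups: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := GROUP_RE.match(line):
            current = m.group(1)
            groups[current] = []
        elif (m := PORT_RE.match(line)) and current is not None:
            groups[current].append(m.group(1))
        else:
            current = None  # any other line ends the object-group block
    return groups


def expand_acl(config: str) -> List[str]:
    """Return one ACE per port-object, as 'show access-list' would display them
    (hit counters and hashes omitted)."""
    groups = parse_service_groups(config)
    expanded: List[str] = []
    for raw in config.splitlines():
        if m := ACE_RE.match(raw.strip()):
            prefix, name = m.groups()
            if name not in groups:
                raise ValueError(f"ACE references undefined object-group {name}")
            expanded.extend(f"{prefix} {port}" for port in groups[name])
    return expanded


if __name__ == "__main__":
    for ace in expand_acl(ASA_CONFIG):
        print(ace)
```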