usmanghani255
Beginner

multiple ports in extended access list

Allow Source 10.137.10.66 Destination 10.10.24.109 ports 1198,1199,5445,5455

How can I add the above ports to the access list?

# access-list secure_access extended permit tcp object-group xxxx host xxxxx (ports??)

1. How can I create an object group for multiple ports?
2. How would I do it if I don't create an object group for multiple ports?

Thanks
Any PDF on how to add multiple ports and make groups in an extended access list would be much appreciated :)


Accepted Solution
Jouni Forss
Mentor

Hi,

If, for example, you wanted to group the above ports, and the ports used were TCP, then you could use the following configuration on an ASA firewall:

object-group service SERVICES-TCP tcp
 port-object range 1198 1199
 port-object eq 5445
 port-object eq 5455

access-list TEST extended permit tcp host 10.137.10.66 host 10.10.24.109 object-group SERVICES-TCP

When we look at the above ACL rule with the "show access-list TEST" command, we see:

ASA(config)# sh access-list TEST
access-list TEST; 3 elements; name hash: 0xd37fdb2b
access-list TEST line 1 extended permit tcp host 10.137.10.66 host 10.10.24.109 object-group SERVICES-TCP
  access-list TEST line 1 extended permit tcp host 10.137.10.66 host 10.10.24.109 range 1198 1199 (hitcnt=0)
  access-list TEST line 1 extended permit tcp host 10.137.10.66 host 10.10.24.109 eq 5445 (hitcnt=0) 0x81df9a21
  access-list TEST line 1 extended permit tcp host 10.137.10.66 host 10.10.24.109 eq 5455 (hitcnt=0) 0x08e8f13d

Alternatively, without using any object-groups, you would simply have to write every line:

access-list TEST extended permit tcp host 10.137.10.66 host 10.10.24.109 eq 1198
access-list TEST extended permit tcp host 10.137.10.66 host 10.10.24.109 eq 1199
access-list TEST extended permit tcp host 10.137.10.66 host 10.10.24.109 eq 5445
access-list TEST extended permit tcp host 10.137.10.66 host 10.10.24.109 eq 5455

- Jouni
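As an added example (not part of the original thread or any Cisco tool), the following Python script parses the object-group and ACL from the answer above, expands them into the individual elements that "show access-list" displays, and evaluates which ports are permitted with first-match semantics and an implicit deny. It assumes numeric TCP ports and host-to-host ACEs only; the config text is the constructed sample from this thread.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the object-group and ACL line from the accepted answer.
ASA_CONFIG = """
object-group service SERVICES-TCP tcp
 port-object range 1198 1199
 port-object eq 5445
 port-object eq 5455
access-list TEST extended permit tcp host 10.137.10.66 host 10.10.24.109 object-group SERVICES-TCP
"""

@dataclass(frozen=True)
class Ace:
    """One expanded access-control element (a single port or port range)."""
    action: str
    src: str
    dst: str
    lo: int
    hi: int

def parse_asa(config: str) -> tuple[dict[str, list[tuple[int, int]]], list[Ace]]:
    """Collect tcp service object-groups, then expand ACL lines into ACEs."""
    groups: dict[str, list[tuple[int, int]]] = {}
    aces: list[Ace] = []
    current: list[tuple[int, int]] | None = None   # object-group being filled
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.fullmatch(r"object-group service (\S+) tcp", line):
            current = groups.setdefault(m.group(1), [])
        elif (m := re.fullmatch(r"port-object eq (\d+)", line)) and current is not None:
            current.append((int(m.group(1)), int(m.group(1))))
        elif (m := re.fullmatch(r"port-object range (\d+) (\d+)", line)) and current is not None:
            current.append((int(m.group(1)), int(m.group(2))))
        elif m := re.fullmatch(r"access-list \S+ extended (permit|deny) tcp host (\S+) host (\S+) (.+)", line):
            current = None
            action, src, dst, svc = m.groups()
            parts = svc.split()
            if parts[0] == "object-group":          # expands to one ACE per port-object
                ranges = groups[parts[1]]
            elif parts[0] == "eq":
                ranges = [(int(parts[1]), int(parts[1]))]
            else:                                   # "range A B"
                ranges = [(int(parts[1]), int(parts[2]))]
            aces.extend(Ace(action, src, dst, lo, hi) for lo, hi in ranges)
    return groups, aces

def permitted(aces: list[Ace], src: str, dst: str, port: int) -> bool:
    """First matching ACE decides; no match means the ASA's implicit deny."""
    for a in aces:
        if a.src == src and a.dst == dst and a.lo <= port <= a.hi:
            return a.action == "permit"
    return False
```

Expanding the ACL this way is a quick audit of what an object-group actually opens, mirroring the "3 elements" count the ASA reports.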
