Solved: multiple ports in extended access list

usmanghani255 · ‎02-19-2013

Allow Source 10.137.10.66 Destination 10.10.24.109 ports 1198,1199,5445,5455

How I can add above ports in access list ??

# access-list secure_access extended permit tcp object-group xxxx host xxxxx (ports??)

1. How I can create object group for multiple ports?
2. How if I don't create object group for multiple ports?

Thanks
Any PDF for how to add multiple ports and make groups in extended access list will be much appreciated :)

Sent from Cisco Technical Support iPhone App

Jouni Forss · ‎02-19-2013

Hi,

If you for example wanted to group the above ports and the ports used were TCP then you could use the following configuration on an ASA firewall

object-group service SERVICES-TCP tcp

port-object range 1198 1199

port-object eq 5445

port-object eq 5455

access-list TEST extended permit tcp host 10.137.10.66 host 10.10.24.109 object-group SERVICES-TCP

When we look at the above ACL rule with "show access-list TEST" command

ASA(config)# sh access-list TEST

access-list TEST; 3 elements; name hash: 0xd37fdb2b

access-list TEST line 1 extended permit tcp host 10.137.10.66 host 10.10.24.109 object-group SERVICES-TCP

access-list TEST line 1 extended permit tcp host 10.137.10.66 host 10.10.24.109 range 1198 1199 (hitcnt=0)

access-list TEST line 1 extended permit tcp host 10.137.10.66 host 10.10.24.109 eq 5445 (hitcnt=0) 0x81df9a21

access-list TEST line 1 extended permit tcp host 10.137.10.66 host 10.10.24.109 eq 5455 (hitcnt=0) 0x08e8f13d

Optionally without using any object-groups then you would have to simply write every line

access-list TEST extended permit tcp host 10.137.10.66 host 10.10.24.109 eq 1198

access-list TEST extended permit tcp host 10.137.10.66 host 10.10.24.109 eq 1199

access-list TEST extended permit tcp host 10.137.10.66 host 10.10.24.109 eq 5445

access-list TEST extended permit tcp host 10.137.10.66 host 10.10.24.109 eq 5455

- Jouni

View solution in original post

Jouni Forss · ‎02-19-2013