I am trying to set up some rules on the ASA firewall to allow remote access to our network and am making some service object groups. If I set up an object group like this:
object-group service View_DT_Svc_TCP tcp
 description TCP Ports needed to connect from Security server to View Desktops
 port-object eq 3389
 port-object eq 32111
 port-object eq 9427
object-group service View_DT_Svc tcp-udp
 description Ports needed to connect from Security server to View Desktops
 port-object eq 4172
 group-object View_DT_Svc_TCP
will the ports 3389, 32111, 9427 be limited to TCP only, or will they have UDP access since they are referenced in a tcp-udp service object? I want those ports limited to TCP only, but port 4172 needs to be tcp-udp and I don’t want to have to write one group for TCP, one group for UDP and then one non-specific group to combine the other two like this:
object-group service View_DT_Svc_TCP tcp
 description TCP Ports needed to connect from Security server to View Desktops
 port-object eq 3389
 port-object eq 32111
 port-object eq 9427
 port-object eq 4172
object-group service View_DT_Svc_UDP udp
 description UDP Ports needed to connect from Security server to View Desktops
 port-object eq 4172
object-group service View_DT_Svc
 description Ports needed to connect from Security server to View Desktops
 group-object View_DT_Svc_TCP
 group-object View_DT_Svc_UDP
Which way of doing things is better?
Thanks