594 Views · 0 Helpful · 4 Replies

Service object creation

Eric Washington
Level 1

I was asked to create rules with the following TCP ports: 41000, 41002, 41025. Since these ports did not exist, I just created new TCP service objects. The issue is I put those ports as both the source port/range and the destination port/range in the Add Service Object box.

I feel like I already know the question before I ask it, but should I have used "default (1 - 65535)" in the source port/range field just like the other TCP ports?

I've attached a snapshot of the Add Service Object box.

Thanks in advance!

Regards,

The Rookie


4 Replies

Jouni Forss
VIP Alumni

Hi,

Personally I never configure any ACL rules or NAT configuration on the ASDM.

I assume that you are trying to configure an "object service" to the destination ports that you are going to allow in some ACL?

If this is correct then I would assume that you just define the destination port section of the "object service" configuration and leave the source section blank, as we don't want to define the source port range.

The "object service" lets you define both the source and destination port under the same "object service" but I don't find it that useful.

I usually configure all the ports I need either inside "object-group service" or "object service" and only define the destination port, as that is usually the one we are more interested in.

Hope this helps

- Jouni

Thanks for your quick reply Jouni!

I plan on using these service ports in ASA firewall access rules. I'm using ASDM because I have a higher priv level there than I do in putty.

If I understand you correctly then it isn't necessary for me to define a source, correct? And even if it isn't necessary, would it be wrong to put the source as default (1 - 65535)?

I'm starting to think making the source & destination port the same was incorrect.

Hi,

Generally we don't know what the source port of the incoming connection is, so there is no real reason to define it. Naturally you could configure the range you describe, but I feel it doesn't add anything to the access rules other than make them more complicated in the long run.

So if you are making "object service" for ACLs then I would suggest just sticking to using the destination port section and leaving the source section blank, UNLESS you specifically want to limit the source port for some connection, but I can't see very many situations where you would need to go so far.

I have seen a couple of situations where people have used ASDM and have probably been misled into defining their destination port in both of the fields, which has in the end caused their ACL rules to be wrong and the connections to be blocked by the ACL, since there is only a single source port from which the connections are allowed. And that doesn't make any sense.

- Jouni
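The failure mode Jouni describes in both replies (a service object with the application port in the source field as well as the destination field only matches clients that happen to pick that exact source port) can be shown with a small model. The following is an added example, not code from this thread or from Cisco: it models a TCP service object as ASDM's "Add Service Object" dialog presents it, builds the three objects from the question both the misconfigured way and the recommended way, and counts how many connections from clients using ordinary ephemeral source ports an access rule built from each set would permit. The object names `TCP_41000` etc. and the `to_cli()` rendering of the equivalent `object service` lines are my assumptions, not configuration taken from the thread.

```python
import random
from dataclasses import dataclass

# Constructed model, not ASA code: a TCP service object as ASDM's
# "Add Service Object" dialog presents it, with a source port range and a
# destination port range (inclusive low/high tuples).
ANY_PORT = (1, 65535)  # ASDM's "default (1 - 65535)", i.e. a blank source field


@dataclass(frozen=True)
class TcpServiceObject:
    name: str
    dst_ports: tuple            # (low, high), inclusive
    src_ports: tuple = ANY_PORT  # leaving the source field at the default

    def matches(self, src_port: int, dst_port: int) -> bool:
        """True if a TCP segment with these ports falls inside BOTH ranges."""
        return (self.src_ports[0] <= src_port <= self.src_ports[1]
                and self.dst_ports[0] <= dst_port <= self.dst_ports[1])

    def to_cli(self) -> str:
        """Approximate ASA 'object service' CLI for this object (assumed syntax)."""
        def spec(low, high):
            return f"eq {low}" if low == high else f"range {low} {high}"
        parts = ["service tcp"]
        if self.src_ports != ANY_PORT:
            parts.append("source " + spec(*self.src_ports))
        parts.append("destination " + spec(*self.dst_ports))
        return f"object service {self.name}\n " + " ".join(parts)


APP_PORTS = (41000, 41002, 41025)  # the ports from the question

# As created in the question: the same port typed into BOTH fields.
MISCONFIGURED = tuple(TcpServiceObject(f"TCP_{p}", (p, p), (p, p)) for p in APP_PORTS)
# As recommended in the replies: destination port only, source left at the default.
CORRECTED = tuple(TcpServiceObject(f"TCP_{p}", (p, p)) for p in APP_PORTS)


def acl_permits(objects, src_port: int, dst_port: int) -> bool:
    """An access rule built from these objects permits the segment if any object matches."""
    return any(o.matches(src_port, dst_port) for o in objects)


def permitted_connections(objects, dst_port: int, trials: int = 1000, seed: int = 7) -> int:
    """Simulate clients whose OS picks an ephemeral source port (49152-65535) and
    count how many of their connections to dst_port the rule would permit."""
    rng = random.Random(seed)
    return sum(acl_permits(objects, rng.randint(49152, 65535), dst_port)
               for _ in range(trials))


if __name__ == "__main__":
    for label, objs in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        n = permitted_connections(objs, 41000)
        print(f"{label}: {n}/1000 client connections to TCP/41000 permitted")
        print(objs[0].to_cli())
```

Running it shows the corrected objects permit every simulated connection to 41000, while the misconfigured ones permit none, because a client's source port is almost never the application port itself. The only segment the misconfigured object admits is one whose source port is also 41000, which is exactly the "single source port" case described above.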

Thanks again! This info is very helpful.

Learn something new everyday
