06-12-2013 12:20 PM - edited 03-11-2019 06:56 PM
I was asked to create rules with the following TCP ports: 41000, 41002, 41025. Since these ports did not exist, I just created new TCP service objects. The issue is I put those ports as source port/range and destination port/range in the Add Service Object box.
I feel like I already know the question before I ask it, but should I have used "default (1 - 65535)" in the source port/range field just like the other TCP ports?
I've attached a snapshot of the Add Service Object box.
Thanks in advance!
Regards,
The Rookie
06-12-2013 12:25 PM
Hi,
Personally I never configure any ACL rules or NAT configuration on the ASDM.
I assume that you are trying to configure an "object service" for the destination ports that you are going to allow in some ACL?
If this is correct then I would assume that you just define the destination port section of the "object service" configuration and leave the source section blank, as we don't want to define the source port range.
The "object service" lets you define both the source and destination port under the same "object service", but I don't find it that useful.
I usually configure all the ports I need either inside "object-group service" or "object service" and only define the destination port, as that is usually the one we are more interested in.
Hope this helps
- Jouni
06-12-2013 12:47 PM
Thanks for your quick reply Jouni!
I plan on using these service ports in ASA firewall access rules. I'm using ASDM because I have a higher priv level there than I do in putty.
If I understand you correctly then it isn't necessary for me to define a source, correct? And even if it isn't necessary, would it be wrong to put the source as default (1 - 65535)?
I'm starting to think making the source & destination port the same was incorrect.
06-12-2013 12:52 PM
Hi,
Generally we don't know what the source port of the incoming connection is, so there is no real reason to define it. Naturally you could configure the range you describe, but I feel it doesn't add anything to the access rules other than making them more complicated in the long run.
So if you are making an "object service" for ACLs then I would suggest just sticking to using the destination port section and leaving the source section blank, UNLESS you specifically want to limit the source port for some connection, but I can't see very many situations where you would need to go so far.
I have seen a couple of situations where people have used ASDM and have probably been misled into defining their destination port in both of the fields, which has in the end caused their ACL rules to be wrong and the connections to be blocked by the ACL, since there is only a single source port from which the connections are allowed. And that doesn't make any sense.
- Jouni
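As an added illustration of the point made above (not part of the original thread), this is how the two variants of the ASDM "Add Service Object" choice look in ASA CLI (8.3+ object syntax). The object and ACL names, the interface name and the 192.0.2.10 host are constructed placeholders.

```text
! Constructed example, not from the thread.

! WRONG: port 41000 entered in both the source and the destination field.
! The ACL then only matches clients whose ephemeral source port happens to
! be 41000, so practically every connection to 41000 is dropped.
object service TCP-41000-BAD
 service tcp source eq 41000 destination eq 41000

! RIGHT: destination port only; the source port is left at the default (any).
object service TCP-41000
 service tcp destination eq 41000

! The three requested ports grouped as a TCP port group (destination ports only).
object-group service CUSTOM-TCP-PORTS tcp
 port-object eq 41000
 port-object eq 41002
 port-object eq 41025

! Access rule: any source port, the three destination ports, one server (placeholder address).
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 object-group CUSTOM-TCP-PORTS
access-group OUTSIDE_IN in interface outside
```

After applying the rule, `show access-list OUTSIDE_IN` shows a hit count per expanded entry; a rule built from the source-and-destination object stays at zero hits while clients are being blocked, which is the symptom described above.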
06-12-2013 12:57 PM
Thanks again! This info is very helpful.
Learn something new every day.