Something similar to Object-Groups but for ports? (need to be used on an ACL)

Hello community!

I'm pretty new when it comes to firewalls, but I have some experience with routers and switches so I'm not completely lost.

Pretty much all of us know that an object-group is a big bucket to throw things into and then manage them as a single group, which comes in handy for many reasons... so is there something similar that we can use on an ACL for ports?

So, let say that I want to allow the following ports:

  • 80
  • 443
  • 25
  • 30500
  • 20500
  • 8080
  • 14600
  • 21
  • 753
  • 22

And instead of doing something like this:

access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 80
access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 443
access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 25
access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 30500
access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 20500
access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 8080
access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 14600
access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 21
access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 753
access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq 22

do something like:

access-list dmz_access_in extended permit tcp host WEB host EXT-WEB eq PORT_LIST1

Thank you!!

PS: Please excuse me if any of the ports above is not TCP, it's just an example... I just started typing all the numbers that came to my head.

Accepted Solution

Sean Oskar
Level 1

Hi Rolando,

On an ASA, you can combine protocols and source/destination-based services in a service-based object-group. Your example would look like this:

object-group service PORT_LIST1
 service-object tcp destination range 21 22
 service-object tcp destination eq 25
 service-object tcp destination eq 80
 service-object tcp destination eq 443
 service-object tcp destination eq 753
 service-object tcp destination eq 8080
 service-object tcp-udp destination eq 14600
 service-object tcp destination eq 20500
 service-object tcp destination eq 30500

You can also embed groups:

object-group service WEB_PORTS
 service-object tcp destination eq 80
 service-object tcp destination eq 443
object-group service PORT_LIST1
 group-object WEB_PORTS
 service-object ...

This type of group goes where the protocol is specified in the ACL:

access-list dmz_access_in extended permit object-group PORT_LIST1 object HOST object EXT-WEB
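Added example, not from the thread or from Cisco: a small Python checker that flattens a service object-group, nested group-object members included, into the exact (protocol, port) pairs it permits and compares them with the list the ACL was meant to allow. The configuration text is constructed from the answer above; run on it, the check reports that `tcp-udp ... eq 14600` also opens UDP 14600, which was not in the original TCP-only list.

```python
import re
# Constructed sample: the nested groups from the answer above, as one config fragment.
ASA_CONFIG = """object-group service WEB_PORTS
 service-object tcp destination eq 80
 service-object tcp destination eq 443
object-group service PORT_LIST1
 group-object WEB_PORTS
 service-object tcp destination range 21 22
 service-object tcp destination eq 25
 service-object tcp destination eq 753
 service-object tcp destination eq 8080
 service-object tcp-udp destination eq 14600
 service-object tcp destination eq 20500
 service-object tcp destination eq 30500
"""
MEMBER = re.compile(r"service-object (tcp-udp|tcp|udp) destination (eq|range) (\d+)(?: (\d+))?")

def parse_service_groups(config):
    """Map each 'object-group service' name to its member lines."""
    groups, current = {}, None
    for line in (ln.strip() for ln in config.splitlines() if ln.strip()):
        m = re.match(r"object-group service (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
    return groups

def expand_group(name, groups, path=()):
    """Flatten a group, following group-object nesting, into (proto, port) pairs."""
    if name in path:  # the ASA rejects cycles, but a hand-edited config dump may not
        raise ValueError(f"cyclic group-object reference at {name}")
    services = set()
    for line in groups[name]:
        if line.startswith("group-object "):
            services |= expand_group(line.split()[1], groups, path + (name,))
            continue
        m = MEMBER.match(line)
        if m:  # other forms (icmp, source ports, ...) are not modelled here
            protos = ("tcp", "udp") if m.group(1) == "tcp-udp" else (m.group(1),)
            low = int(m.group(3))
            high = int(m.group(4)) if m.group(2) == "range" else low
            services.update((p, port) for p in protos for port in range(low, high + 1))
    return services

def unexpected_services(group, config, intended):
    """Services the group permits beyond the intended set; empty means it is tight."""
    return sorted(expand_group(group, parse_service_groups(config)) - set(intended))

INTENDED = {("tcp", p) for p in (80, 443, 25, 30500, 20500, 8080, 14600, 21, 753, 22)}  # the question's list
```

`unexpected_services("PORT_LIST1", ASA_CONFIG, INTENDED)` returns `[("udp", 14600)]`; the same check run after each object-group edit catches a range that silently widens the ACL.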

Awesome!! Thank you so much Sean.

Rolando Valenzuela.