Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3174
Views
10
Helpful
2
Replies

Syntax for access list object group tcp-udp

Communications
Level 1
Level 1

‎09-26-2007 04:10 AM - edited ‎03-11-2019 04:17 AM

Hi

I have a number of object groups set-up on a PIX and I have a question regarding the access-list syntax

object-group service Oracle_forms tcp-udp

description Oracle Forms Ports

port-object range 9000 9010

access-list outside_cryptomap_1 permit tcp object-group Sever_Access object-group Server_VPN object-group Oracle_forms

The other object-groups are defined bu where the service group details a range of ports which may be TCP and or UDP should the access list reflect that is permit TCP correct given that the object-service group contains both UDP TCP ports?

Thanks

Labels:
0 Helpful
2 Replies 2

ajagadee
Cisco Employee
Cisco Employee

‎09-26-2007 07:09 AM

Hi,

Even though you have both TCP and UDP Port Range defined in the Ojbject-Group called Oracle_forms, the Access-list "outside_cryptomap_1" is permitting only TCP which is OK as far as you want to permit only TCP.

If you want to permit only UDP, then the access-list entry for "outside_cryptomap_1" should be "access-list outside_cryptomap_1 permit udp object-group Sever_Access object-group Server_VPN object-group Oracle_forms"

If you want to permit both TCP and UDP, then you need two access-list.

access-list outside_cryptomap_1 permit tcp object-group Sever_Access object-group Server_VPN object-group Oracle_forms

access-list outside_cryptomap_1 permit udp object-group Sever_Access object-group Server_VPN object-group Oracle_forms

The idea behind service object group with option tcp-udp in object-group command is

that we don't need to specify object-group command separately for tcp and udp. Its just to avoid duplication of effort. If we don't use tcp-udp we need to specify 2 service object groups one for tcp and one for udp.

For example,

object-group service TCP-PORTS tcp

port-object range 9000 9010

object-group service UDP-PORTS udp

port-object range 9000 9010

I hope it helps.

Regards,

Arul

** Please rate all helpful posts **

Communications
Level 1
Level 1
In response to ajagadee

‎09-26-2007 10:25 PM

Hi Arul

Thanks you confirmed my thoughts not having used this feature before.

Regards Mike

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card