06-17-2008 02:17 AM - last edited on 03-25-2019 05:40 PM by ciscomoderator
Hi
I use a Cisco ASDM 5.2F for ASDM.
There is the possibility of defining TCP-UDP Service Groups. What's the use of this? I've tried it out and failed. Whenever you create an access rule you have to define either whether it's TCP or UDP (or IP, or ICMP). If you define an access rule for TCP then the UDP protocols won't work and vice versa.
I've successfully been using TCP-UDP-Groups on Checkpoint Firewalls, but in Cisco ASDM it seems futile.
06-17-2008 02:37 AM
This feature was introduced 'in parity' with Checkpoint only, as per the ASA 8.0 TAC training.
I'm not really that good with ASDM, but here is how you can configure them on the CLI (and no, they are not futile; pretty useful actually):
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml#serv
Note: Enhanced service object-groups were introduced with the release of software version 8.0. Enhanced service object-groups enable the ASA/PIX to combine IP protocols together in the same service group, which eliminates the need for protocol- and icmp-type-specific object groups. The protocol type must not be specified in order to configure an enhanced service object-group.
Btw, are you using an ASA or a FWSM? Isn't ASDM 5.2F supposed to be for the FWSM?
Regards
Farrukh
06-17-2008 02:44 AM
Thanks a lot, and yes, of course I'm using ASDM on top of a FWSM.
I'll try and configure it on the CLI.
06-17-2008 03:32 AM
I'm sorry I did not read your post carefully the first time. I don't think the feature mentioned in the link is supported on the FWSM.
Regarding what you are trying to achieve, this is from one of my earlier posts:
When you define the object-group using the tcp-udp keyword, there is no real security issue here. Because a service-type object-group just defines the ports, you would still need two separate ACLs here, for example:
access-list 100 permit tcp any host 5.5.5.5 object-group ntp
access-list 100 permit udp any host 5.5.5.5 object-group ntp
Of course you could make a separate protocol object-group to combine both tcp and udp into one (I do this at work), for example:
object-group protocol TCP-UDP
protocol-object udp
protocol-object tcp
This would make above ACL like this:
access-list 100 permit object-group TCP-UDP any host 5.5.5.5 object-group ntp
HTH
Regards
Farrukh
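An added illustration, not part of the thread and not Cisco code: a small Python model of how the firewall expands the two forms above into per-protocol entries, roughly the way `show access-list` lists them. The two configuration snippets are constructed from the lines in the reply; the expander only understands the constructs used here (a `tcp-udp` service group with `port-object`, a protocol object-group, and `access-list ... permit` lines), and its rejection of a mismatched protocol is an assumption about ASA/FWSM behaviour, not a parsed error message.

```python
"""Expand a tiny subset of ASA/FWSM object-group syntax into per-protocol ACEs.

Added example for this thread, not Cisco code. It models only the three
constructs used in the reply above and ignores everything else.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Well-known names the ASA accepts in place of port numbers (tiny subset).
PORT_NAMES = {"ntp": 123, "domain": 53, "www": 80}

ACE = Tuple[str, str, int]  # (protocol, destination host, destination port)


@dataclass
class ServiceGroup:
    proto: str                       # "tcp", "udp" or "tcp-udp"
    ports: List[int] = field(default_factory=list)


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse(config: str):
    """Return (service groups, protocol groups, access-list lines)."""
    service: Dict[str, ServiceGroup] = {}
    protocol: Dict[str, List[str]] = {}
    acls: List[Tuple[str, List[str]]] = []
    current = None  # (kind, name) of the object-group whose members follow
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "object-group" and t[1] == "service":
            current = ("service", t[2])
            service[t[2]] = ServiceGroup(t[3])
        elif t[0] == "object-group" and t[1] == "protocol":
            current = ("protocol", t[2])
            protocol[t[2]] = []
        elif t[0] == "port-object" and current and current[0] == "service":
            service[current[1]].ports.append(_port(t[2]))       # port-object eq <port>
        elif t[0] == "protocol-object" and current and current[0] == "protocol":
            protocol[current[1]].append(t[1])                    # protocol-object <proto>
        elif t[0] == "access-list":
            current = None
            acls.append((t[1], t[2:]))
    return service, protocol, acls


def expand(config: str) -> Dict[str, List[ACE]]:
    """Expand each access-list into the (proto, dst, port) entries it really matches."""
    service, protocol, acls = parse(config)
    out: Dict[str, List[ACE]] = {}
    for name, t in acls:
        # t is ["permit", <proto | object-group NAME>, "any", "host", IP, "object-group", SVC]
        assert t[0] == "permit"
        if t[1] == "object-group":
            protos, rest = protocol[t[2]], t[3:]
        else:
            protos, rest = [t[1]], t[2:]
        dst = rest[2]
        svc = service[rest[4]]
        for p in protos:
            # A tcp-udp service group only contributes entries for the protocol(s)
            # the ACL names; a single-protocol group used with the other protocol
            # is rejected (assumed to mirror the firewall refusing the line).
            if svc.proto != "tcp-udp" and svc.proto != p:
                raise ValueError(f"service group {rest[4]} is {svc.proto}, ACL says {p}")
            for port in svc.ports:
                out.setdefault(name, []).append((p, dst, port))
    return out


# Constructed samples mirroring the thread: the same tcp-udp service group used two ways.
SINGLE_PROTOCOL = """\
object-group service ntp tcp-udp
 port-object eq 123
access-list 100 permit tcp any host 5.5.5.5 object-group ntp
"""

PROTOCOL_GROUP = """\
object-group service ntp tcp-udp
 port-object eq 123
object-group protocol TCP-UDP
 protocol-object udp
 protocol-object tcp
access-list 100 permit object-group TCP-UDP any host 5.5.5.5 object-group ntp
"""

if __name__ == "__main__":
    for label, cfg in (("permit tcp only", SINGLE_PROTOCOL), ("protocol object-group", PROTOCOL_GROUP)):
        print(label)
        for proto, dst, port in expand(cfg)["100"]:
            print(f"   permit {proto} any host {dst} eq {port}")
```

The first snippet expands to a single TCP entry, which is exactly the behaviour the original post ran into; the second yields one UDP and one TCP entry from the same service group, so a port change needs editing only the `ntp` group. Object-group names are case-sensitive on the ASA, so the name in the ACL must match the definition exactly.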