Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1387
Views
0
Helpful
5
Replies

ACL's & object-groups

louis0001
Level 3
Level 3

‎12-01-2018 07:47 AM - edited ‎02-20-2020 09:45 PM

I'm just starting to use object-groups to tidy up some of my ACL's on a router.

Is there any particular reason why you can't use the following:

permit tcp object-group network A object-group service A object-group network B object-group service B ?

Labels:
0 Helpful
5 Replies 5

Rob Ingram
VIP
VIP

‎12-01-2018 08:32 AM

Hi,
You would specify the service group prior to defining the network object-group

 

RTR(config-ext-nacl)#permit ?
  <0-255>       An IP protocol number
  ahp           Authentication Header Protocol
  eigrp         Cisco's EIGRP routing protocol
  esp           Encapsulation Security Payload
  gre           Cisco's GRE tunneling
  icmp          Internet Control Message Protocol
  igmp          Internet Gateway Message Protocol
  ip            Any Internet Protocol
  ipinip        IP in IP tunneling
  nos           KA9Q NOS compatible IP over IP tunneling
  object-group  Service object group

 

Example:-

 

ip access-list extended ACL
 permit object-group SRV_OBJ object-group A object-group B

 

Reference here.

 

HTH

0 Helpful

louis0001
Level 3
Level 3
In response to Rob Ingram

‎12-01-2018 10:58 AM

So if I specify a service group with say www within it, does the service group only apply to the destination in the ACL?

So basically it means:

source ports equal any whilst destination ports equal www?

0 Helpful

louis0001
Level 3
Level 3
In response to louis0001

‎12-01-2018 09:19 PM - edited ‎12-01-2018 09:28 PM

Think I may have found the answer although not sure.

In the object-group service X, there is a source option eg tcp source range 10000 20000 www

which I think would mean allow source tcp 10000-20000 going to 80

 

If no source is entered, I take it would mean that any source port (user ports 1024-49151, dynamic ports 49152-65535) are allowed by default and the service specified eg www would only apply to the destination port?

0 Helpful

Rob Ingram
VIP
VIP
In response to louis0001

‎12-02-2018 05:38 AM

Yes, you'd use the source option to specify source ports. If you want to specify just the destination it would be "tcp/udp eq <port number>". E.g:-

object-group service SVC_OBJ
tcp source range 0 65535
tcp eq www

I imagine if you didn't specify a source port that's equivalent to "any"


0 Helpful

louis0001
Level 3
Level 3
In response to Rob Ingram

‎12-04-2018 12:09 AM

Looking at the CLI, I think you may be able to specify the source ports per line rather than the whole group although I would imagine if you do it the way you have above, that would apply to the whole group.

I take the point about "any" but just what does Cisco mean by any with regards to source ports? I know most programs/apps would not use the source registered ports (with exceptions) so does Cisco literally mean "any" for source ports ie 1 - 65535?

0 Helpful
Customers Also Viewed These Support Documents