Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
582
Views
0
Helpful
3
Replies

example of object-group service for

tonyam98
Level 1
Level 1

‎04-07-2005 12:53 PM - edited ‎03-09-2019 10:52 AM

I would like a example using object-group service using name management

for services : ssh,dns,ntp,ldap,syslog,snmp,smtp

then apply it from lower security30 (dmz1) on 10.30.44.0 to a higher (inside) security100 10.30.31.0

Labels:
0 Helpful
3 Replies 3

mhussein
Level 4
Level 4

‎04-07-2005 02:57 PM

Hi,

I think the object group has to be split since there is a mix of tcp and udp ports involved.

Given these tcp/udp port numbers:

ssh: TCP 22

dns: UDP 53, TCP 53

ntp: UDP 123

ldap: TCP 389

sldap: TCP 636

syslog: UDP 514

snmp: UDP 161, TCP 161

smtp: TCP 25

possible config may look like this:

object-group service mgmt_udp udp

port-object eq 53

port-object eq 123

port-object eq 514

port-object eq 161

object-group service mgmt_tcp tcp

port-object eq 22

port-object eq 53

port-object eq 389

port-object eq 636

port-object eq 161

port-object eq 25

access-list dmz1_to_inside permit udp 10.30.44.0 255.255.255.0 10.30.31.0 255.255.255.0 object-group mgmt_udp

access-list dmz1_to_inside permit tcp 10.30.44.0 255.255.255.0 10.30.31.0 255.255.255.0 object-group mgmt_tcp

I am not sure if it is possible to combine the 2 object groups into a single object-group service mgmt tcp-udp

and apply it with a single access-list dmz1_to_inside permit ip .... object-group mgmt. I'd be interested to see if that is actually possible.

HTH,

Mustafa

0 Helpful

tonyam98
Level 1
Level 1
In response to mhussein

‎04-07-2005 05:50 PM

you can do this so you don't have to split

object-group protocol typeofprotocol

protocol-object tcp

protocol-object udp

S# exit

S# object-group service management tcp-udp

port-object eq 22

port-object eq 53

port-object eq 123

port-object eq 389

port-object eq 514

port-object eq 161

port-object eq 25

0 Helpful

mhussein
Level 4
Level 4
In response to tonyam98

‎04-07-2005 09:59 PM

The drawback of using "tcp-udp" service group is that both ports for tcp and udp are opened at the same time. E.g, "port-object eq 22" opens both ssh, and port 22/UDP. This is definitely less secure than using 2 different service groups; one for tcp, and one for udp.

The interesting question would be: is it possible to nest a udp group into a tcp group? E.g in the config above:

object-group service mgmt_udp udp

port-object eq 53

port-object eq 123

port-object eq 514

port-object eq 161

object-group service mgmt_tcp tcp

port-object eq 22

port-object eq 53

port-object eq 389

port-object eq 636

port-object eq 161

port-object eq 25

object-group mgmt_udp

0 Helpful
Customers Also Viewed These Support Documents