I would like to create an "object-group service" and would like to define only the destination ports as shown below.
object-group service web-ports
service-object tcp destination eq 80
service-object tcp destination eq 443
But I do not get the same options as shown above. I do not want' to define the source port, I only want to define the Destination port.
ASR_1000(config)#object-group service web-ports
IPv4 Service object group configuration commands:
<0-255> An IP protocol number
ahp Authentication Header Protocol
description Service object group description
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
exit Exit from object-group configuration mode
gre Cisco's GRE tunneling
group-object Nested object group
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
no Negate or set default values of a command
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
tcp-udp TCP or UDP protocol
udp User Datagram Protocol
Any advice will be highly appreciated.
why not create service object and use as mentioned below example :
if this is not you looking what you looking - give more example
My requirement is to configure a service object that has only defined a set of Destination Ports.
So I can use this to restrict what traffic is allowed (depending on the destination Ports).
This "object-group service XX" will be a global object that will be used by many ACLs.
Following is a similar setup from a Huawei Device. I would like to configure something similar on the Cisco ASR 1000.
ip service-set VPN type object
service 0 protocol udp destination-port 1194
service 1 protocol udp destination-port 1195
service 2 protocol udp destination-port 1196
I hope my question is clear for you!.
Thank you for that.
Let's say we create a "object-group service XXX" with some ports defined.
But It doesn't let me use that on an ACL as the destination port set.
My reequipment is to create a "object-group service XXX" with a set of port numbers. And multiple "object-group network XX" to define the internal IP blocks.
So in return - I should be able to define what source objects are allowed to access the destination service objects (ports)
ASR(config-ext-nacl)#20 permit udp host 10.121.38.0 host 10.113.2.0 eq ?
<0-65535> Port number
biff Biff (mail notification, comsat, 512)
bootpc Bootstrap Protocol (BOOTP) client (68)
bootps Bootstrap Protocol (BOOTP) server (67)
discard Discard (9)
dnsix DNSIX security protocol auditing (195)
domain Domain Name Service (DNS, 53)
echo Echo (7)
isakmp Internet Security Association and Key Management Protocol (500)
mobile-ip Mobile IP registration (434)
nameserver IEN116 name service (obsolete, 42)
netbios-dgm NetBios datagram service (138)
netbios-ns NetBios name service (137)
netbios-ss NetBios session service (139)
non500-isakmp Internet Security Association and Key Management Protocol (4500)
ntp Network Time Protocol (123)
pim-auto-rp PIM Auto-RP (496)
rip Routing Information Protocol (router, in.routed, 520)
ripv6 Routing Information Protocol V6 (router, in.routed, 521)
snmp Simple Network Management Protocol (161)
snmptrap SNMP Traps (162)
sunrpc Sun Remote Procedure Call (111)
syslog System Logger (514)
tacacs TAC Access Control System (49)
talk Talk (517)
tftp Trivial File Transfer Protocol (69)
time Time (37)
who Who service (rwho, 513)
xdmcp X Display Manager Control Protocol (177)