Cisco ASA: Mixing TCP and UDP in Object-Groups

KB ID 0001668

Problem

I like object-groups: they make your firewall configs a lot smaller and neater, and if you need to add a host, network, range, or port, you simply add the new requirement to an existing group. But what if you want to allow both UDP and TCP ports? You can create a service group for TCP and add the ports, create another service group for UDP and add those ports, and then reference them in your ACL where you would expect ports to be (at the end of the ACL), like so;

[box]

!
object-group service Obj-TCP-Ports tcp
 port-object eq www
 port-object eq https
object-group service Obj-UDP-Ports udp
 port-object eq 8080
 port-object eq 8088
!
access-list inbound extended permit tcp any host 192.168.1.10 object-group Obj-TCP-Ports
access-list inbound extended permit udp any host 192.168.1.10 object-group Obj-UDP-Ports
!

[/box]

But that still means creating one group for TCP and another for UDP, right? Well, no: you can mix them in a single group, you just need to move the object-group to a different position in the ACL.

Solution

First, create a service group like this;

[box]

!
object-group service OBJ-Service-Ports
 service-object tcp eq www
 service-object tcp eq https
 service-object udp eq 8080
 service-object udp eq 8088
!

[/box]

Note: What this actually does is create ‘destination port’ objects. If you didn’t already know, when you connect to a web server on port 443 (https), for example, the source port can be any port number; it is the destination port that is 443. (If you’ve ever worked on a Symantec/SEF/Velociraptor firewall this distinction would be more important.)

Then place that service group in the ACL where you would normally specify the PROTOCOL, like so;

[box]

!
access-list inbound permit object-group OBJ-Service-Ports any host 192.168.1.10
!

[/box]

Much simpler!
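To audit what a mixed service group actually permits, here is an added Python example (not from the original article) that parses both ACL styles shown above and expands each access-list line into concrete (host, protocol, destination port) tuples, so you can confirm the single mixed group is equivalent to the TCP-plus-UDP pair. It assumes a short constructed config embedded inline and a small table of ASA well-known port names.

```python
import re
# Constructed sample config (not from the article); it mixes both ACL styles shown above.
SAMPLE_CONFIG = """\
object-group service Obj-TCP-Ports tcp
 port-object eq www
 port-object eq https
object-group service Obj-UDP-Ports udp
 port-object eq 8080
 port-object eq 8088
object-group service OBJ-Service-Ports
 service-object tcp eq www
 service-object tcp eq https
 service-object udp eq 8080
 service-object udp eq 8088
access-list inbound extended permit tcp any host 192.168.1.10 object-group Obj-TCP-Ports
access-list inbound extended permit udp any host 192.168.1.10 object-group Obj-UDP-Ports
access-list inbound permit object-group OBJ-Service-Ports any host 192.168.1.10
"""
# Subset of the ASA's well-known port names; anything else must be numeric.
NAMED_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}

def port_number(token):
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)

def parse_service_groups(config):
    """Map each service object-group name to a list of (protocol, destination port)."""
    groups, current, group_proto = {}, None, None
    for line in config.splitlines():
        if m := re.match(r"object-group service (\S+)(?: (tcp|udp))?$", line):
            current, group_proto = m.group(1), m.group(2)  # proto set only for port-object groups
            groups[current] = []
        elif m := re.match(r"\s+port-object eq (\S+)$", line):
            groups[current].append((group_proto, port_number(m.group(1))))
        elif m := re.match(r"\s+service-object (tcp|udp) eq (\S+)$", line):
            groups[current].append((m.group(1), port_number(m.group(2))))
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the group block
    return groups

def expand_acl(config, groups):
    """Return one set of (dst host, protocol, dst port) per access-list permit line."""
    per_line = []
    for line in config.splitlines():
        # Style 1: protocol keyword, port group at the end (filtered to that protocol).
        if m := re.match(r"access-list \S+ (?:extended )?permit (tcp|udp) any host (\S+) object-group (\S+)$", line):
            proto, host, grp = m.groups()
            per_line.append({(host, p, port) for p, port in groups[grp] if p == proto})
        # Style 2: mixed service group in the protocol slot (every protocol/port it holds).
        elif m := re.match(r"access-list \S+ (?:extended )?permit object-group (\S+) any host (\S+)$", line):
            grp, host = m.groups()
            per_line.append({(host, p, port) for p, port in groups[grp]})
    return per_line
```

Running expand_acl over the sample shows the third line permits exactly the union of the first two.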

Related Articles, References, Credits, or External Links

NA

Cisco ASA – View The Contents of an Object and Object-Group

KB ID 0001043 

Problem

My colleague loves the ASDM; I put up with it and prefer the command line. We were troubleshooting a problem the other day and he said, “There, this is why I prefer the ASDM: just ‘hover’ over an object-group and it will show you the contents of it.”

Now if (like my test firewall above) you only have a few hosts, then I don’t see the point, but if you have a very complicated config with hundreds of object-groups and thousands of hosts, even troubleshooting why host ‘x’ can’t get to server ‘y’ on port ‘z’ can be a painstaking process.

So I dropped to CLI and tried to do the same;

[box]

Petes-ASA(config)# show object-group Obj-ALL-PROD-DMZ
                                   ^

ERROR: % Invalid input detected at '^' marker.

Petes-ASA(config)# show object-group network Obj-ALL-PROD-DMZs
                                           ^

ERROR: % Invalid input detected at '^' marker.

[/box]


Solution

View Contents of an Object Group

It turns out you need to use the ‘id’ parameter, or it won’t work;

[box]

Petes-ASA(config)# show object-group id Obj-ALL-PROD-DMZs
object-group network Obj-ALL-PROD-DMZs
 network-object 192.168.110.0 255.255.255.0
 network-object 192.168.121.0 255.255.255.0
 network-object 192.168.130.0 255.255.255.0
 network-object 192.168.141.0 255.255.255.0
 network-object 192.168.140.0 255.255.255.0
 network-object 192.168.210.0 255.255.255.0
 network-object 192.168.220.0 255.255.255.0
Petes-ASA(config)#

[/box]

I’ve been using that a lot this week.

View Contents of an Object

If you try to do the same for an object, you will get nothing; you need to add the run keyword, as follows;

[box]

Won't Work!
Petes-ASA# show object id Internal_RDP_Server
object-group Internal_RDP_Server does not exist
Petes-ASA#

Use 'run'
Petes-ASA# show run object id Internal_RDP_Server
object network Internal_RDP_Server
 host 192.168.100.10

[/box]

Related Articles, References, Credits, or External Links

Original article written 25/03/15