KB ID 0001668
Problem
I like object-groups: they make your firewall configs a lot smaller and neater, and if you need to add a host, network, range, or port, you simply add the new entry to an existing group. But what if you want to allow both UDP and TCP ports? You can create a service group for TCP and add its ports, create another service group for UDP and add its ports, and then reference each group in its own ACL entry where you would expect the ports to be (at the end of the ACE), like so;
[box]
!
object-group service Obj-TCP-Ports tcp
 port-object eq www
 port-object eq https
object-group service Obj-UDP-Ports udp
 port-object eq 8080
 port-object eq 8088
!
access-list inbound extended permit tcp any host 192.168.1.10 object-group Obj-TCP-Ports
access-list inbound extended permit udp any host 192.168.1.10 object-group Obj-UDP-Ports
!
[/box]
But that still means creating one group for TCP and another for UDP, right? Well, no: you can mix both protocols in a single group; you just need to reference the object-group in a different position in the ACL.
Solution
First, create a service group like this;
[box]
!
object-group service OBJ-Service-Ports
 service-object tcp eq www
 service-object tcp eq https
 service-object udp eq 8080
 service-object udp eq 8088
!
[/box]
Note: each service-object pairs a protocol with a destination port, so 'tcp eq www' matches only TCP traffic to port 80 and 'udp eq 8080' matches only UDP traffic to port 8080; adding 'udp eq 8080' does not also open TCP 8080. If you didn't already know, when you connect to a web server on port 443 (https), for example, the source port can be any (ephemeral) port number; it is the destination port that is 443, and that is the port these objects match. (On ASA 8.3 and later the equivalent object is written 'service-object tcp destination eq www', which makes the destination-port semantics explicit. If you've ever worked on a Symantec/SEF/Velociraptor firewall this distinction will be familiar.)
Then reference that service group in the ACL where you would normally specify the PROTOCOL, like so;
[box]
!
access-list inbound extended permit object-group OBJ-Service-Ports any host 192.168.1.10
!
[/box]
Much simpler!
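To show that the single mixed-protocol group really does produce the same access control as the two protocol-specific groups, and that it does not accidentally open the listed ports on the other protocol, here is an added Python example (not part of the original article, and not a Cisco tool). It parses both forms of configuration from the article, expands each group reference into one entry per element, roughly the way 'show access-list' lists the expanded entries under each configured line, and then answers "is this protocol/destination port permitted?" for a few packets. The sample configuration is constructed for the example; the regexes cover only the 'eq' operator and 'any'/'host' addresses, which is an assumption to keep the example short.

```python
import re

# Constructed sample configuration: the two protocol-specific groups referenced
# in the port position, and the mixed group referenced in the protocol position.
SAMPLE_CONFIG = """
object-group service Obj-TCP-Ports tcp
 port-object eq www
 port-object eq https
object-group service Obj-UDP-Ports udp
 port-object eq 8080
 port-object eq 8088
object-group service OBJ-Service-Ports
 service-object tcp eq www
 service-object tcp eq https
 service-object udp eq 8080
 service-object udp eq 8088
!
access-list two-groups extended permit tcp any host 192.168.1.10 object-group Obj-TCP-Ports
access-list two-groups extended permit udp any host 192.168.1.10 object-group Obj-UDP-Ports
access-list one-group extended permit object-group OBJ-Service-Ports any host 192.168.1.10
"""

# Subset of the well-known port names the ASA accepts in place of numbers.
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "ssh": 22, "domain": 53}

GROUP_RE = re.compile(r"object-group service (\S+)(?: (tcp|udp))?$")
PORT_OBJ_RE = re.compile(r"port-object eq (\S+)$")
SVC_OBJ_RE = re.compile(r"service-object (tcp|udp) eq (\S+)$")
ADDR = r"(?:any|host \S+)"
# Group referenced where the protocol goes (article's "Solution" form).
PROTO_GROUP_ACE = re.compile(
    rf"access-list (\S+) extended (permit|deny) object-group (\S+) ({ADDR}) ({ADDR})$")
# Group referenced where the port goes (article's "Problem" form).
PORT_GROUP_ACE = re.compile(
    rf"access-list (\S+) extended (permit|deny) (tcp|udp) ({ADDR}) ({ADDR}) object-group (\S+)$")


def to_port(token):
    """Resolve a port name or number to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_service_groups(config):
    """Return {group_name: [(protocol, dst_port), ...]}.

    port-objects inherit the protocol given on the object-group line;
    service-objects carry their own protocol on every element."""
    groups, current, group_proto = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            current, group_proto = m.group(1), m.group(2)
            groups[current] = []
            continue
        m = PORT_OBJ_RE.match(line)
        if m and current and group_proto:
            groups[current].append((group_proto, to_port(m.group(1))))
            continue
        m = SVC_OBJ_RE.match(line)
        if m and current:
            groups[current].append((m.group(1), to_port(m.group(2))))
    return groups


def expand_acl(config, groups):
    """Expand every group reference into (acl, action, proto, src, dst, port) tuples,
    one per group element, in configured order."""
    expanded = []
    for raw in config.splitlines():
        line = raw.strip()
        m = PROTO_GROUP_ACE.match(line)
        if m:
            acl, action, group, src, dst = m.groups()
            for proto, port in groups[group]:
                expanded.append((acl, action, proto, src, dst, port))
            continue
        m = PORT_GROUP_ACE.match(line)
        if m:
            acl, action, proto, src, dst, group = m.groups()
            for gproto, port in groups[group]:
                if gproto == proto:  # a tcp port-group only ever yields tcp entries
                    expanded.append((acl, action, proto, src, dst, port))
    return expanded


def permitted(expanded, acl, proto, dst_port):
    """First-match lookup for a packet with this protocol and destination port."""
    for e_acl, action, e_proto, _src, _dst, port in expanded:
        if e_acl == acl and e_proto == proto and port == dst_port:
            return action == "permit"
    return False  # implicit deny at the end of every ASA ACL


if __name__ == "__main__":
    expanded = expand_acl(SAMPLE_CONFIG, parse_service_groups(SAMPLE_CONFIG))
    for entry in expanded:
        print(entry)
    print("one-group tcp/8080 permitted:", permitted(expanded, "one-group", "tcp", 8080))
```

The useful check is the last one: because each service-object binds its own protocol, the mixed group permits udp/8080 and tcp/443 but not tcp/8080 or udp/80, exactly as the two separate groups do.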
Related Articles, References, Credits, or External Links
NA