Cisco ASA: Mixing TCP and UDP in Object-Groups

KB ID 0001668

Problem

I like object-groups: they make your firewall configs a lot smaller and neater, and if you need to add a host, network, range, or port, you simply add the new entry to an existing group. But what if you want to allow both UDP and TCP ports? You can create a service group for the TCP ports and another for the UDP ports, then reference each in its own ACL entry where you would expect ports to be (at the end of the ACE), like so;

[box]

!
object-group service Obj-TCP-Ports tcp
 port-object eq www
 port-object eq https
object-group service Obj-UDP-Ports udp
 port-object eq 8080
 port-object eq 8088
!
access-list inbound extended permit tcp any host 192.168.1.10 object-group Obj-TCP-Ports
access-list inbound extended permit udp any host 192.168.1.10 object-group Obj-UDP-Ports
!

[/box]

But that still means creating one group for TCP and one for UDP, right? Well no, you can mix them in a single group; you just need to move the object-group to a different position in the ACL.

Solution

First create a Service group like this;

[box]

!
object-group service OBJ-Service-Ports
 service-object tcp eq www
 service-object tcp eq https
 service-object udp eq 8080
 service-object udp eq 8088
!

[/box]

Note: What this actually creates is a set of ‘destination port’ objects. If you didn’t already know, when you connect to a web server on port 443 (https), for example, the source port can be any port number; it’s the destination port that is 443. (If you’ve ever worked on a Symantec/SEF/Velociraptor firewall, this distinction is more important.)

Then place that service group in the ACL where you would normally specify the PROTOCOL (not at the end, where the port groups went), like so;

[box]

!
access-list inbound extended permit object-group OBJ-Service-Ports any host 192.168.1.10
!

[/box]

Much simpler!
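A quick way to convince yourself that the single mixed-group ACE permits exactly the same traffic as the two per-protocol ACEs is to expand both configs into explicit (action, protocol, source, destination, destination-port) rules and compare the sets. The Python below is an added example written for this article, not Cisco code and not a tool from the article's author; it parses only the subset of ASA syntax shown on the page (service object-groups with port-object/service-object entries using eq or range, and ACEs whose addresses are any or host). The NAMED_PORTS table and the two config strings are assumptions constructed from the page's own snippets.

```python
# Named ports used in the sample configs (the ASA resolves these itself).
NAMED_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}

# Constructed test input: the two styles of config shown in the article.
TWO_GROUP_STYLE = """
object-group service Obj-TCP-Ports tcp
 port-object eq www
 port-object eq https
object-group service Obj-UDP-Ports udp
 port-object eq 8080
 port-object eq 8088
!
access-list inbound extended permit tcp any host 192.168.1.10 object-group Obj-TCP-Ports
access-list inbound extended permit udp any host 192.168.1.10 object-group Obj-UDP-Ports
"""

MIXED_STYLE = """
object-group service OBJ-Service-Ports
 service-object tcp eq www
 service-object tcp eq https
 service-object udp eq 8080
 service-object udp eq 8088
!
access-list inbound extended permit object-group OBJ-Service-Ports any host 192.168.1.10
"""


def port_number(token):
    return int(token) if token.isdigit() else NAMED_PORTS[token]


def ports_from(tokens):
    """Expand 'eq <port>' or 'range <lo> <hi>' into a list of port numbers."""
    if tokens[0] == "eq":
        return [port_number(tokens[1])]
    if tokens[0] == "range":
        return list(range(port_number(tokens[1]), port_number(tokens[2]) + 1))
    raise ValueError(f"unsupported port operator: {tokens[0]}")


def parse_config(text):
    """Return ({group_name: [(proto, port), ...]}, [ACE token lists])."""
    groups, aces, current, current_proto = {}, [], None, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[:2] == ["object-group", "service"]:
            current = tok[2]
            current_proto = tok[3] if len(tok) > 3 else None  # tcp/udp, or None when mixed
            groups[current] = []
        elif tok[0] == "port-object":  # only legal inside a tcp or udp group
            groups[current] += [(current_proto, p) for p in ports_from(tok[1:])]
        elif tok[0] == "service-object":  # e.g. 'service-object tcp eq www'
            groups[current] += [(tok[1], p) for p in ports_from(tok[2:])]
        elif tok[0] == "access-list":
            aces.append(tok)
    return groups, aces


def parse_addr(tok, i):
    """Consume 'any' or 'host <ip>' at tok[i]; other address forms are out of scope here."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tok[i]}")


def expand_ace(tok, groups):
    """Expand one access-list line into a set of (action, proto, src, dst, dport) rules."""
    i = 2 + (tok[2] == "extended")
    action = tok[i]
    i += 1
    if tok[i] == "object-group":
        # Mixed service group in the protocol position: it supplies protocol AND port.
        proto_ports = list(groups[tok[i + 1]])
        src, i = parse_addr(tok, i + 2)
        dst, i = parse_addr(tok, i)
    else:
        proto = tok[i]
        src, i = parse_addr(tok, i + 1)
        dst, i = parse_addr(tok, i)
        rest = tok[i:]
        if not rest:
            proto_ports = [(proto, None)]  # no port qualifier: every destination port
        elif rest[0] == "object-group":
            entries = groups[rest[1]]
            # A tcp/udp port group must match the ACE's protocol, as the ASA itself requires.
            mismatched = [gp for gp, _ in entries if gp != proto]
            if mismatched:
                raise ValueError(f"group {rest[1]} is {mismatched[0]}, ACE protocol is {proto}")
            proto_ports = entries
        else:
            proto_ports = [(proto, p) for p in ports_from(rest)]
    return {(action, p, src, dst, port) for p, port in proto_ports}


def expand_acl(text, acl_name):
    groups, aces = parse_config(text)
    rules = set()
    for tok in aces:
        if tok[1] == acl_name:
            rules |= expand_ace(tok, groups)
    return frozenset(rules)


def same_permissions(config_a, config_b, acl_name="inbound"):
    return expand_acl(config_a, acl_name) == expand_acl(config_b, acl_name)


if __name__ == "__main__":
    for rule in sorted(expand_acl(MIXED_STYLE, "inbound")):
        print(rule)
    print("equivalent:", same_permissions(TWO_GROUP_STYLE, MIXED_STYLE))
```

Running it lists the four expanded rules (tcp/80, tcp/443, udp/8080 and udp/8088 to 192.168.1.10, all with any source) and reports that the two configs are equivalent. The protocol-mismatch check in expand_ace mirrors the ASA's own refusal to pair a tcp ACE with a udp port group, which is the mistake the mixed group in the protocol position avoids.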

Related Articles, References, Credits, or External Links

NA