miscellaneous config examples for object-group
misc templates
In the 7.x releases a service object group could only contain entries for a single protocol (TCP, UDP, or both TCP/UDP via the tcp-udp type). This forced admins either to use separate object groups for TCP and UDP ports (requiring two ACE entries) or to match more ports than necessary (by using the tcp-udp type, which permits every listed port for both protocols).
simple example from cisco config guide (old style)
object-group service services1 tcp-udp
description DNS Group
port-object eq domain
object-group service services2 udp
description RADIUS Group
port-object eq radius
port-object eq radius-acct
object-group service services3 tcp
description LDAP Group
port-object eq ldap
Here you can see the use of a tcp, a udp and a combined tcp-udp object-group. This has been the common style since version 7.x. Use it if you have to stay compatible with older versions and with most admins, since it is still the preferred style in most guides, including Cisco's.
Enhanced service object group since version 8.0
The 8.0 release of the ASA software solves this problem by introducing an enhanced service object group that allows a mix of multiple protocols within the same group. Unfortunately, the 8.0, 8.2 and 8.4 ASA configuration guides don't appear to cover this new type of service group or show an example.
object-group network DmzNet
network-object 192.168.1.0 255.255.255.0
!
object-group service DmzServices
service-object icmp
service-object tcp eq 80
service-object udp eq 123
service-object udp eq 53
service-object tcp eq 53
!
access-list Dmz extended permit object-group DmzServices any object-group DmzNet
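The two styles above differ only in how ports are tied to protocols, so a pair of old-style single-protocol groups can be folded mechanically into one enhanced group. The following Python script is an added example, not code from this page or from Cisco: it parses old-style 7.x service object groups and emits one 8.0-style enhanced group, so that the ACL needs a single ACE instead of one per protocol. The sample config (OLD_STYLE_CONFIG) is constructed from groups shown on this page, and the group names sCifs and sDns are assumptions; the output uses the `service-object <proto> eq <port>` form shown in the page's 8.0 example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: old-style (7.x) groups in the form used on this page.
OLD_STYLE_CONFIG = """\
object-group service sAddNetbiosTcp tcp
 description -- TCP for CIFS
 port-object eq 445
 port-object eq netbios-ssn
object-group service sAddNetbiosUdp udp
 description -- UDP for CIFS
 port-object eq netbios-dgm
 port-object eq netbios-ns
object-group service services1 tcp-udp
 description DNS Group
 port-object eq domain
"""


@dataclass
class ServiceGroup:
    name: str
    proto: str                      # "tcp", "udp", "tcp-udp" (old style) or "" (enhanced, 8.0+)
    description: str = ""
    ports: List[str] = field(default_factory=list)   # e.g. "eq 445", "range 1600 1601"


def parse_service_groups(text: str) -> Dict[str, ServiceGroup]:
    """Collect object-group service blocks; other object-group types are ignored."""
    groups: Dict[str, ServiceGroup] = {}
    current: Optional[ServiceGroup] = None
    header = re.compile(r"object-group service (\S+)(?: (tcp-udp|tcp|udp))?$")
    for raw in text.splitlines():
        line = raw.strip()
        m = header.match(line)
        if m:
            current = ServiceGroup(m.group(1), m.group(2) or "")
            groups[current.name] = current
            continue
        if current is None or not line or line == "!":
            continue
        if line.startswith("description "):
            current.description = line[len("description "):]
        elif line.startswith("port-object "):
            current.ports.append(line[len("port-object "):])
    return groups


def to_enhanced(name: str, groups: Dict[str, ServiceGroup], members: List[str],
                description: Optional[str] = None) -> str:
    """Merge old-style single-protocol groups into one enhanced service object group.

    Every port-object becomes a service-object line carrying its protocol; a tcp-udp
    group expands into one tcp and one udp line per port, which makes the double
    match of the old combined type explicit instead of implicit.
    """
    lines = [f"object-group service {name}"]
    if description:
        lines.append(f" description {description}")
    for member in members:
        g = groups[member]
        protos = ["tcp", "udp"] if g.proto == "tcp-udp" else [g.proto]
        for proto in protos:
            for port in g.ports:
                lines.append(f" service-object {proto} {port}")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_service_groups(OLD_STYLE_CONFIG)
    # One enhanced group replaces the tcp and udp CIFS groups (one ACE instead of two).
    print(to_enhanced("sCifs", parsed, ["sAddNetbiosTcp", "sAddNetbiosUdp"], "-- CIFS, TCP and UDP"))
    print("!")
    print(to_enhanced("sDns", parsed, ["services1"], "DNS Group"))
```

Note that the generated syntax matches the 8.0 to 8.2 form used on this page; releases from 8.3 onward expect `service-object tcp destination eq 445`, so the emitted lines need the `destination` keyword inserted before they are pasted into a newer ASA.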
example from a real-life config
object-group service sAddLdap tcp
description -- LDAP-queries
port-object eq ldap
port-object eq ldaps
object-group service sAddNetbiosTcp tcp
description -- TCP for CIFS
port-object eq 445
port-object eq netbios-ssn
object-group service sAddNetbiosUdp udp
description -- UDP for CIFS
port-object eq netbios-dgm
port-object eq netbios-ns
object-group service sBaseTcp tcp
description -- TCP base services for Clients
port-object eq domain
port-object eq www
port-object eq https
port-object eq imap4
port-object eq pop3
port-object eq smtp
port-object eq ssh
port-object eq 17
port-object eq 587
port-object range 1600 1601
port-object eq nntp
port-object eq 8080
port-object eq 8081
port-object eq 3128
port-object eq 8070
port-object eq citrix-ica
port-object eq ident
object-group service sBaseUdp udp
description -- UDP base services for Clients
port-object eq domain
port-object eq ntp
port-object eq isakmp
port-object eq 427
object-group service sSrvSshTcp tcp
description -- Fernadministration via ssh, scp, sftp
port-object eq ssh
object-group network nCampus
description -- hole campus
network-object 134.32.0.0 255.255.0.0
object-group network nCampusServer
description -- Basisserver (time, web, dns, Backup)
network-object host 134.32.4.237
network-object host 134.32.140.52
network-object host 134.32.140.57
network-object host 134.32.140.69
network-object host 134.32.8.18
network-object host 134.32.8.19
network-object host 134.32.8.2
network-object host 134.32.8.3
network-object host 134.32.8.43
network-object host 134.62.1.108
object-group service sSpzBackupTcp tcp
description -- Backup only
port-object range 1600 1601
object-group service stSpzMail tcp
description -- Mail only
port-object eq 587
port-object eq smtp
object-group service stSpzWeb tcp
description -- Web only
port-object eq www
port-object eq https
object-group icmp-type sIcmpBase
description -- Ping u.A.
icmp-object conversion-error
icmp-object echo
icmp-object echo-reply
icmp-object parameter-problem
icmp-object source-quench
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
object-group protocol sIpVpn
description -- ESP for VPN
protocol-object esp
object-group service stAddLpr tcp
description -- Printservice
port-object eq 510
port-object eq lpd
port-object eq 9100
port-object eq 9400
port-object eq 9200
object-group service suAddLpr udp
description -- Addhoc noch UDP
port-object eq 510
port-object eq 515
port-object eq 9100
port-object eq 9400
object-group service sAddVnc tcp
description -- VNS Remote Managment
port-object eq 5900
object-group service stAddMysql tcp
description -- Databaseconnect for MySQL und ODBC
port-object eq 3306
object-group service sAddGmail tcp
description -- IMAP/SSL, SMTP/SSL for Gmail
port-object eq 465
port-object eq 993
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service stAddBeehive tcp
port-object eq 7778
port-object eq 21401
ASAKnownServices