Sysadmin > CiscoFirewall > ASAConfigExamples > AsaTmplServicesMisc

miscancellous config examples for object-group

misc templates

In the 7.x releases a service object group could only contain entries for a single protocol (TCP, UDP, or both TCP/UDP). This forced admins to either use a separate object group for TCP and UDP ports (requiring two ACE entries), or to match more ports than necessary (by using the tcp-udp type).

simple example from cisco config guide (old style)

object-group service services1 tcp-udp
description DNS Group
port-object eq domain

object-group service services2 udp
description RADIUS Group
port-object eq radius
port-object eq radius-acct

object-group service services3 tcp
description LDAP Group
port-object eq ldap

Here you can see the use of tcp, udp and a combined object-group. This is the common style since version 7.x. Use it if you have to be compatible with older versions and with most admins, since this is still prefered style in most guides including from cisco.

Enhanced service object group since version 8.0

The 8.0 release of the ASA software solves this problem by introducing an enhanced Service object group that allows a mix of multiple protocols within the same group. Unfortunately, the 8.0, 8.2 and 8.4 ASA configuration guides don’t appear to cover this new type of service group or show an example.

object-group network DmzNet
object-group service DmzServices
  service-object icmp
  service-object tcp eq 80
  service-object udp eq 123
  service-object udp eq 53
  service-object tcp eq 53
access-list Dmz extended permit object-group DmzServices any object-group DmzNet

example from a real live config

object-group service sAddLdap tcp
 description -- LDAP-queries
 port-object eq ldap
 port-object eq ldaps

object-group service sAddNetbiosTcp tcp
 description -- TCP for CIFS
 port-object eq 445
 port-object eq netbios-ssn

object-group service sAddNetbiosUdp udp
 description -- UDP for CIFS
 port-object eq netbios-dgm
 port-object eq netbios-ns

object-group service sBaseTcp tcp
 description -- TCP base services for Clients
 port-object eq domain
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp
 port-object eq ssh
 port-object eq 17
 port-object eq 587
 port-object range 1600 1601
 port-object eq nntp
 port-object eq 8080
 port-object eq 8081
 port-object eq 3128
 port-object eq 8070
 port-object eq citrix-ica
 port-object eq ident

object-group service sBaseUdp udp
 description -- UDP base services for Clients
 port-object eq domain
 port-object eq ntp
 port-object eq isakmp
 port-object eq 427

object-group service sSrvSshTcp tcp
 description -- Fernadministration via ssh, scp, sftp
 port-object eq ssh

object-group network nCampus
 description -- hole campus

object-group network nCampusServer
 description -- Basisserver (time, web, dns, Backup)
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host

object-group service sSpzBackupTcp tcp
 description -- Backup only
 port-object range 1600 1601
object-group service stSpzMail tcp
 description -- Mail only
 port-object eq 587
 port-object eq smtp
object-group service stSpzWeb tcp
 description -- Web only
 port-object eq www
 port-object eq https
object-group icmp-type sIcmpBase
 description -- Ping u.A.
 icmp-object conversion-error
 icmp-object echo
 icmp-object echo-reply
 icmp-object parameter-problem
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group protocol sIpVpn
 description -- ESP for VPN
 protocol-object esp
object-group service stAddLpr tcp
 description -- Printservice
 port-object eq 510
 port-object eq lpd
 port-object eq 9100
 port-object eq 9400
 port-object eq 9200
object-group service suAddLpr udp
 description -- Addhoc noch UDP
 port-object eq 510
 port-object eq 515
 port-object eq 9100
 port-object eq 9400
object-group service sAddVnc tcp
 description -- VNS Remote Managment
 port-object eq 5900
object-group service stAddMysql tcp
 description -- Databaseconnect for MySQL und ODBC
 port-object eq 3306
object-group service sAddGmail tcp
 description -- IMAP/SSL, SMTP/SSL for Gmail
 port-object eq 465
 port-object eq 993
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service stAddBeehive tcp
 port-object eq 7778
 port-object eq 21401