Cisco ASA5520 - object-group service tcp-udp variable

  • Cisco ASA5520 - object-group service tcp-udp variable

    I've just taken over managing an ASA 5520 firewall (among other things). I've been looking to consolidate and group permissions as much as possible to cut down on the number of rules in the config file.

    I ran into an issue with the object-group service not having a corresponding variable equivalent in the access-list:

    existing rules:
    access-list DMZIn extended permit udp host server any eq 53
    access-list DMZIn extended permit tcp host server any eq 53

    Would like to set this up to reduce the lines used:
    object-group service DNSPROTO tcp-udp
    port-object eq 53

    access-list DMZIn extended permit (???) host server any object-group DNSPROTO

    The object-group service allows 3 types (tcp|udp|tcp-udp). The problem is I cannot find in any reference the use of an access-list with tcp-udp. I found complaints it wasn't implemented. I was wondering if the solution is listed below:

    access-list DMZIn extended permit ip host server any object-group DNSPROTO

    This would allow IP packets from the server to anywhere but limit the port to 53. Would this open it up to ICMP attacks on that port?

  • #2
    Re: Cisco ASA5520 - object-group service tcp-udp variable

    object-group network yourgroupname
    network-object host 192.168.1.10

    access-list someACLname line 1 extended permit tcp object-group yourgroupname any eq 9062

    That is how you do it. Since you're just now taking over an ASA, you'll need to quickly learn how to:

    1) tell if an ACL is blocking traffic
    2) sniff packets with your ASA, which will help assist you in proving to your server admins that your firewall is not affecting traffic on your network
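    An added example, written by the editor rather than by either poster, that combines the service group from the question with the network-group approach from reply #2 and the verification steps reply #2 says a new ASA admin needs. The addresses, the interface name DMZ and the group name DMZ_DNS_SERVERS are placeholders; the single-ACE tcp-udp form (Option A) is how the editor understands the ASA syntax and is marked as an assumption in the comments, so confirm it on your software version.

```cisco
! Constructed example (not from the thread). Addresses and interface
! names are placeholders; ASA 8.x style syntax.

! --- Reusable building blocks ---
object-group network DMZ_DNS_SERVERS
 network-object host 192.0.2.10        ! placeholder for "server"
 network-object host 192.0.2.11        ! adding a resolver later is one line

! The tcp-udp service group from the original post
object-group service DNSPROTO tcp-udp
 port-object eq 53

! --- Option A: one ACE, tcp-udp group in the protocol position ---
! ASSUMPTION: a tcp-udp service group replaces the tcp/udp keyword, so
! no protocol keyword is written. Verify on your ASA version before use.
access-list DMZIn extended permit object-group DNSPROTO object-group DMZ_DNS_SERVERS any

! --- Option B: portable form, one ACE per protocol ---
! Same effect as the two original rules; the hosts are centralised in
! the network group, so rule count stays flat as servers are added.
access-list DMZIn extended permit tcp object-group DMZ_DNS_SERVERS any eq 53
access-list DMZIn extended permit udp object-group DMZ_DNS_SERVERS any eq 53

! Avoid "permit ip ... object-group DNSPROTO": ports exist only for TCP
! and UDP, so an ip ACE cannot be narrowed by port. ICMP carries a
! type/code, not a port, and is matched by protocol, not by this group.

! --- Verify what the ASA actually expanded ---
show access-list DMZIn
! Object-group ACEs are shown expanded per host and per protocol, each
! with a hit count, so you can confirm exactly what is permitted.

! --- Test before trusting: simulate a packet through the rule base ---
! Format: packet-tracer input <ifc> <proto> <src ip> <src port> <dst ip> <dst port>
packet-tracer input DMZ udp 192.0.2.10 40000 198.51.100.53 53
packet-tracer input DMZ tcp 192.0.2.10 40000 198.51.100.53 53
! ICMP from the same server: expected to be dropped by DMZIn, which
! answers the "ICMP on that port" worry (ICMP type 8, code 0 = echo).
packet-tracer input DMZ icmp 192.0.2.10 8 0 198.51.100.53
```

    The hit counts from show access-list, taken before and after a test, are the quickest way to show a server admin which ACE (if any) is dropping their traffic.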
