Hello Terry,

There is a difference. With the first service object-group TEST, you can combine different protocols (tcp, udp, esp, etc.) together, while with the second you basically group tcp service objects.

Let's give a different example.
Suppose you have a bunch of hosts that run VPN services for you.
Then you would be better off doing this:

object-group service vpnservices
   service-object udp eq 500
   service-object udp eq 4500
   service-object esp

access-list acl_outside permit object-group vpnservices any object-group vpnhosts

This way, one line basically allows everybody to connect to the object-group vpnhosts with just the VPN services.

Another example would be that you're running webservers on ports 80, 81, 82, 83, 84 and 86;
then you could do:

object-group service webservices tcp
   port-object eq 80
   port-object eq 81
   port-object eq 82
   port-object eq 83
   port-object eq 84
   port-object eq 86

access-list acl_outside permit tcp any object-group webservers object-group webservices

So the purpose of the one service object-group is just a collection of ports within the same protocol (second example), while in the first you can mix and match multiple protocols and ports in a single service object-group.

HTH

Pieter-Jan
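To make the difference concrete, here is a small Python model of how the ASA flattens the two group styles into the (protocol, port) pairs an access-list entry actually matches. It is an added illustration for this thread, not ASA code and not a full ASA parser: it only understands the keywords used above (service-object, port-object, network-object, eq). The sample config is constructed, the two groups from Terry's question are renamed TEST-A and TEST-B so both can coexist, and the host addresses are documentation-range placeholders. It also handles the tcp-udp group type, which the thread does not mention, by expanding each port-object to both protocols.

```python
"""Flatten Cisco ASA service object-groups into the (protocol, port) tuples
an access-list entry effectively matches.  Added illustration for this
thread, not ASA code and not a complete ASA parser: only the keywords used
in the thread (service-object, port-object, network-object, eq) are handled."""

# Constructed sample config built from the two forms discussed in the thread.
SAMPLE_CONFIG = """
object-group network vpnhosts
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network webservers
 network-object 192.0.2.32 255.255.255.240
object-group service vpnservices
 service-object udp eq 500
 service-object udp eq 4500
 service-object esp
object-group service webservices tcp
 port-object eq 80
 port-object eq 81
object-group service TEST-A
 service-object tcp eq 2222
 service-object tcp eq 3333
object-group service TEST-B tcp
 port-object eq 2222
 port-object eq 3333
"""


def parse_object_groups(config):
    """Return {name: (kind, entries)}.  Service entries are (proto, port)
    tuples (port None for portless protocols such as esp); network entries
    are address strings.  Mixing the two member styles is rejected, which
    is the restriction the thread describes: port-object only exists inside
    a tcp/udp/tcp-udp group, service-object only inside an unscoped one."""
    groups, name, scope = {}, None, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "object-group":
            name = tok[2]
            scope = tok[3] if len(tok) > 3 else None  # tcp, udp or tcp-udp
            groups[name] = (tok[1], [])
        elif tok[0] == "service-object":
            if scope is not None:
                raise ValueError(f"{name}: service-object needs an unscoped group")
            port = int(tok[3]) if len(tok) > 3 and tok[2] == "eq" else None
            groups[name][1].append((tok[1], port))
        elif tok[0] == "port-object":
            if scope is None:
                raise ValueError(f"{name}: port-object needs a tcp/udp/tcp-udp group")
            for proto in scope.split("-"):  # tcp-udp expands to both protocols
                groups[name][1].append((proto, int(tok[2])))
        elif tok[0] == "network-object":
            groups[name][1].append(" ".join(tok[1:]))
        else:
            raise ValueError(f"unsupported line: {raw.strip()}")
    return groups


def _address(tok, i, groups):
    """Consume one source/destination spec at tok[i]; return (addrs, next_i)."""
    if tok[i] == "any":
        return ["any"], i + 1
    if tok[i] == "host":
        return ["host " + tok[i + 1]], i + 2
    if tok[i] == "object-group":
        kind, entries = groups[tok[i + 1]]
        if kind != "network":
            raise ValueError(f"{tok[i + 1]} is not a network group")
        return list(entries), i + 2
    return [tok[i] + " " + tok[i + 1]], i + 2  # "network mask" pair


def expand_ace(line, groups):
    """Flatten one access-list entry into a set of
    (action, protocol, source, destination, port) tuples."""
    tok = line.split()
    if not tok[0].lower().startswith("access-l"):
        raise ValueError("not an access-list line")
    i = 3 if tok[2] == "extended" else 2
    action = tok[i]
    i += 1
    if tok[i] == "object-group":  # unscoped group sits in the protocol slot
        services = list(groups[tok[i + 1]][1])
        i += 2
    else:  # plain protocol keyword; any ports come after the destination
        services = [(tok[i], None)]
        i += 1
    srcs, i = _address(tok, i, groups)
    dsts, i = _address(tok, i, groups)
    ports = [None]
    if i < len(tok) and tok[i] == "eq":
        ports = [int(tok[i + 1])]
    elif i < len(tok) and tok[i] == "object-group":  # scoped group: port slot
        ace_proto = services[0][0]
        ports = [p for (pr, p) in groups[tok[i + 1]][1] if pr == ace_proto]
    return {(action, proto, s, d, port if port is not None else p)
            for proto, port in services for p in ports for s in srcs for d in dsts}


if __name__ == "__main__":
    g = parse_object_groups(SAMPLE_CONFIG)
    a = expand_ace("access-list TEST permit object-group TEST-A any any", g)
    b = expand_ace("access-list TEST permit tcp any any object-group TEST-B", g)
    print("Terry's two forms match:", a == b)
    vpn = "access-list acl_outside permit object-group vpnservices any object-group vpnhosts"
    for rule in sorted(expand_ace(vpn, g), key=str):
        print(rule)
```

Running it shows that Terry's two forms expand to the same two tcp rules, while the vpnservices entry expands to udp/500, udp/4500 and esp for each host, something a tcp-scoped group cannot express.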


On May 23, 2010, at 5:06 PM, Terry Little (terlittl) wrote:

Other than how they are applied, is there a difference between the following two sets of ASA configurations? They appear to operate the same to me, but I just want to make sure that I haven’t missed some corner case where you have to use one over the other.

object-group service TEST
 service-object tcp eq 2222
 service-object tcp eq 3333

access-list TEST permit object-group TEST any any

AND

object-group service TEST tcp
 port-object eq 2222
 port-object eq 3333

access-list TEST permit tcp any any object-group TEST

Terry Little
Phone: +1 425 468 1057    
Mobile: +1 425 894 4109

Cisco Systems, Inc.
Network Consulting Engineer
World Wide Security Services Practice
Cisco.com - http://www.cisco.com
 
This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.

For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html
 
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

---

Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands

Tel: +31 183 634730
Fax: +31 183 690113
Cell: +31 654 323221
Web: http://www.nefkensadvies.nl/

Think before you print.
