Service objects and port objects are not the same; there are differences. Port objects depend on the IP protocol of the ACL:

    access-list 123 permit tcp ...   needs a tcp service group
    access-list 123 permit udp ...   needs a udp service group

With service-objects you don't have that restriction; you can put all the stuff into one group. With service-objects I don't think you need port objects any more. Service-objects can do everything with fewer ACLs.

With regards
King

On Sun, May 23, 2010 at 10:15 PM, Terry Little (terlittl) <[email protected]> wrote:

> Pieter-Jan,
>
> Ok, I understand all that. What I am trying to figure out is, in the
> scenario that I presented, which can be done with either method, are there
> any differences in the way that the ASA processes traffic associated with
> the ACL?
>
> Regards,
>
> Terry Little
>
> From: Pieter-Jan Nefkens [mailto:[email protected]]
> Sent: Sunday, May 23, 2010 9:18 AM
> To: Terry Little (terlittl)
> Cc: CCIE Sec
> Subject: Re: [OSL | CCIE_Security] object groups service question
>
> Hello Terry,
>
> There is a difference. With the first service object-group TEST, you can
> combine different protocols (tcp, udp, esp, etc.) together, while with the
> second you basically group tcp service objects.
>
> Let's give a different example. Suppose you have a bunch of hosts that run
> VPN services for you. Then it would be better to do this:
>
>   object-group service vpnservices
>    service-object udp eq 500
>    service-object udp eq 4500
>    service-object esp
>
>   access-list acl_outside permit object-group vpnservices any object-group vpnhosts
>
> This way, one line basically allows everybody to connect to the object-group
> vpnhosts with just the VPN services.
>
> Another example would be that you're running webservers on ports
> 80, 81, 82, 83, 84 and 86; then you could do:
>
>   object-group service webservices tcp
>    port-object eq 80
>    port-object eq 81
>    port-object eq 82
>    port-object eq 83
>    port-object eq 84
>    port-object eq 86
>
>   access-list acl_outside permit tcp any object-group webservers object-group webservices
>
> So the purpose of the one service object-group is just a collection of ports
> within the same protocol (second example), and with the first you can mix and
> match multiple protocols and ports in a single service object-group.
>
> HTH
>
> Pieter-Jan
>
> On May 23, 2010, at 5:06 PM, Terry Little (terlittl) wrote:
>
> Other than how they are applied, is there a difference between the following
> two sets of ASA configurations? They appear to operate the same to me, but I
> just want to make sure that I haven't missed some corner case where you have
> to use one over the other.
>
>   object-group service TEST
>    service-object tcp eq 2222
>    service-object tcp eq 3333
>
>   access-list TEST permit object-group TEST any any
>
> AND
>
>   object-group service TEST tcp
>    port-object eq 2222
>    port-object eq 3333
>
>   access-list TEST permit tcp any any object-group TEST
>
> Terry Little
> Cisco Systems, Inc.
> Network Consulting Engineer, World Wide Security Services Practice
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
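As an added example (not code from the thread or from Cisco), the following Python script normalises both object-group styles discussed above into the set of (protocol, port-range) pairs an access-list entry actually permits. That makes Terry's two TEST configurations directly comparable, and it rejects the pairing King describes as impossible (a udp entry referencing a tcp port-object group) as well as a mixed-protocol service group placed in the port position. Assumptions: only the syntax seen in the thread plus `range lo hi` and the 8.3-style `destination` keyword is parsed, and address specs (`any`, `host A`, `A MASK`, `object-group G`) are carried as opaque strings rather than expanded.

```python
"""Expand the two ASA service object-group styles from the thread into the
(protocol, port-range) set an access-list entry actually permits.

Added example, not Cisco's code. Assumptions: only the syntax seen in the thread
plus `range lo hi` and the 8.3-style `destination` keyword is handled; address
specs (`any`, `host A`, `A MASK`, `object-group G`) are kept as opaque strings.
"""
import re

GROUP_RE = re.compile(r"^object-group\s+service\s+(\S+)(?:\s+(tcp|udp|tcp-udp))?$", re.I)
PORT_RE = re.compile(r"^port-object\s+(eq|range)\s+(\d+)(?:\s+(\d+))?$", re.I)
SVC_RE = re.compile(
    r"^service-object\s+(\S+)(?:\s+(?:destination\s+)?(eq|range)\s+(\d+)(?:\s+(\d+))?)?$", re.I)


def _protocols(keyword):
    """`tcp-udp` groups stand for both protocols."""
    return ("tcp", "udp") if keyword == "tcp-udp" else (keyword,)


def _port_range(op, lo, hi=None):
    return (int(lo), int(lo)) if op == "eq" else (int(lo), int(hi))


def parse_groups(config):
    """Return {name: {"proto": tcp|udp|tcp-udp|None, "entries": {(proto, range)}}}.
    range is (lo, hi), or None when the entry names a protocol only (e.g. esp)."""
    groups, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := GROUP_RE.match(line):
            cur = {"proto": (m.group(2) or "").lower() or None, "entries": set()}
            groups[m.group(1)] = cur
        elif cur and (m := PORT_RE.match(line)):
            if cur["proto"] is None:  # port-object needs the protocol on the group line
                raise ValueError("port-object requires a group declared with tcp, udp or tcp-udp")
            for p in _protocols(cur["proto"]):
                cur["entries"].add((p, _port_range(m.group(1).lower(), m.group(2), m.group(3))))
        elif cur and (m := SVC_RE.match(line)):
            if cur["proto"] is not None:
                raise ValueError("service-object is not valid in a group declared with a protocol")
            rng = _port_range(m.group(2).lower(), m.group(3), m.group(4)) if m.group(2) else None
            cur["entries"].add((m.group(1).lower(), rng))
    return groups


def _addr(tokens, i):
    """Consume one address spec; `any` is one token, everything else two."""
    return (tokens[i], i + 1) if tokens[i].lower() == "any" else (" ".join(tokens[i:i + 2]), i + 2)


def expand_acl(line, groups):
    """Return (name, action, src, dst, services); services is a frozenset of
    (protocol, range) tuples, so two entries are equivalent iff the tuples match."""
    t = line.split()
    if len(t) < 4 or t[0].lower() != "access-list" or t[2].lower() not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line}")
    name, action, i = t[1], t[2].lower(), 3
    if t[i].lower() == "object-group":
        # Style 1: a protocol-less service group replaces the protocol keyword.
        g = groups[t[i + 1]]
        if g["proto"] is not None:
            raise ValueError(f"{t[i + 1]} is a {g['proto']} port group; it cannot replace the protocol")
        services, i = set(g["entries"]), i + 2
        src, i = _addr(t, i)
        dst, i = _addr(t, i)
    else:
        # Style 2: explicit protocol, optional destination port spec after the addresses.
        proto, i = t[i].lower(), i + 1
        src, i = _addr(t, i)
        dst, i = _addr(t, i)
        services = {(proto, None)}  # no port spec: whole protocol
        if i < len(t) and t[i].lower() == "object-group":
            g = groups[t[i + 1]]
            if g["proto"] is None:
                raise ValueError(f"{t[i + 1]} mixes protocols; it cannot sit in the port position")
            if proto not in _protocols(g["proto"]):  # King's restriction: udp entry, tcp group
                raise ValueError(f"{t[i + 1]} is a {g['proto']} group but the entry says {proto}")
            services = {(p, r) for p, r in g["entries"] if p == proto}
        elif i < len(t) and t[i].lower() in ("eq", "range"):
            services = {(proto, _port_range(t[i].lower(), *t[i + 1:i + 3]))}
    return name, action, src, dst, frozenset(services)


def same_effect(cfg_a, acl_a, cfg_b, acl_b):
    """True when both entries permit the same action/src/dst/service set."""
    return expand_acl(acl_a, parse_groups(cfg_a))[1:] == expand_acl(acl_b, parse_groups(cfg_b))[1:]


# Constructed input, copied from the configurations quoted in the thread.
CONFIG_A = "object-group service TEST\n service-object tcp eq 2222\n service-object tcp eq 3333\n"
ACL_A = "access-list TEST permit object-group TEST any any"
CONFIG_B = "object-group service TEST tcp\n port-object eq 2222\n port-object eq 3333\n"
ACL_B = "access-list TEST permit tcp any any object-group TEST"
CONFIG_VPN = ("object-group service vpnservices\n service-object udp eq 500\n"
              " service-object udp eq 4500\n service-object esp\n")
ACL_VPN = "access-list acl_outside permit object-group vpnservices any object-group vpnhosts"

if __name__ == "__main__":
    print("TEST styles equivalent:", same_effect(CONFIG_A, ACL_A, CONFIG_B, ACL_B))
    print("vpnservices expands to:", sorted(expand_acl(ACL_VPN, parse_groups(CONFIG_VPN))[4], key=str))
```

Run it against the two TEST snippets and `same_effect` comes back true, which is the offline answer to Terry's question at the level of what the entry permits; the vpnservices group expands to udp/500, udp/4500 and esp from a single line, which is what the port-object style cannot express because the protocol keyword on the entry fixes every port in the group to that one protocol.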
