King,

 

I get the config options/restrictions. I am trying to verify that, in a
case that allows for either option, the ASA ends up processing them
the same way. This is not a config question.

 

Terry Little

(425) 894-4109 (m)

(425) 468-1057 (o)

From: Kingsley Charles [mailto:[email protected]] 
Sent: Sunday, May 23, 2010 10:01 AM
To: Terry Little (terlittl)
Cc: Pieter-Jan Nefkens; CCIE Sec
Subject: Re: [OSL | CCIE_Security] object groups service question

 

Service and port objects are not the same; there are differences.

Port objects depend on the IP protocol of the ACL:

access-list 123 permit tcp needs a tcp service group
access-list 123 permit udp needs a udp service group

With service-objects, you don't have that restriction. You can put all
the stuff into one group.

With service-objects, I don't think you need port objects any more.

Service-objects can do everything with fewer ACLs.




With regards
King

On Sun, May 23, 2010 at 10:15 PM, Terry Little (terlittl) <[email protected]> wrote:

Pieter-Jan,

 

Ok, I understand all that. What I am trying to figure out is in the
scenario that I presented, which can be done with either method, are
there any differences in the way that the ASA processes traffic
associated with the ACL.

 

Regards,

 

 

Terry Little

(425) 894-4109 (m)

(425) 468-1057 (o)

From: Pieter-Jan Nefkens [mailto:[email protected]] 
Sent: Sunday, May 23, 2010 9:18 AM
To: Terry Little (terlittl)
Cc: CCIE Sec
Subject: Re: [OSL | CCIE_Security] object groups service question

 

Hello Terry,

 

There is a difference. With the first service object-group TEST, you can
combine different protocols (tcp, udp, esp, etc) together. While with
the second, you basically group tcp service objects. 

 

Let's give a different example.

Suppose, you have a bunch of hosts, that run VPN services for you.

Then you could better do this:

 

object-group service vpnservices
 service-object udp eq 500
 service-object udp eq 4500
 service-object esp

access-list acl_outside permit object-group vpnservices any object-group vpnhosts

 

This way, one line basically allows everybody to connect to the
object-group vpnhosts with just vpn services.

 

Another example would be that you're running webservers on ports
80, 81, 82, 83, 84 and 86; then you could do:

object-group service webservices tcp
 port-object eq 80
 port-object eq 81
 port-object eq 82
 port-object eq 83
 port-object eq 84
 port-object eq 86

access-list acl_outside permit tcp any object-group webservers object-group webservices

 

So the purpose of the one kind of service object-group is just a
collection of ports within the same protocol (second example), while
in the first kind you can mix and match multiple protocols and ports in
a single service object-group.

 

HTH

 

Pieter-Jan

 

 

On May 23, 2010, at 5:06 PM, Terry Little (terlittl) wrote:

 

Other than how they are applied, is there a difference between the
following two sets of ASA configurations? They appear to operate the
same to me, but I just want to make sure that I haven't missed some
corner case where you have to use one over the other.

 

object-group service TEST
 service-object tcp eq 2222
 service-object tcp eq 3333

access-list TEST permit object-group TEST any any

 

 

AND

 

object-group service TEST tcp
 port-object eq 2222
 port-object eq 3333

access-list TEST permit tcp any any object-group TEST

 

 

 

Terry Little

[email protected]
Phone: +1 425 468 1057    

Mobile: +1 425 894 4109



Cisco Systems, Inc.

Network Consulting Engineer
World Wide Security Services Practice
Cisco.com - http://www.cisco.com

 

This email may contain confidential and privileged material for the sole
use of the intended recipient. Any review, use, distribution or
disclosure by others is strictly prohibited. If you are not the intended
recipient (or authorized to receive for the recipient), please contact
the sender by reply email and delete all copies of this message.

For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html

 

_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com

 

---

Nefkens Advies

Enk 26

4214 DD Vuren

The Netherlands

 

Tel: +31 183 634730

Fax: +31 183 690113

Cell: +31 654 323221

Email: [email protected]

Web: http://www.nefkensadvies.nl/


  Think before you print.

 

 

 



 


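As an added example at the end of the thread (written here; it is not from any of the posters and not Cisco's code): a small Python model of how the ASA expands service object-groups into the individual ACEs that `show access-list` displays, which is the check Terry is asking for. It assumes the `service-object tcp eq N` syntax used above, where N is a destination port, and handles only the syntax the thread uses (`eq` ports; `any`, `host`, network/mask and `object-group` addresses; `tcp`, `udp` and `tcp-udp` typed groups). The sample configs are constructed from Terry's two forms and Pieter-Jan's vpnservices group.

```python
"""Expand Cisco ASA service object-groups into per-port ACEs.

Simplified model of the expansion `show access-list` performs; it is an
added example, not Cisco's implementation, and covers only the syntax
used in the thread.
"""
from collections import namedtuple

# One expanded access-control entry, as `show access-list` would list it.
ACE = namedtuple("ACE", "acl action proto src dst dport")

# Constructed sample configs: Terry's two forms.
SERVICE_OBJECT_FORM = """
object-group service TEST
 service-object tcp eq 2222
 service-object tcp eq 3333
access-list TEST permit object-group TEST any any
"""

PORT_OBJECT_FORM = """
object-group service TEST tcp
 port-object eq 2222
 port-object eq 3333
access-list TEST permit tcp any any object-group TEST
"""

# Pieter-Jan's mixed-protocol group (udp + esp): only expressible with service-objects.
VPN_FORM = """
object-group service vpnservices
 service-object udp eq 500
 service-object udp eq 4500
 service-object esp
access-list acl_outside permit object-group vpnservices any object-group vpnhosts
"""


def _take_addr(tok, i):
    """Consume one address spec starting at tok[i]; return (text, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    # "host A.B.C.D", "object-group NAME" and "NETWORK MASK" all use two tokens
    return f"{tok[i]} {tok[i + 1]}", i + 2


def parse(text):
    """Return ({group: (protocol-or-None, [(proto, dport)])}, [acl token lists])."""
    groups, acls, cur = {}, [], None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "service"]:
            proto = tok[3] if len(tok) > 3 else None      # typed (tcp/udp/tcp-udp) or untyped
            cur = groups[tok[2]] = (proto, [])
        elif tok[0] == "service-object":                  # service-object <proto> [eq <port>]
            dport = tok[3] if len(tok) > 3 and tok[2] == "eq" else None
            cur[1].append((tok[1], dport))
        elif tok[0] == "port-object":                     # port-object eq <port>
            if cur[0] is None:
                raise ValueError("port-object requires a protocol-typed object-group")
            cur[1].append((cur[0], tok[2]))
        elif tok[0] == "access-list":
            acls.append(tok)
            cur = None
    return groups, acls


def expand(text):
    """Expand every access-list line into the ACEs the ASA actually evaluates."""
    groups, acls = parse(text)
    aces = []
    for tok in acls:
        acl, action = tok[1], tok[2]
        if tok[3] == "object-group":                      # service group in the protocol slot
            entries = groups[tok[4]][1]
            src, i = _take_addr(tok, 5)
            dst, i = _take_addr(tok, i)
            aces += [ACE(acl, action, p, src, dst, d) for p, d in entries]
            continue
        proto = tok[3]
        src, i = _take_addr(tok, 4)
        dst, i = _take_addr(tok, i)
        rest = tok[i:]
        if rest[:1] == ["object-group"]:                  # port group in the destination-port slot
            gproto, entries = groups[rest[1]]
            if gproto != proto and not (gproto == "tcp-udp" and proto in ("tcp", "udp")):
                raise ValueError(f"{rest[1]} is a {gproto} group but the ACE protocol is {proto}")
            aces += [ACE(acl, action, proto, src, dst, d) for _, d in entries]
        elif rest[:1] == ["eq"]:
            aces.append(ACE(acl, action, proto, src, dst, rest[1]))
        else:
            aces.append(ACE(acl, action, proto, src, dst, None))
    return aces


def ace_text(ace):
    """Render an ACE the way `show access-list` prints it."""
    line = f"access-list {ace.acl} {ace.action} {ace.proto} {ace.src} {ace.dst}"
    return line + (f" eq {ace.dport}" if ace.dport else "")


def check(text):
    """None when the config expands cleanly, else the error the ASA would raise."""
    try:
        expand(text)
        return None
    except ValueError as err:
        return str(err)


def same_policy(a, b):
    """True when two configs expand to the same set of ACEs."""
    return set(expand(a)) == set(expand(b))


if __name__ == "__main__":
    for form in (SERVICE_OBJECT_FORM, PORT_OBJECT_FORM, VPN_FORM):
        print("\n".join(ace_text(a) for a in expand(form)), end="\n\n")
    print("TEST forms equivalent:", same_policy(SERVICE_OBJECT_FORM, PORT_OBJECT_FORM))
```

In this model the two TEST configurations expand to the same two ACEs, while the port-object form is rejected as soon as the group's protocol does not match the ACE's protocol, which is the restriction King describes, and the vpnservices group only exists in the service-object form. On a real ASA the equivalent check is to configure each form and compare the output of `show access-list TEST`; if the expanded entries are identical, traffic is matched identically, and the choice between the two forms is about how the group is reused, not about how it is evaluated.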