Hi Terry, King,

I expect that the traffic is being handled the same way, as the object-group access-lists are exploded into single-line entries and are still validated line by line.

PJ
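As an added illustration of the "exploded into single-line entries" point (an editor's example, not code from PJ or anyone else on this thread), the script below takes the two configurations from Terry's question and the VPN group from Pieter-Jan's reply, embedded here as constructed sample text, and explodes each object-group ACE into single-protocol, single-port ACEs. It is a stand-alone parser that models only the syntax used in the thread: the `access-list NAME line N extended ...` rendering approximates the ASA's expanded `show access-list` view rather than reproducing it exactly, network object-groups are left unexpanded, and the protocol check mirrors the restriction King describes (a tcp port group cannot sit on a udp ACE). Both of Terry's forms come out as the same ACE list; the VPN group comes out as three ACEs with different protocols, which the port-object form cannot express.

```python
import re
from collections import defaultdict

# Constructed sample configs for this example (not taken from a live ASA).
# FORM_A and FORM_B are the two alternatives from Terry's question;
# FORM_C is the mixed-protocol VPN group from Pieter-Jan's reply.
FORM_A = """\
object-group service TEST
 service-object tcp eq 2222
 service-object tcp eq 3333
access-list TEST permit object-group TEST any any
"""
FORM_B = """\
object-group service TEST tcp
 port-object eq 2222
 port-object eq 3333
access-list TEST permit tcp any any object-group TEST
"""
FORM_C = """\
object-group service vpnservices
 service-object udp eq 500
 service-object udp eq 4500
 service-object esp
access-list acl_outside permit object-group vpnservices any object-group vpnhosts
"""

GROUP_RE = re.compile(r"^object-group service (\S+)(?: (tcp|udp|tcp-udp))?$")


def parse_service_groups(config):
    """Map group name -> {'proto': None|'tcp'|'udp'|'tcp-udp', 'entries': [tokens]}.
    proto is None for the protocol-less (service-object) form."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            name, proto = m.groups()
            current = groups[name] = {"proto": proto, "entries": []}
        elif line.startswith(("service-object ", "port-object ")):
            if current is None:
                raise ValueError("object entry outside a group: " + line)
            current["entries"].append(line.split())
        elif line:
            current = None  # any other command ends the group block
    return groups


def take_addr(tok, i):
    """Consume one address operand at tok[i]: 'any' is one token; 'host A',
    'object-group G', 'object O' and 'A.B.C.D M.M.M.M' are two."""
    if tok[i] == "any":
        return tok[i], i + 1
    return f"{tok[i]} {tok[i + 1]}", i + 2


def expand_acl(config):
    """Explode object-group ACEs into one ACE per protocol/port, rendered in
    the style of 'show access-list' (an approximation: network object-groups
    are left as-is). Enforces the restriction that a port-object group must
    match the ACE protocol and that a service-object group carries none."""
    groups = parse_service_groups(config)
    aces, counter = [], defaultdict(int)
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] != "access-list":
            continue
        name, rest = tok[1], tok[2:]
        if rest[0] == "extended":
            rest = rest[1:]
        action, rest = rest[0], rest[1:]
        expanded = []
        if rest[0] == "object-group":  # service-object form: protocol per entry
            grp = groups[rest[1]]
            if grp["proto"] is not None:
                raise ValueError(f"{rest[1]} is a {grp['proto']} port group, not a service group")
            src, i = take_addr(rest, 2)
            dst, i = take_addr(rest, i)
            for e in grp["entries"]:
                expanded.append([action, e[1], src, dst] + e[2:])
        else:  # protocol on the ACE; ports from 'eq N' or a port-object group
            proto = rest[0]
            src, i = take_addr(rest, 1)
            dst, i = take_addr(rest, i)
            port = rest[i:]
            if port[:1] == ["object-group"]:
                grp = groups[port[1]]
                if grp["proto"] not in (proto, "tcp-udp"):
                    raise ValueError(f"{port[1]} is a {grp['proto']} group; ACE protocol is {proto}")
                for e in grp["entries"]:
                    expanded.append([action, proto, src, dst] + e[1:])
            else:
                expanded.append([action, proto, src, dst] + port)
        for words in expanded:
            counter[name] += 1
            aces.append(f"access-list {name} line {counter[name]} extended " + " ".join(words))
    return aces


def expressible_as_port_group(config, group):
    """True if the group could also be written in port-object form: it already
    is one, or every service-object uses the same single tcp/udp protocol.
    False for mixes like udp+esp, which only the service-object form can hold."""
    g = parse_service_groups(config)[group]
    if g["proto"] is not None:
        return True
    protos = {e[1] for e in g["entries"]}
    return len(protos) == 1 and protos <= {"tcp", "udp"}


if __name__ == "__main__":
    for form in (FORM_A, FORM_B, FORM_C):
        print("\n".join(expand_acl(form)), end="\n\n")
    print(expand_acl(FORM_A) == expand_acl(FORM_B))  # both forms explode to identical ACEs
```

Running it prints the exploded ACE lists for all three samples; the equality on the last line is the answer to Terry's question as far as the expanded entries go, and `expressible_as_port_group` is the check for the corner case Pieter-Jan and King describe, where a group mixing protocols forces the service-object form.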
On May 23, 2010, at 7:04 PM, Terry Little (terlittl) wrote:

King,
 
I get the config options/restrictions. I am trying to verify that, in a case that allows for either option, the ASA ends up processing them the same way. This is not a config question.
 
Terry Little
(425) 894-4109 (m)
(425) 468-1057 (o)
From: Kingsley Charles [mailto:[email protected]] 
Sent: Sunday, May 23, 2010 10:01 AM
To: Terry Little (terlittl)
Cc: Pieter-Jan Nefkens; CCIE Sec
Subject: Re: [OSL | CCIE_Security] object groups service question
 

Service and port objects are not the same. There are differences.

Port objects depend on the "IP protocol" of the ACL:

access-list 123 permit tcp needs a tcp service group
access-list 123 permit udp needs a udp service group

With service-objects, you don't have that restriction. You can put all the stuff into one group.

With service-objects, I don't think you need port objects any more.

Service-objects can do everything with few ACLs.

With regards
King

On Sun, May 23, 2010 at 10:15 PM, Terry Little (terlittl) <[email protected]> wrote:
Pieter-Jan,
 
OK, I understand all that. What I am trying to figure out is, in the scenario that I presented (which can be done with either method), whether there are any differences in the way that the ASA processes traffic associated with the ACL.
 
Regards,
 
 
Terry Little
(425) 894-4109 (m)
(425) 468-1057 (o)
From: Pieter-Jan Nefkens [mailto:[email protected]] 
Sent: Sunday, May 23, 2010 9:18 AM
To: Terry Little (terlittl)
Cc: CCIE Sec
Subject: Re: [OSL | CCIE_Security] object groups service question
 
Hello Terry,
 
There is a difference. With the first service object-group TEST, you can combine different protocols (tcp, udp, esp, etc) together. While with the second, you basically group tcp service objects. 
 
Let's give a different example. Suppose you have a bunch of hosts that run VPN services for you. Then you would be better off doing this:
 
object-group service vpnservices
   service-object udp eq 500
   service-object udp eq 4500
   service-object esp
 
access-list acl_outside permit object-group vpnservices any object-group vpnhosts
 
This way, one line allows everybody to connect to the object-group vpnhosts with just the VPN services.
 
Another example would be that you're running webservers on ports 80, 81, 82, 83, 84 and 86; then you could do:
 
object-group service webservices tcp
   port-object eq 80
   port-object eq 81
   port-object eq 82
   port-object eq 83
   port-object eq 84
   port-object eq 86
 
access-list acl_outside permit tcp any object-group webservers object-group webservices
 
So the purpose of the one kind of service object-group (second example) is just a collection of ports within the same protocol, while with the first kind you can mix and match multiple protocols and ports in a single service object-group.
 
HTH
 
Pieter-Jan
 
 
On May 23, 2010, at 5:06 PM, Terry Little (terlittl) wrote:
Other than how they are applied, is there a difference between the following two sets of ASA configurations? They appear to operate the same to me, but I just want to make sure that I haven’t missed some corner case where you have to use one over the other.
 
object-group service TEST
 service-object tcp eq 2222
 service-object tcp eq 3333

access-list TEST permit object-group TEST any any


AND

object-group service TEST tcp
 port-object eq 2222
 port-object eq 3333

access-list TEST permit tcp any any object-group TEST
 
 
 
Terry Little
[email protected]
Phone: +1 425 468 1057    

Mobile: +1 425 894 4109

Cisco Systems, Inc.
Network Consulting Engineer
World Wide Security Services Practice
Cisco.com - http://www.cisco.com
 
This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.

For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html
 
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
 
---
Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands

Tel: +31 183 634730
Fax: +31 183 690113
Cell: +31 654 323221
Web: http://www.nefkensadvies.nl/

Think before you print.
