Terry, as Pieter said, even I think both are handled the same way. "sh access-list" will reveal the answer to you practically...

With regards
Kings

On Sun, May 23, 2010 at 10:47 PM, Pieter-Jan Nefkens <[email protected]> wrote:

> Oh, what I also meant is that if you do a "show access-list" (and not "show run access-list"), you can see the exploded access-lists.
>
> And those exploded access-lists are basically the same, so you can assume it's being handled the same as well.
>
> PJ
>
> On May 23, 2010, at 7:14 PM, Pieter-Jan Nefkens wrote:
>
> Hi Terry, Kings,
>
> I expect that the traffic is being handled the same way, as the object-group access-lists are exploded into single-line entries and still being validated line by line.
>
> PJ
>
> On May 23, 2010, at 7:04 PM, Terry Little (terlittl) wrote:
>
> King,
>
> I get the config options/restrictions. I am trying to verify that, in a case that allows for either option, the ASA ends up processing them the same way. This is not a config question.
>
> Terry Little
>
> From: Kingsley Charles [mailto:[email protected]]
> Sent: Sunday, May 23, 2010 10:01 AM
> To: Terry Little (terlittl)
> Cc: Pieter-Jan Nefkens; CCIE Sec
> Subject: Re: [OSL | CCIE_Security] object groups service question
>
> Service and port objects are not the same. There are differences.
>
> Port objects depend on the IP protocol of the ACL:
>
>     access-list 123 permit tcp   needs a tcp service group
>     access-list 123 permit udp   needs a udp service group
>
> With service objects, you don't have that restriction. You can put all the stuff into one group.
>
> With service objects, I don't think you need port objects any more. Service objects can do everything with few ACLs.
>
> With regards
> King
>
> On Sun, May 23, 2010 at 10:15 PM, Terry Little (terlittl) <[email protected]> wrote:
>
> Pieter-Jan,
>
> Ok, I understand all that. What I am trying to figure out is, in the scenario that I presented, which can be done with either method, are there any differences in the way that the ASA processes traffic associated with the ACL?
>
> Regards,
>
> Terry Little
>
> From: Pieter-Jan Nefkens [mailto:[email protected]]
> Sent: Sunday, May 23, 2010 9:18 AM
> To: Terry Little (terlittl)
> Cc: CCIE Sec
> Subject: Re: [OSL | CCIE_Security] object groups service question
>
> Hello Terry,
>
> There is a difference. With the first service object-group TEST, you can combine different protocols (tcp, udp, esp, etc.) together, while with the second you basically group tcp service objects.
>
> Let's give a different example. Suppose you have a bunch of hosts that run VPN services for you. Then you could better do this:
>
>     object-group service vpnservices
>      service-object udp eq 500
>      service-object udp eq 4500
>      service-object esp
>
>     access-list acl_outside permit object-group vpnservices any object-group vpnhosts
>
> This way, one line basically allows everybody to connect to the object-group vpnhosts with just VPN services.
>
> Another example would be that you're running webservers on ports 80, 81, 82, 83, 84 and 86; then you could do:
>
>     object-group service webservices tcp
>      port-object eq 80
>      port-object eq 81
>      port-object eq 82
>      port-object eq 83
>      port-object eq 84
>      port-object eq 86
>
>     access-list acl_outside permit tcp any object-group webservers object-group webservices
>
> So the purpose of the one service object-group is just for a collection of ports within the same protocol (second example), and with the first you can mix and match multiple protocols and ports in a single service object-group.
>
> HTH
>
> Pieter-Jan
>
> On May 23, 2010, at 5:06 PM, Terry Little (terlittl) wrote:
>
> Other than how they are applied, is there a difference between the following two sets of ASA configurations? They appear to operate the same to me, but I just want to make sure that I haven't missed some corner case where you have to use one over the other.
>
>     object-group service TEST
>      service-object tcp eq 2222
>      service-object tcp eq 3333
>
>     access-list TEST permit object-group TEST any any
>
> AND
>
>     object-group service TEST tcp
>      port-object eq 2222
>      port-object eq 3333
>
>     access-list TEST permit tcp any any object-group TEST
>
> Terry Little
> Network Consulting Engineer, World Wide Security Services Practice
> Cisco Systems, Inc.
>
> --
> Pieter-Jan Nefkens
> Nefkens Advies
> Web: http://www.nefkensadvies.nl/

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
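Added example (editor's code, not from anyone in the thread): a small Python expander that mimics, in simplified form, the "explosion" of service object-groups into single-line ACEs that Pieter-Jan says "show access-list" displays. It feeds in Terry's two TEST variants (renamed TEST_A and TEST_B, an assumption so both fit in one config) plus the vpnservices group, and shows that both TEST forms produce identical ACEs; the output format is a simplification, not the ASA's exact text, and network object-groups are left unexpanded.

```python
import re
# Constructed sample config (not the thread's text verbatim): Terry's two "TEST"
# variants renamed TEST_A / TEST_B, plus the vpnservices group from Pieter-Jan's reply.
SAMPLE_CONFIG = """\
object-group service TEST_A
 service-object tcp eq 2222
 service-object tcp eq 3333
access-list TEST_A permit object-group TEST_A any any
object-group service TEST_B tcp
 port-object eq 2222
 port-object eq 3333
access-list TEST_B permit tcp any any object-group TEST_B
object-group service vpnservices
 service-object udp eq 500
 service-object udp eq 4500
 service-object esp
access-list acl_outside permit object-group vpnservices any object-group vpnhosts
"""

GROUP_RE = re.compile(r"object-group service (\S+)(?: (tcp|udp|tcp-udp))?$")
# Form 1 (group carries protocol + port) or form 2 (explicit protocol, port group last).
ACL_RE = re.compile(r"access-list (\S+) (permit|deny) "
                    r"(?:object-group (\S+) (.+)|(\S+) (.+?) object-group (\S+))$")

def parse_service_groups(config):
    """Return {group: [(protocol, port_spec)]}; port_spec is '' for esp etc."""
    groups, current, proto = {}, None, None
    for line in (l.strip() for l in config.splitlines()):
        if m := GROUP_RE.match(line):
            current, proto = m[1], m[2]           # proto is None for a mixed group
            groups[current] = []
        elif line.startswith("service-object "):   # member of the group just opened
            t = line.split(maxsplit=2)            # protocol, then optional 'eq 2222'
            groups[current].append((t[1], t[2] if len(t) > 2 else ""))
        elif line.startswith("port-object "):     # port only; protocol from the header
            groups[current].append((proto, line[len("port-object "):]))
    return groups

def explode_acl(config):
    """Expand service object-group ACLs into single-line ACEs, a simplified view
    of what 'show access-list' prints (network object-groups are left as-is)."""
    groups, aces = parse_service_groups(config), []
    for line in (l.strip() for l in config.splitlines()):
        if not (m := ACL_RE.match(line)):
            continue                              # plain ACE or non-ACL line: skip
        name, action, grp1, ep1, acl_proto, ep2, grp2 = m.groups()
        items = groups[grp1] if grp1 else [(acl_proto, p) for _, p in groups[grp2]]
        for proto, port in items:
            aces.append(f"{name} {action} {proto} {ep1 or ep2} {port}".rstrip())
    return aces
```

Comparing the exploded ACEs of TEST_A and TEST_B (ignoring the ACL name) is the offline equivalent of the "show access-list" check suggested in the thread; the esp entry shows why the mixed form is needed when a service has no port.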
