Cisco ASA5520 – object-group service tcp-udp variable


    taraak
    Member
    #143417

    I’ve just taken over managing an ASA 5520 firewall (among other things). I’ve been looking to consolidate and group permissions as much as possible to cut down on the number of rules in the config file.

    I ran into an issue with the object-group service not having a corresponding variable equivalent in the access-list:

    Existing rules:
    access-list DMZIn extended permit udp host server any eq 53
    access-list DMZIn extended permit tcp host server any eq 53

    I would like to set this up to reduce the lines used:
    object-group service DNSPROTO tcp-udp
    port-object eq 53

    access-list DMZIn extended permit (???) host server any object-group DNSPROTO

    The object-group service allows 3 types (tcp|udp|tcp-udp). The problem is I cannot find in any reference the use of an access-list with tcp-udp. I found complaints it wasn’t implemented. I was wondering if the solution is the one listed below:

    access-list DMZIn extended permit ip host server any object-group DNSPROTO

    This would allow IP packets from the server to anywhere but limit the port to 53. Would this open it up to ICMP attacks on that port?


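The consolidation the post is after can be found mechanically before touching the firewall. The following is an added example, not part of the original post and not Cisco code: it parses ASA extended ACL lines of the simple shape used above (`host X` / `any` / `NET MASK` endpoints, optional `eq PORT`), groups rules by everything except the protocol, and reports the source/destination/port combinations that exist for both tcp and udp. For each hit it prints the `object-group service ... tcp-udp` lines the poster already wrote; the matching access-list line is left to the administrator, since the post notes that its syntax depends on the ASA version. The sample configuration and addresses are constructed.

```python
"""
Find ASA extended ACL rules that differ only in protocol (tcp vs udp).
Such pairs are candidates for a single tcp-udp service object-group.
Added example; the parser covers only the line shapes seen in the post.
"""
from collections import defaultdict

# Constructed sample config, modelled on the lines in the post.
SAMPLE_ACL = """
access-list DMZIn extended permit udp host 10.1.1.5 any eq 53
access-list DMZIn extended permit tcp host 10.1.1.5 any eq 53
access-list DMZIn extended permit tcp host 10.1.1.5 any eq 80
access-list DMZIn extended permit udp host 10.1.1.6 any eq 123
access-list DMZIn extended deny ip any any
"""


def parse_endpoint(tokens, i):
    """Parse 'host A', 'any' or 'NET MASK' at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_rule(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'.

    Returns a dict of the fields, or None for lines of another shape.
    """
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
        return None
    name, action, proto = t[1], t[3], t[4]
    src, i = parse_endpoint(t, 5)
    dst, i = parse_endpoint(t, i)
    port = None
    if i + 1 < len(t) and t[i] == "eq":
        port = t[i + 1]
    return {"acl": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port}


def consolidation_candidates(config_text):
    """Return (acl, action, src, dst, port) keys that have both a tcp and a udp rule.

    Rules whose protocol is 'ip' are skipped: a port qualifier is only
    meaningful for tcp/udp, so they cannot be folded into a tcp-udp group.
    """
    groups = defaultdict(set)
    for line in config_text.strip().splitlines():
        r = parse_rule(line)
        if r is None or r["proto"] not in ("tcp", "udp"):
            continue
        key = (r["acl"], r["action"], r["src"], r["dst"], r["port"])
        groups[key].add(r["proto"])
    return sorted(k for k, protos in groups.items() if protos == {"tcp", "udp"})


def suggest_object_group(name, port):
    """The tcp-udp service object-group lines for one consolidated port."""
    return [f"object-group service {name} tcp-udp", f" port-object eq {port}"]


if __name__ == "__main__":
    for acl, action, src, dst, port in consolidation_candidates(SAMPLE_ACL):
        print(f"{acl}: {action} {src} -> {dst} port {port} exists for both tcp and udp")
        print("\n".join(suggest_object_group(f"SVC_{port}", port)))
```

Run against a `show running-config access-list` dump, the script lists every tcp/udp pair that could collapse into one object-group line; rules using `ip` as the protocol are deliberately ignored because `ip` matches every IP protocol, ICMP included, and ICMP carries no port to restrict.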