I’ve just taken over managing an ASA 5520 firewall (among other things). I’ve been looking to consolidate and group permissions as much as possible to cut down on the number of rules in the config file.
I ran into an issue with the object-group service not having a corresponding variable equivalent in the access-list:
access-list DMZIn extended permit udp host server any eq 53
access-list DMZIn extended permit tcp host server any eq 53
I would like to set this up to reduce the lines used:
object-group service DNSPROTO tcp-udp
port-object eq 53
access-list DMZIn extended permit (???) host server any object-group DNSPROTO
The object-group service allows 3 types (tcp|udp|tcp-udp). The problem is I cannot find in any reference the use of an access list with tcp-udp; I found complaints it wasn’t implemented. I was wondering if the solution is listed below:
access-list DMZIn extended permit ip host server any object-group DNSPROTO
This would allow IP packets from the server to anywhere but limit the port to 53. Would this open it up to ICMP attacks on that port?
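One common way to write the consolidated rule on the ASA is to pair the tcp-udp service group with a protocol object-group (object-group protocol / protocol-object). The script below is added here and is not part of the original post: it expands both the two original ACEs and the consolidated form into flat (acl, protocol, src, dst, dport) tuples so you can confirm they permit exactly the same traffic before committing the change. The group name TCPUDP, the "server" hostname and the simplified model of what "ip" covers are assumptions.

```python
# Constructed helper, not from the original post: flatten a small subset of ASA
# object-group / access-list syntax so a consolidated rule can be checked against it.
import re

ACE_RE = re.compile(r"access-list (\S+) extended permit (?:object-group (\S+)|(\S+)) "
                    r"host (\S+) any(?: eq (\d+)| object-group (\S+))?$")

def parse(config):
    """Collect protocol groups, service groups and ACEs from config text."""
    proto_groups, svc_groups, aces, current = {}, {}, [], None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"object-group protocol (\S+)$", line):
            current = proto_groups.setdefault(m[1], [])
        elif m := re.match(r"object-group service (\S+) (tcp|udp|tcp-udp)$", line):
            current = svc_groups.setdefault(m[1], (m[2].split("-"), []))
        elif m := re.match(r"protocol-object (\S+)$", line):
            current.append(m[1])
        elif m := re.match(r"port-object eq (\d+)$", line):
            current[1].append(int(m[1]))
        elif m := ACE_RE.match(line):
            aces.append(m.groups())
    return proto_groups, svc_groups, aces

def expand(config):
    """Set of (acl, proto, src, dst, dport) the ACEs permit; dport None = any port."""
    proto_groups, svc_groups, aces = parse(config)
    flat = set()
    for acl, pgrp, proto, src, port, svc in aces:
        ip_model = ["tcp", "udp", "icmp"]  # assumption: what 'ip' is taken to cover here
        protos = proto_groups[pgrp] if pgrp else (ip_model if proto == "ip" else [proto])
        for p in protos:
            if not svc:
                flat.add((acl, p, src, "any", int(port) if port else None))
                continue
            sprotos, ports = svc_groups[svc]
            if p not in sprotos:  # e.g. 'permit ip ... object-group <tcp-udp group>'
                raise ValueError(f"cannot model {p} against service group {svc}; "
                                 "verify the ACE on the ASA itself with packet-tracer")
            flat.update((acl, p, src, "any", d) for d in ports)
    return flat

ORIGINAL = ("access-list DMZIn extended permit udp host server any eq 53\n"
            "access-list DMZIn extended permit tcp host server any eq 53\n")
CONSOLIDATED = """
object-group protocol TCPUDP
 protocol-object tcp
 protocol-object udp
object-group service DNSPROTO tcp-udp
 port-object eq 53
access-list DMZIn extended permit object-group TCPUDP host server any object-group DNSPROTO
"""
```

`expand(ORIGINAL) == expand(CONSOLIDATED)` is True, while a plain `permit ip host server any` expands to a superset that includes icmp with no port restriction; the `permit ip ... object-group DNSPROTO` form from the post is deliberately rejected by the model, since its effect is something to confirm on the device rather than assume.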