Service subcommand mode

fw1(config)# object-group service Host_Services tcp
fw1(config-service)# port-object eq http
fw1(config-service)# port-object eq https
fw1(config-service)# port-object eq ftp

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—6-9

To configure a service object group, first enter the object-group service command to name the service object group and enable the service subcommand mode. Using the tcp option specifies that the service object group contains ports that are used for TCP only. Using the udp option specifies that the service object group contains ports that are used for UDP only. Using the tcp-udp option specifies that the service object group contains ports that are used for both TCP and UDP.

Once you are in the subcommand mode, use the port-object command to add a single TCP or UDP port number to the service object group. The same command can also add a range of TCP or UDP port numbers to the service object group.

The syntax for the port-object commands is as follows:

port-object eq service
port-object range begin_service end_service

eq service

Specifies the decimal number or name of a TCP or UDP port for a service object.

range

Specifies a range of ports (inclusive).

begin_service

Specifies the decimal number or name of a TCP or UDP port that is the beginning value for a range of services. This value must be between 0 and 65535.

end_service

Specifies the decimal number or name of a TCP or UDP port that is the ending value for a range of services. This value must be between 0 and 65535.

In the figure, the administrator wants each Inside_Eng host to have outbound HTTP, HTTPS, and FTP capabilities. A service object group, Host_Services, is defined. Individual protocols, HTTP, HTTPS, and FTP, are added in the subcommand mode.

Note: The protocol type of a service object group and the protocol type of the ACE to which it is associated must match. For example, if the service object group Host_Services is created for TCP services, this object can only be associated with an ACE (permit or deny) that also refers to TCP services, as in the following example:

firewall(config)# access-list inside permit tcp object-group Inside_Eng any object-group Host_Services
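The two rules the text states (port values must lie between 0 and 65535, and a service object group may only be referenced from an ACE of the same protocol type) are easy to get wrong when configurations are edited by hand. The following linter is an added example, not part of the SNPA course material or any Cisco tool. It parses the subset of PIX syntax shown above from a constructed configuration transcript and reports violations. The well-known service name table, the prompt format it strips, and the treatment of a tcp-udp group as compatible with either a tcp or a udp ACE are assumptions made for this example.

```python
"""Lint PIX-style service object groups and the ACEs that reference them.

Added example (not from the course material). Checks:
  - port-object values resolve to 0..65535 and range begin <= end
  - an ACE that references a service object group uses a matching protocol
"""
import re

# Constructed subset of well-known service names; a real firewall knows many more.
SERVICE_NAMES = {"http": 80, "https": 443, "ftp": 21, "smtp": 25, "domain": 53}

# Assumed prompt format, e.g. "fw1(config)# " or "fw1(config-service)# ".
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")

# Constructed sample transcript: line 7 is out of range, line 9 mismatches protocol.
SAMPLE_CONFIG = """\
fw1(config)# object-group service Host_Services tcp
fw1(config-service)# port-object eq http
fw1(config-service)# port-object eq https
fw1(config-service)# port-object eq ftp
fw1(config)# object-group service DNS_Ports udp
fw1(config-service)# port-object eq 53
fw1(config-service)# port-object range 70000 70001
fw1(config)# access-list inside permit tcp object-group Inside_Eng any object-group Host_Services
fw1(config)# access-list inside permit tcp object-group Inside_Eng any object-group DNS_Ports
"""


def port_value(token):
    """Resolve a port token (decimal number or well-known name) to an integer."""
    if token in SERVICE_NAMES:
        return SERVICE_NAMES[token]
    if token.isdigit():
        return int(token)
    raise ValueError(f"unknown service name {token!r}")


def protocol_matches(group_proto, ace_proto):
    """Assumption for this example: a tcp-udp group fits either a tcp or a udp ACE."""
    if group_proto == "tcp-udp":
        return ace_proto in ("tcp", "udp")
    return group_proto == ace_proto


def lint_config(text):
    """Return (groups, errors).

    groups maps service group name -> (protocol, [(low, high), ...]);
    errors is a list of human-readable findings prefixed with the line number.
    """
    groups, errors = {}, []
    current = None  # service group being filled in subcommand mode, if any
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = PROMPT.sub("", raw).split()
        if not tokens:
            continue
        if tokens[:2] == ["object-group", "service"] and len(tokens) == 4:
            name, proto = tokens[2], tokens[3]
            if proto not in ("tcp", "udp", "tcp-udp"):
                errors.append(f"line {lineno}: bad protocol {proto!r} for {name}")
                current = None
                continue
            groups[name] = (proto, [])
            current = name
        elif tokens[0] == "port-object":
            if current is None:
                errors.append(f"line {lineno}: port-object outside service subcommand mode")
                continue
            try:
                if tokens[1] == "eq" and len(tokens) == 3:
                    low = high = port_value(tokens[2])
                elif tokens[1] == "range" and len(tokens) == 4:
                    low, high = port_value(tokens[2]), port_value(tokens[3])
                else:
                    raise ValueError("unsupported port-object form")
            except (ValueError, IndexError) as exc:
                errors.append(f"line {lineno}: {exc}")
                continue
            if not (0 <= low <= 65535 and 0 <= high <= 65535):
                errors.append(f"line {lineno}: port outside 0-65535")
            elif low > high:
                errors.append(f"line {lineno}: range begin {low} exceeds end {high}")
            else:
                groups[current][1].append((low, high))
        elif tokens[0] == "access-list":
            current = None  # a config-mode command leaves the subcommand mode
            actions = [i for i, t in enumerate(tokens) if t in ("permit", "deny")]
            if not actions or actions[0] + 1 >= len(tokens):
                errors.append(f"line {lineno}: ACE has no action/protocol")
                continue
            ace_proto = tokens[actions[0] + 1]
            # Every "object-group NAME" after the protocol may be a service group.
            for i, t in enumerate(tokens):
                if t == "object-group" and i + 1 < len(tokens) and tokens[i + 1] in groups:
                    name = tokens[i + 1]
                    group_proto = groups[name][0]
                    if not protocol_matches(group_proto, ace_proto):
                        errors.append(f"line {lineno}: ACE protocol {ace_proto} does not "
                                      f"match service object group {name} ({group_proto})")
        else:
            current = None  # simplification: any other command exits subcommand mode
    return groups, errors


if __name__ == "__main__":
    _, findings = lint_config(SAMPLE_CONFIG)
    for finding in findings:
        print(finding)
```

Running the block on the constructed transcript reports the out-of-range port on line 7 and the udp group referenced from a tcp ACE on line 9; the Host_Services group itself, which mirrors the figure, passes cleanly.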

[Figure: network object groups Inside_Eng and Inside_Mktg (192.168.0.0) behind the firewall, with the Host_Services service object group applied to Inside_Eng traffic]

access-list id [line line-number] [extended] {deny | permit}
    {protocol | object-group protocol_obj_grp_id}
    {host sip | sip mask | interface ifc_name | object-group network_obj_grp_id | any}
    {host dip | dip mask | interface ifc_name | object-group network_obj_grp_id | any}
    [log [[level] [interval secs] | disable | default]]
    [inactive | time-range time_range_name]
