Configure A Service Group - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Chapter 2
Objects for Access Control
Example
hostname(config-service-object)# service tcp destination eq http
Step 3  (Optional) Add a description.
hostname(config-service-object)# description string

Configure a Service Group

A service object group can include a mix of protocols, along with optional source and destination
ports for TCP or UDP.
Before You Begin
You can model all services using the generic service object group, which is explained here. However,
you can still configure the types of service group objects that were available prior to ASA 8.3(1). These
legacy objects include TCP/UDP/TCP-UDP port groups, protocol groups, and ICMP groups. The
contents of these groups are equivalent to the associated configuration in the generic service object
group, with the exception of ICMP groups, which do not support ICMP6 or ICMP codes. If you still want
to use these legacy objects, for detailed instructions, see the object-service command description in the
command reference on Cisco.com.
Procedure
Step 1  Create or edit a service object group using the object name.
ciscoasa(config)# object-group service group_name
Example
hostname(config)# object-group service general-services
Step 2  Add objects and services to the service object group using one or more of the following commands. Use
the no form of the command to remove an object.
• service-object {icmp | icmp6} [icmp-type [icmp_code]]—For ICMP or ICMP version 6 messages. You can
  optionally specify the ICMP type by name or number (0-255) to limit the object to that message
  type. If you specify a type, you can optionally specify an ICMP code for that type (1-255). If you
  do not specify the code, then all codes are used.
• service-object {tcp | udp} [source operator port] [destination operator port]—For TCP or UDP. You can
  optionally specify ports for the source, destination, or both. You can specify the port by name or
  number. The operator can be one of the following:
  - lt—less than.
  - gt—greater than.
  - eq—equal to.
  - neq—not equal to.
  - range—an inclusive range of values. When you use this operator, specify two port numbers, for
    example, range 100 200.
• service-object protocol—The name or number (0-255) of an IP protocol. Specify ip to apply to all
  protocols.
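
The following Python check is an added example, not part of the Cisco guide. It parses service-object lines in the syntax listed above and reports entries that match more destination ports than a reviewer-chosen limit, which makes visible how much wider neq, gt, or an omitted port clause is than eq or range. The 1-65535 port space, the limit of 1024, the NAMED subset of port names, and the SAMPLE group are assumptions constructed for the illustration.

```python
ALL_PORTS = 65535  # assumption for this example: valid ports are 1-65535
NAMED = {"ssh": 22, "telnet": 23, "domain": 53, "http": 80, "https": 443}  # subset

def width(op, args):
    """Number of ports one 'operator port' clause matches."""
    nums = [NAMED.get(a) or int(a) for a in args]
    if op == "range":                      # inclusive: range 100 200 is 101 ports
        return nums[1] - nums[0] + 1
    return {"eq": 1, "neq": ALL_PORTS - 1,
            "lt": nums[0] - 1, "gt": ALL_PORTS - nums[0]}[op]

def parse(line):
    """Parse one service-object line into protocol and per-side port counts."""
    tok = line.split()
    if len(tok) < 2 or tok[0] != "service-object":
        raise ValueError(f"not a service-object line: {line!r}")
    entry = {"protocol": tok[1], "source": None, "destination": None}
    if tok[1] in ("tcp", "udp"):           # an omitted side means every port
        entry["source"] = entry["destination"] = ALL_PORTS
        i = 2
        while i < len(tok):
            side, op = tok[i], tok[i + 1]
            if side not in ("source", "destination"):
                raise ValueError(f"unexpected keyword {side!r}")
            n = 2 if op == "range" else 1
            entry[side] = width(op, tok[i + 2:i + 2 + n])
            i += 2 + n
    return entry

def audit(config, limit=1024):
    """Return (line, reason) for entries wider than `limit` destination ports."""
    findings = []
    entries = [l.strip() for l in config.splitlines()]
    for line in (l for l in entries if l.startswith("service-object")):
        e = parse(line)
        if e["protocol"] == "ip":
            findings.append((line, "all IP protocols"))
        elif (e["destination"] or 0) > limit:
            findings.append((line, f"{e['destination']} destination ports"))
    return findings

SAMPLE = """\
object-group service general-services
 service-object tcp destination eq https
 service-object udp destination range 100 200
 service-object tcp source gt 1023 destination neq telnet
 service-object icmp echo
 service-object ip
"""  # constructed input, not taken from a real device
```

Calling audit(SAMPLE) returns the neq entry and the ip entry; the eq, range, and icmp entries fall under the limit.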
Cisco ASA Series Firewall CLI Configuration Guide
Configure Objects