2-6
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 2 Objects for Access Control
Configure Objects
• service-object {icmp | icmp6} [icmp-type [icmp_code]]—For ICMP or ICMP version 6 messages.
You can optionally specify the ICMP type by name or number (0-255) to limit the object to that
message type. If you specify a type, you can optionally specify an ICMP code for that type (1-255).
If you do not specify the code, then all codes are used.
• service-object {tcp | udp | tcp-udp} [source operator port] [destination operator port]—For TCP,
UDP, or both. You can optionally specify ports for the source, destination, or both. You can specify
the port by name or number. The operator can be one of the following:
–
lt—less than.
–
gt—greater than.
–
eq—equal to.
–
neq—not equal to.
–
range—an inclusive range of values. When you use this operator, specify two port numbers, for
example, range 100 200.
• service-object object object_name—The name of an existing service object.
• group-object object_group_name—The name of an existing service object group.
Example
hostname(config-service-object-group)# service-object ipsec
hostname(config-service-object-group)# service-object tcp destination eq domain
hostname(config-service-object-group)# service-object icmp echo
hostname(config-service-object-group)# service-object object my-service
hostname(config-service-object-group)# group-object Engineering_groups
Step 3 (Optional) Add a description.
hostname(config-service-object-group)# description string
Examples
The following example shows how to add both TCP and UDP services to a service object group:
hostname(config)# object-group service CommonApps
hostname(config-service-object-group)# service-object tcp destination eq ftp
hostname(config-service-object-group)# service-object tcp-udp destination eq www
hostname(config-service-object-group)# service-object tcp destination eq h323
hostname(config-service-object-group)# service-object tcp destination eq https
hostname(config-service-object-group)# service-object udp destination eq ntp
The following example shows how to add multiple service objects to a service object group:
hostname(config)# object service SSH
hostname(config-service-object)# service tcp destination eq ssh
hostname(config)# object service EIGRP
hostname(config-service-object)# service eigrp
hostname(config)# object service HTTPS
hostname(config-service-object)# service tcp source range 1 1024 destination eq https
hostname(config)# object-group service Group1
hostname(config-service-object-group)# service-object object SSH
hostname(config-service-object-group)# service-object object EIGRP
hostname(config-service-object-group)# service-object object HTTPS
To Next Page
Loading...
Need help?
General
