10-21
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 10 Controlling Network Access with Access Control Lists
Simplifying Access Control Lists with Object Grouping
To add a service group, follow these steps:
Step 1 To add a service group, enter the following command:
FWSM/contexta(config)# object-group service grp_id {tcp | udp | tcp-udp}
The grp_id is a text string up to 64 characters in length.
Specify the protocol for the services (ports) you want to add, either tcp, udp, or tcp-udp. Enter tcp-udp
if your service uses both TCP and UDP with the same port number, for example, DNS (port 53).
The prompt changes to the service subcommand mode.
Step 2 (Optional) To add a description, enter the following command:
FWSM/contexta(config-service)# description text
The description can be up to 200 characters.
Step 3 To define the ports in the group, enter the following command for each port or range of ports:
FWSM/contexta(config-service)# port-object {eq port | range begin_port end_port}
For a list of permitted keywords and well-known port assignments, see the “Protocols and Applications”
section on page D-5.
For example, to create service groups that include DNS (TCP/UDP), LDAP (TCP), and RADIUS (UDP),
enter the following commands:
FWSM/contexta(config)# object-group service services1 tcp-udp
FWSM/contexta(config-service)# description DNS Group
FWSM/contexta(config-service)# port-object eq domain
FWSM/contexta(config-service)# object-group service services2 udp
FWSM/contexta(config-service)# description RADIUS Group
FWSM/contexta(config-service)# port-object eq radius
FWSM/contexta(config-service)# port-object eq radius-acct
FWSM/contexta(config-service)# object-group service services3 tcp
FWSM/contexta(config-service)# description LDAP Group
FWSM/contexta(config-service)# port-object eq ldap
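When a service group is referenced from an access list, the rule matches every port in the group, and a tcp-udp group matches those ports under both protocols. The following added example (not part of this guide and not FWSM code) parses object-group service stanzas written in the syntax above, including pasted CLI transcripts with prompts, and flattens each group into the (protocol, port) pairs it actually matches, so a group can be audited before it is used in an access-list entry. It enforces the 64-character grp_id and 200-character description limits, rejects a range whose begin_port is above its end_port, treats re-entering an existing group name as adding to that group, and honors the no form of port-object. The port keyword values in PORT_NAMES are an assumption made for the example; the authoritative list is in Appendix D.

```python
import re
from dataclasses import dataclass, field

# Port keywords resolved to numbers. These values are an assumption for the
# example (the guide's Appendix D is the authoritative keyword table).
PORT_NAMES = {
    "domain": 53, "www": 80, "ldap": 389, "radius": 1645, "radius-acct": 1646,
}
# Matches a leading CLI prompt such as "FWSM/contexta(config-service)# ".
PROMPT = re.compile(r"^\S+\(config(?:-[\w-]+)?\)#\s*")


@dataclass
class ServiceGroup:
    name: str
    protocol: str                                # tcp | udp | tcp-udp
    description: str = ""
    ports: list = field(default_factory=list)    # (begin, end), inclusive


def parse_port(token):
    """Resolve a numeric port or a port keyword to an integer in 0..65535."""
    if token.isdigit():
        value = int(token)
    elif token in PORT_NAMES:
        value = PORT_NAMES[token]
    else:
        raise ValueError(f"unknown port keyword {token!r}")
    if not 0 <= value <= 65535:
        raise ValueError(f"port {value} out of range")
    return value


def parse_service_groups(config):
    """Parse object-group service stanzas into {grp_id: ServiceGroup}.
    Re-entering an existing group name adds objects to that group."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip())       # accept pasted CLI transcripts
        if not line or line.startswith("!"):
            continue
        m = re.fullmatch(r"object-group service (\S+) (tcp|udp|tcp-udp)", line)
        if m:
            name, proto = m.groups()
            if len(name) > 64:
                raise ValueError(f"grp_id {name!r} longer than 64 characters")
            current = groups.setdefault(name, ServiceGroup(name, proto))
            if current.protocol != proto:
                raise ValueError(f"{name}: {proto} conflicts with {current.protocol}")
            continue
        if current is None:
            raise ValueError(f"not in service subcommand mode: {line!r}")
        m = re.fullmatch(r"description (.+)", line)
        if m:
            if len(m.group(1)) > 200:
                raise ValueError("description longer than 200 characters")
            current.description = m.group(1)
            continue
        m = re.fullmatch(r"(no )?port-object eq (\S+)", line)
        if m:
            entry = (parse_port(m.group(2)),) * 2
        else:
            m = re.fullmatch(r"(no )?port-object range (\S+) (\S+)", line)
            if not m:
                raise ValueError(f"unrecognised command: {line!r}")
            entry = (parse_port(m.group(2)), parse_port(m.group(3)))
            if entry[0] > entry[1]:
                raise ValueError(f"range {entry} has begin_port > end_port")
        if m.group(1):                            # "no" form removes the object
            if entry not in current.ports:
                raise ValueError(f"cannot remove absent object {entry}")
            current.ports.remove(entry)
        else:
            current.ports.append(entry)
    return groups


def expand(group):
    """Flatten a group to the sorted set of (protocol, port) pairs it matches.
    A tcp-udp group contributes every port under both protocols."""
    protos = ("tcp", "udp") if group.protocol == "tcp-udp" else (group.protocol,)
    return sorted({(p, n) for p in protos for b, e in group.ports
                   for n in range(b, e + 1)})


# Sample input constructed from the transcript above, prompts included.
SAMPLE = """\
FWSM/contexta(config)# object-group service services1 tcp-udp
FWSM/contexta(config-service)# description DNS Group
FWSM/contexta(config-service)# port-object eq domain
FWSM/contexta(config-service)# object-group service services2 udp
FWSM/contexta(config-service)# description RADIUS Group
FWSM/contexta(config-service)# port-object eq radius
FWSM/contexta(config-service)# port-object eq radius-acct
FWSM/contexta(config-service)# object-group service services3 tcp
FWSM/contexta(config-service)# description LDAP Group
FWSM/contexta(config-service)# port-object eq ldap
"""

if __name__ == "__main__":
    for g in parse_service_groups(SAMPLE).values():
        print(f"{g.name} ({g.protocol}) {g.description!r}: {expand(g)}")
```

Running the script on the transcript shows services1 expanding to both tcp/53 and udp/53, which is the practical effect of choosing tcp-udp: a rule that references the group permits DNS over either transport, not just the one the administrator had in mind.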
Adding an ICMP Type Object Group
To add or change an ICMP type object group, follow these steps. After you add the group, you can add
more objects as required by following this procedure again for the same group name and specifying
additional objects. You do not need to reenter existing objects; the commands you already set remain in
place unless you remove them with the no form of the command.
To add an ICMP type group, follow these steps:
Step 1 To add an ICMP type group, enter the following command:
FWSM/contexta(config)# object-group icmp-type grp_id
The grp_id is a text string up to 64 characters in length.
The prompt changes to the ICMP type subcommand mode.