IOS ACL Using Service Object Group and TCP Flags

Stephen Craven
Level 4

Under vanilla IOS, is it possible to use both TCP flags (established, syn, rst, etc.) and service object groups?


For example, I can create an ACL that only allows return traffic from established Telnet and SSH connections:

ip access-list extended DEMO-TCP
 permit tcp host 1.1.1.1 eq 22 host 2.2.2.2 established
 permit tcp host 1.1.1.1 eq 23 host 2.2.2.2 established

And I can create a single object group for the two TCP protocols to reduce the ACL into one line:

object-group service TCP-PORTS
 tcp source 22
 tcp source 23

ip access-list extended DEMO-TCP
 permit object-group TCP-PORTS host 1.1.1.1 host 2.2.2.2

But when I use a service object-group in an ACL I lose the TCP flag options at the end:

LABB-RA1(config-ext-nacl)#$ect-group TCP-PORTS host 1.1.1.1 host 2.2.2.2 ?
dscp Match packets with given dscp value
fragments Check non-initial fragments
log Log matches against this entry
log-input Log matches against this entry, including input interface
option Match packets with given IP Options value
time-range Specify a time-range
tos Match packets with given TOS value
ttl Match packets with given TTL value
<cr> <cr>
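The post contrasts two ways of writing the same return-traffic filter: one ACE per port with the `established` keyword, or a single ACE that references a service object group but (on this router) offers no TCP-flag keywords. The helper below is an added example, not part of the original post and not Cisco code: it parses `object-group service` blocks of the form shown in the post and expands them back into per-port ACEs with the flag appended, so an operator can keep the object-group definition as the source of truth while still generating the flag-bearing form. The sample configuration is constructed (it repeats the post's TCP-PORTS group and adds a hypothetical WEB-PORTS group); accepting an optional `eq` before the port is an assumption about IOS syntax variants and is not something the post shows.

```python
import re
from typing import Dict, List

# Constructed sample config: the group from the post plus a second,
# hypothetical group to show that several blocks parse independently.
SAMPLE_CONFIG = """\
object-group service TCP-PORTS
 tcp source 22
 tcp source 23
object-group service WEB-PORTS
 tcp source eq 80
 tcp source eq 443
ip access-list extended DEMO-TCP
 permit object-group TCP-PORTS host 1.1.1.1 host 2.2.2.2
"""

GROUP_RE = re.compile(r"^object-group service (\S+)$")
# 'eq' is optional here as an assumption about syntax variants; the post
# itself only shows 'tcp source <port>'.
ENTRY_RE = re.compile(r"^tcp source (?:eq )?(\S+)$")


def parse_service_groups(config: str) -> Dict[str, List[str]]:
    """Return {group_name: [port, ...]} for every 'object-group service'
    block made of 'tcp source <port>' entries. Any other line ends the
    current block, so trailing ACL text is ignored rather than mis-parsed."""
    groups: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            groups[current].append(m.group(1))
            continue
        current = None
    return groups


def expand_aces(groups: Dict[str, List[str]], group_name: str,
                src_host: str, dst_host: str, flag: str = "established") -> List[str]:
    """Expand one service group into per-port ACEs carrying a TCP flag keyword.
    The ports are source ports, matching the 'tcp source' entries and the
    'eq <port>' placement after the source host in the post's first ACL."""
    if group_name not in groups:
        raise KeyError(f"unknown object-group {group_name}")
    return [
        f" permit tcp host {src_host} eq {port} host {dst_host} {flag}"
        for port in groups[group_name]
    ]


def build_acl(acl_name: str, aces: List[str]) -> str:
    """Wrap the expanded ACEs in an 'ip access-list extended' header."""
    return "\n".join([f"ip access-list extended {acl_name}", *aces])


if __name__ == "__main__":
    parsed = parse_service_groups(SAMPLE_CONFIG)
    aces = expand_aces(parsed, "TCP-PORTS", "1.1.1.1", "2.2.2.2")
    print(build_acl("DEMO-TCP", aces))
```

Running the block prints the three-line DEMO-TCP ACL from the top of the post, regenerated from the object group. Because the expansion is deterministic, the generated ACL can be diffed against the running configuration to confirm that the per-port form and the object-group form still cover the same ports after either is edited.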
