[c-nsp] So when is IPv6 failover coming to the ASA?

Brandon Ewing nicotine at warningg.com
Mon Sep 28 14:02:26 EDT 2009


On Mon, Sep 28, 2009 at 06:51:43PM +0100, Alan Buxey wrote:
> Hi,
> 
> PS on another note, I've found with the ASA that if you specify
> a UDP_TCP rule - e.g. DNS/53 then it doesn't quite work right.
> separate 53 UDP and 53 TCP, things are fine - I've either misunderstood
> the UDP/TCP logic in the ASA or *its* logic is wrong, and only
> one of us can be right...  ;-)
> 

TCP/UDP rules still require two rules to be listed in 7.x and 8.0, one with
protocol TCP, one with protocol UDP, or be utilized with a protocol-group of
tcp-udp.  

If you expand the access-list with "show run access-list name", you can see
the individual rules applied.

8.2 introduces "dual-service-object-group mode" -- meaning you can define a
service group WITHOUT the protocol specification at the end, and define
protocols on a per-service basis:

object-group service TEST
 service-object tcp-udp eq domain
 service-object tcp eq www
 service-object icmp echo
!

Then utilize it in an ACL:
access-list TEST-ACL permit object-group TEST any host 1.2.3.4

-- 
Brandon Ewing                                        (nicotine at warningg.com)
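The point in the reply above is that a single "tcp-udp" entry is really two rules underneath, one per protocol, which is what "show run access-list" reveals. The following Python script is an added example (not part of the mailing-list post, and not Cisco's code) that parses an 8.2-style service object-group and expands an ACL that references it into the per-protocol ACEs the ASA would list. The sample configuration is constructed from the group and ACL shown in the message; the parser assumes the dual-service-object-group form shown there (no protocol suffix on the group line, "service-object" members) and does not handle the older "port-object" groups.

```python
import re
from dataclasses import dataclass, field

# Constructed sample mirroring the object-group and ACL quoted in the message.
SAMPLE_CONFIG = """\
object-group service TEST
 service-object tcp-udp eq domain
 service-object tcp eq www
 service-object icmp echo
!
access-list TEST-ACL permit object-group TEST any host 1.2.3.4
"""


@dataclass
class ServiceObject:
    protocol: str  # tcp, udp, tcp-udp, icmp, ...
    spec: str      # e.g. "eq domain", "echo", or "" for a bare protocol


@dataclass
class ServiceGroup:
    name: str
    members: list = field(default_factory=list)


# Matches an ACE that references a service group; "extended" is optional
# because the message omits it.
ACE_RE = re.compile(
    r"access-list (\S+) (extended )?(permit|deny) object-group (\S+) (.+)$"
)


def parse_service_groups(config):
    """Parse 'object-group service NAME' blocks (8.2 dual-service style,
    i.e. no protocol suffix on the group line). Returns {name: ServiceGroup}."""
    groups = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object-group service (\S+)$", line)
        if m:
            current = ServiceGroup(m.group(1))
            groups[current.name] = current
            continue
        if current is None:
            continue
        m = re.match(r"service-object (\S+)(?:\s+(.*))?$", line)
        if m:
            current.members.append(ServiceObject(m.group(1), m.group(2) or ""))
        elif line.startswith("!") or line == "" or not raw.startswith(" "):
            current = None  # end of the indented block
    return groups


def expand_protocol(protocol):
    """'tcp-udp' is shorthand for two ACEs, one per protocol; anything else
    expands to itself."""
    return ["tcp", "udp"] if protocol == "tcp-udp" else [protocol]


def expand_acl(config):
    """Return the individual ACEs an ACL referencing a service group
    expands to, in the order the group lists its members."""
    groups = parse_service_groups(config)
    expanded = []
    for raw in config.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        name, ext, action, group, endpoints = m.groups()
        if group not in groups:
            raise ValueError(f"ACL {name} references unknown service group {group}")
        for member in groups[group].members:
            for proto in expand_protocol(member.protocol):
                ace = f"access-list {name} {ext or ''}{action} {proto} {endpoints}"
                if member.spec:
                    ace += f" {member.spec}"
                expanded.append(ace)
    return expanded


def protocols_for_port(expanded, port_spec):
    """Which protocols the expanded ACEs cover for a port spec such as
    'eq domain'; a DNS rule should come back as both tcp and udp."""
    protos = set()
    for ace in expanded:
        m = re.match(r"access-list \S+ (?:extended )?(?:permit|deny) (\S+) .*\s" + re.escape(port_spec) + r"$", ace)
        if m:
            protos.add(m.group(1))
    return sorted(protos)


if __name__ == "__main__":
    for ace in expand_acl(SAMPLE_CONFIG):
        print(ace)
    print("DNS protocols:", protocols_for_port(expand_acl(SAMPLE_CONFIG), "eq domain"))
```

Running it prints four ACEs for the one object-group line: tcp and udp for "eq domain", tcp for "eq www", and icmp echo. The `protocols_for_port` check is the quick sanity test for the problem in the quoted question: if a DNS rule comes back as only one of tcp or udp, the group or ACL was not written the way the platform expands it.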