[c-nsp] So when is IPv6 failover coming to the ASA?
Brandon Ewing
nicotine at warningg.com
Mon Sep 28 14:02:26 EDT 2009
On Mon, Sep 28, 2009 at 06:51:43PM +0100, Alan Buxey wrote:
> Hi,
>
> PS on another note, I've found with the ASA that if you specify
> a UDP_TCP rule - e.g. DNS/53 then it doesn't quite work right.
> Separate 53 UDP and 53 TCP, things are fine - I've either misunderstood
> the UDP/TCP logic in the ASA or *its* logic is wrong. And only
> one of us can be right... ;-)
>
TCP/UDP rules still require two rules to be listed in 7.x and 8.0, one with
protocol TCP, one with protocol UDP, or be utilized with a protocol-group of
tcp-udp.
If you expand the access-list with "show run access-list name", you can see
the individual rules applied.
8.2 introduces "dual-service-object-group mode" -- meaning you can define a
service group WITHOUT the protocol specification at the end, and define
protocols on a per-service basis:
object-group service TEST
 service-object tcp-udp eq domain
 service-object tcp eq www
 service-object icmp echo
!
Then utilize it in an ACL:
access-list TEST-ACL permit object-group TEST any host 1.2.3.4
--
Brandon Ewing (nicotine at warningg.com)
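For comparison, here is the pre-8.2 (7.x / 8.0) form of the same DNS rule that the message above describes in prose: a protocol object-group containing tcp and udp, a tcp-udp service object-group carrying the port, and an ACL entry that references both. This is an added illustration, not configuration from the original message; the names TCPUDP, DNS-PORTS and OUTSIDE-IN are assumed, and only host 1.2.3.4 comes from the post.

```text
! Protocol group: stands in for the protocol field of the ACE
object-group protocol TCPUDP
 protocol-object tcp
 protocol-object udp
!
! Service group with the protocol fixed at definition time (pre-8.2 style)
object-group service DNS-PORTS tcp-udp
 port-object eq domain
!
! One ACE that the ASA expands into separate TCP and UDP entries;
! "show run access-list OUTSIDE-IN" lists the expanded rules
access-list OUTSIDE-IN extended permit object-group TCPUDP any host 1.2.3.4 object-group DNS-PORTS
!
! Equivalent without object-groups: two explicit entries
access-list OUTSIDE-IN extended permit tcp any host 1.2.3.4 eq domain
access-list OUTSIDE-IN extended permit udp any host 1.2.3.4 eq domain
```

Either form yields the same expanded entries; the object-group version is simply easier to maintain when more hosts or ports are added, and checking the expansion with "show run access-list" is the quickest way to confirm the ASA has produced both the TCP and the UDP entry.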