Cisco ASA 5505 Configuration Manual page 313


Chapter 13
Configuring Objects
Configuring Service Objects and Service Groups
This section describes how to configure service objects and service groups, and it includes the following topics:

- Information about Service Objects and Service Groups, page 13-5
- Adding and Editing a Service Object, page 13-6
- Adding and Editing a Service Group, page 13-7
- Browse Service Groups, page 13-9

Information about Service Objects and Service Groups

A service object contains a protocol and optional (source and/or destination) port and an associated description. You create and use a service object in adaptive security appliance configurations in the place of an inline IP address in a configuration. You can define an object with a particular IP address/mask pair or a protocol (and optionally a port) and use this object in several configurations.

The advantage to using an object is that whenever you want to modify the configurations related to this IP address or protocol, you do not need to search the running configuration and modify the rules in all places. You can modify the object once, and then the change automatically applies to all rules that use this object.

Service objects can be used in NAT configurations, access lists, and object groups.

You can associate multiple services into a named service group. You can specify any type of protocol and service in one group or create service groups for each of the following types:

- TCP ports
- UDP ports
- ICMP types
- IP protocols

Multiple service groups can be nested into a "group of groups" and used as a single group.

You can use a service group for most configurations that require you to identify a port, ICMP type, or protocol. When you are configuring NAT or security policy rules, the ASDM window even includes a Services pane at the right that shows available service groups and other global objects; you can add, edit, or delete objects directly in the Services pane.

You can also create a named object in a service object group, which provides the ability to modify an object in one place and have it be reflected in all other places that are referencing it. Otherwise, modifying an object requires a manual process of changing all IP address and mask pairs in the configuration. In addition, you can attach a named object to (or detach a named object from) one or more object groups to ensure that objects are not duplicated but are used efficiently. (A named service object may be attached to or detached from a service object group only, not an object group of another type.) The object can then be re-used and cannot be deleted if other modules are still referencing it.

When you delete a service object or service group, it is removed from all service groups and access rules where it is used.

If a service group is used in an access rule, do not remove the service group unless you want to delete the access rule. A service group used in an access rule cannot be made empty.

For information about adding or editing a service object, see the "Adding and Editing a Service Object" section on page 13-6.

Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 13-5
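An added example, not part of the Cisco guide: a pre-deletion check for the behavior described above, where deleting a service object or service group removes it from every service group and access rule that uses it, including through nested groups. It assumes the configuration has been exported in ASA CLI form (object service, object-group service, access-list), which this ASDM page does not show; the sample configuration, object names and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in ASA CLI form (assumption: the page itself only covers ASDM).
SAMPLE_CONFIG = """\
object service WEB-HTTPS
 service tcp destination eq 443
object service SYSLOG
 service udp destination eq 514
object-group service WEB-SERVICES
 service-object object WEB-HTTPS
 service-object tcp destination eq 80
object-group service DMZ-SERVICES
 group-object WEB-SERVICES
 service-object icmp echo
access-list OUTSIDE_IN extended permit object-group DMZ-SERVICES any host 192.0.2.10
access-list INSIDE_OUT extended permit object SYSLOG any host 192.0.2.20
"""

def parse(config):
    """Return (parents, acl_refs): who contains each name, and which ACL lines name it."""
    parents = defaultdict(set)    # member name -> service groups that contain it
    acl_refs = defaultdict(list)  # object/group name -> access-list lines naming it
    group = None
    for line in config.splitlines():
        if not line.startswith(" "):          # a top-level command ends any group body
            m = re.match(r"object-group service (\S+)", line)
            group = m.group(1) if m else None
            if line.startswith("access-list "):
                for name in re.findall(r"\bobject(?:-group)? (\S+)", line):
                    acl_refs[name].append(line)
        elif group:
            m = re.match(r"\s+(?:service-object object|group-object) (\S+)", line)
            if m:
                parents[m.group(1)].add(group)
    return parents, acl_refs

def deletion_impact(config, name):
    """Groups and access rules affected by deleting `name`, directly or via nesting."""
    parents, acl_refs = parse(config)
    seen, stack = set(), [name]
    while stack:                              # walk up the "group of groups" chain
        for g in parents[stack.pop()] - seen:
            seen.add(g)
            stack.append(g)
    rules = [l for n in [name, *sorted(seen)] for l in acl_refs[n]]
    return sorted(seen), rules
```

Calling deletion_impact(SAMPLE_CONFIG, "WEB-HTTPS") reports both enclosing groups and the OUTSIDE_IN rule, even though that rule never names the object itself.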

This manual is also suitable for: ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580