20-5
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 20 Configuring Objects
Configuring Service Objects and Service Groups
This section describes how to configure service objects and service groups, and it includes the following
topics:
Information about Service Objects and Service Groups, page 20-5
Adding and Editing a Service Object, page 20-6
Adding and Editing a Service Group, page 20-7
Browse Service Groups, page 20-9

Information about Service Objects and Service Groups

A service object contains a protocol, an optional port (source and/or destination), and an associated
description. You create a service object and use it in ASA configurations in place of an inline IP
address. You can define an object with a particular IP address/mask pair or a protocol (and
optionally a port) and use this object in several configurations.
The advantage to using an object is that whenever you want to modify the configurations related to this
IP address or protocol, you do not need to search the running configuration and modify the rules in all
places. You can modify the object once, and then the change automatically applies to all rules that use
this object.
Service objects can be used in NAT configurations, access lists, and object groups.
You can associate multiple services into a named service group. You can specify any type of protocol
and service in one group or create service groups for each of the following types:
TCP ports
UDP ports
ICMP types
IP protocols
Multiple service groups can be nested into a “group of groups” and used as a single group.
You can use a service group for most configurations that require you to identify a port, ICMP type, or
protocol. When you are configuring NAT or security policy rules, the ASDM window even includes a
Services pane at the right that shows available service groups and other global objects; you can add, edit,
or delete objects directly in the Services pane.
You can also create a named object in a service object group, which provides the ability to modify an
object in one place and have it be reflected in all other places that are referencing it. Otherwise,
modifying an object requires a manual process of changing all IP address and mask pairs in the
configuration. In addition, you can attach a named object to (or detach a named object from) one or more
object groups to ensure that objects are not duplicated but are used efficiently. (A named service object
may be attached to or detached from a service object group only, not an object group of another type.)
The object can then be re-used and cannot be deleted if other modules are still referencing it.
When you delete a service object or service group, it is removed from all service groups and access rules
where it is used.
If a service group is used in an access rule, do not remove the service group unless you want to delete
the access rule. A service group used in an access rule cannot be made empty.
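The deletion behavior described above can be checked before you change anything. The following is an added example, not part of the Cisco guide: it parses a configuration in ASA CLI form and lists the access-list lines that reference a service object or service group, directly or through nested groups. The CLI rendering, object names, and addresses in the sample are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in ASA CLI form (object names and addresses are made up).
SAMPLE_CONFIG = """\
object service SVC-HTTPS
 service tcp destination eq 443
object-group service WEB-SERVICES
 service-object object SVC-HTTPS
 service-object tcp destination eq 80
object-group service DMZ-ALLOWED
 group-object WEB-SERVICES
object-group service UNUSED-GROUP
 service-object udp destination eq 514
access-list OUTSIDE_IN extended permit object-group DMZ-ALLOWED any host 192.0.2.10
access-list INSIDE_OUT extended permit object SVC-HTTPS any any
access-list INSIDE_OUT extended permit tcp any any eq 22
"""

def parse(config):
    """Return (parents, rules): member -> containing groups, name -> ACL lines."""
    parents, rules = defaultdict(set), defaultdict(list)
    group = None
    for line in config.splitlines():
        if not line.startswith(" "):
            # A top-level line either opens a service group or ends the current one.
            m = re.match(r"object-group service (\S+)", line)
            group = m.group(1) if m else None
            if line.startswith("access-list "):
                for name in re.findall(r"\bobject(?:-group)? (\S+)", line):
                    rules[name].append(line)
        elif group:
            # Indented members: a named service object or a nested group.
            m = re.match(r"\s+(?:service-object object|group-object) (\S+)", line)
            if m:
                parents[m.group(1)].add(group)
    return parents, rules

def affected_rules(name, config):
    """Access-list lines that reference `name` directly or via nested groups."""
    parents, rules = parse(config)
    seen, stack, hits = set(), [name], set()
    while stack:
        cur = stack.pop()
        if cur not in seen:  # guards against revisiting shared parent groups
            seen.add(cur)
            hits.update(rules.get(cur, []))
            stack.extend(parents.get(cur, ()))
    return sorted(hits)
```

An empty result for a name means that no access-list line in the supplied text references it. References from NAT or other features are not covered by this sketch.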
For information about adding or editing a service object, see the “Adding and Editing a Service Object”
section on page 20-6.