
Difference between Port-Object and Service-Object

On a Cisco ASA, a service object-group built from Port-Objects and one built from Service-Objects match the same traffic. What differs is how each kind of group is referenced when it is used in an extended Access Control List (ACL): the position of the object-group keyword in the ACL statement is not the same.

Below, the same two TCP services, www (port 80) and https (port 443), are defined first with Port-Objects and then with Service-Objects…

Port Object

object-group service WEB-PORTS tcp
port-object eq www
port-object eq https

Service Object

object-group service WEB-PORTS
service-object tcp eq 80
service-object tcp eq 443

With port-object, the protocol is fixed once on the object-group line (here tcp) and each port-object entry names only a port. With service-object, the object-group line carries no protocol and each entry specifies the protocol and the port together. Because of this, the two kinds of group are referenced differently in an ACL, as the following statements show…

Port-Object within an extended ACL
A port-object group is referenced at the end of the ACL entry, after the protocol and the source and destination addresses, because the protocol (tcp) is still stated in the entry itself.

access-list ACL_in extended permit tcp NETWORK SUBNET any object-group WEB-PORTS

Service-Object within an extended ACL
A service-object group takes the place of the protocol keyword in the ACL entry, since the group already carries the protocol for each port.

access-list ACL_in extended permit object-group WEB-PORTS NETWORK SUBNET any
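To make the distinction concrete, here is an added Python example (not from the post or from Cisco) that parses the two object-group styles, flattens each to (protocol, port) pairs to show they match the same traffic, and emits the ACL entry with the object-group reference in the position each style requires. The sample configuration is constructed for this example: it reuses the two definitions above under the distinct names WEB-PORTS-PO and WEB-PORTS-SO (an ASA would not accept two groups with the same name) and adds a tcp-udp DNS group and range support, which go beyond the post. The port-name table is a hand-picked subset of ASA keywords, and acceptance of the newer "service-object tcp destination eq ..." form is an assumption about later ASA syntax.

```python
"""Constructed example: parse ASA service object-groups and emit the matching ACL entry."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Subset of ASA port keywords, hand-picked for this example.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ssh": 22,
              "smtp": 25, "ftp": 21, "telnet": 23, "ntp": 123}

# Constructed config modelled on the post's two WEB-PORTS definitions, plus a tcp-udp group.
SAMPLE_CONFIG = """
object-group service WEB-PORTS-PO tcp
 port-object eq www
 port-object eq https
object-group service WEB-PORTS-SO
 service-object tcp eq 80
 service-object tcp eq 443
object-group service DNS tcp-udp
 port-object eq domain
"""

GROUP_RE = re.compile(r"^object-group service (\S+)(?: (tcp|udp|tcp-udp))?$")
PORT_OBJ_RE = re.compile(r"^port-object (eq|range) (.+)$")
# "destination" is optional so the newer ASA form is also accepted (assumption).
SVC_OBJ_RE = re.compile(r"^service-object (tcp|udp|tcp-udp) (?:destination )?(eq|range) (.+)$")


@dataclass
class ServiceGroup:
    name: str
    header_protocol: Optional[str]  # set only for port-object style groups
    entries: List[Tuple[str, str, str]] = field(default_factory=list)  # (proto, op, port spec)

    @property
    def style(self) -> str:
        return "port-object" if self.header_protocol else "service-object"


def parse_object_groups(config: str) -> Dict[str, ServiceGroup]:
    """Read object-group service blocks; reject entries that do not fit the group's style."""
    groups: Dict[str, ServiceGroup] = {}
    current: Optional[ServiceGroup] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := GROUP_RE.match(line):
            current = ServiceGroup(m.group(1), m.group(2))
            groups[current.name] = current
            continue
        if current is None:
            continue
        if m := PORT_OBJ_RE.match(line):
            if current.header_protocol is None:
                raise ValueError(f"{current.name}: port-object needs a protocol on the object-group line")
            current.entries.append((current.header_protocol, m.group(1), m.group(2)))
        elif m := SVC_OBJ_RE.match(line):
            if current.header_protocol is not None:
                raise ValueError(f"{current.name}: service-object is not allowed in a protocol-typed group")
            current.entries.append((m.group(1), m.group(2), m.group(3)))
        # other lines (description, etc.) are ignored
    return groups


def _port_number(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token]


def expand(group: ServiceGroup) -> Set[Tuple[str, int]]:
    """Flatten a group into (protocol, port) pairs so the two styles can be compared."""
    result: Set[Tuple[str, int]] = set()
    for proto, op, spec in group.entries:
        protos = ["tcp", "udp"] if proto == "tcp-udp" else [proto]
        if op == "eq":
            ports = [_port_number(spec)]
        else:  # "range low high"
            lo, hi = (_port_number(t) for t in spec.split())
            ports = list(range(lo, hi + 1))
        for p in protos:
            for port in ports:
                result.add((p, port))
    return result


def ace_for(group: ServiceGroup, acl: str, action: str, src: str, dst: str) -> List[str]:
    """Emit the ACL entry line(s) referencing the group where its style requires it."""
    if group.style == "port-object":
        # Protocol stays in the entry; a tcp-udp group needs one entry per protocol.
        protos = ["tcp", "udp"] if group.header_protocol == "tcp-udp" else [group.header_protocol]
        return [f"access-list {acl} extended {action} {p} {src} {dst} object-group {group.name}" for p in protos]
    # Service-object group replaces the protocol keyword.
    return [f"access-list {acl} extended {action} object-group {group.name} {src} {dst}"]


if __name__ == "__main__":
    for g in parse_object_groups(SAMPLE_CONFIG).values():
        print(g.name, g.style, sorted(expand(g)))
        for entry in ace_for(g, "ACL_in", "permit", "10.0.0.0 255.255.255.0", "any"):
            print("  ", entry)
```

Running the script prints both WEB-PORTS groups expanding to the same tcp/80 and tcp/443 pairs while producing the two differently shaped ACL entries, and shows why a tcp-udp port-object group needs a separate tcp and udp entry.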


  • Coconutdog

    protocol-object – Layer 3, to define protocols like ip, esp, gre, etc.
    service-object – Layer 4, to define port numbers under tcp, udp or both


Copyright © Nish Vamadevan 2002-2017. All Rights Reserved.