ASA Enhanced Service Object Groups

The ASA introduced object groups in version 7.0.  You could group a list of IP addresses, protocols, services, or ICMP types into one logical entity and refer to it by name in your access lists.  In the 7.x releases, however, a service object group was tied to the single protocol named in its header (tcp, udp, or tcp-udp), and an extended ACE also names a single protocol.  This forced admins to choose between two evils: a separate object group for TCP and for UDP ports (two groups to maintain and two ACEs), or a single tcp-udp group (still two ACEs, one per protocol, with every port in the group opened for both protocols whether or not you needed it, so the policy matches more than necessary).

The 8.0 release of the ASA software solves this problem by introducing an enhanced service object group that allows a mix of multiple protocols within the same group.  Unfortunately, the 8.0 and 8.2 ASA configuration guides don’t appear to cover this new type of service group or show an example.  The configuration below permits TCP/80, TCP and UDP/53, and ICMP to the DMZ network with one group and one ACE.  Note the three things that differ from a 7.x group: there is no protocol keyword in the object-group header, each service-object entry carries its own protocol (and optional port), and the group is referenced in the protocol position of the access-list entry rather than after the destination.

object-group network DMZ_NET
  network-object 1.2.3.0 255.255.255.0
!
object-group service DMZ_SERVICES
  service-object tcp eq 80
  service-object udp eq 53
  service-object tcp eq 53
  service-object icmp
!
access-list DMZ extended permit object-group DMZ_SERVICES any object-group DMZ_NET
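To see concretely what the enhanced group buys you, here is a small Python script, added to this post and not part of the original or of any Cisco tool, that flattens both approaches into the individual protocol/source/destination/port matches they permit and diffs them.  It implements only the subset of ASA syntax used in this post (network-object NET MASK, port-object eq, service-object with eq, extended permit ACEs); the two sample configs are constructed for the comparison, the second being the example above and the first the 7.x tcp-udp workaround with one ACE per protocol.

```python
"""Flatten ASA object-group ACEs into the individual matches they permit.

Added example (not code from the original post): a toy expander for just the
subset of ASA syntax used on this page, so the 7.x tcp-udp workaround can be
diffed against the 8.0 enhanced service group. Both configs are constructed.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str, str]  # (protocol, source, destination, dest port or "any")

# 7.x workaround (constructed): one tcp-udp port group, one ACE per protocol
LEGACY_CONFIG = """
object-group network DMZ_NET
  network-object 1.2.3.0 255.255.255.0
object-group service DMZ_PORTS tcp-udp
  port-object eq 80
  port-object eq 53
access-list DMZ extended permit tcp any object-group DMZ_NET object-group DMZ_PORTS
access-list DMZ extended permit udp any object-group DMZ_NET object-group DMZ_PORTS
access-list DMZ extended permit icmp any object-group DMZ_NET
"""
# 8.0 enhanced service group (the page's example): mixed protocols, one ACE
ENHANCED_CONFIG = """
object-group network DMZ_NET
  network-object 1.2.3.0 255.255.255.0
object-group service DMZ_SERVICES
  service-object tcp eq 80
  service-object udp eq 53
  service-object tcp eq 53
  service-object icmp
access-list DMZ extended permit object-group DMZ_SERVICES any object-group DMZ_NET
"""


def parse_config(text: str):
    """Return (network groups, service groups, ACE lines); a service group is
    (protocol from its header or "" for an 8.0 enhanced group, member lines)."""
    nets: Dict[str, List[str]] = {}
    svcs: Dict[str, Tuple[str, List[str]]] = {}
    aces: List[str] = []
    current: Tuple[str, str] = ("", "")
    for line in (l.strip() for l in text.splitlines()):
        p = line.split()
        if not p or p[0] == "!":
            continue
        if p[:2] == ["object-group", "network"]:
            current, nets[p[2]] = ("net", p[2]), []
        elif p[:2] == ["object-group", "service"]:
            current, svcs[p[2]] = ("svc", p[2]), (p[3] if len(p) > 3 else "", [])
        elif p[0] == "access-list":
            aces.append(line)
        elif current[0] == "net":
            nets[current[1]].append(line)
        elif current[0] == "svc":
            svcs[current[1]][1].append(line)
    return nets, svcs, aces


def take_addr(t: List[str], nets: Dict[str, List[str]]) -> List[str]:
    """Consume one address spec ("any", "object-group G" or "NET MASK") from
    the front of t and return it as CIDR strings."""
    kind = t.pop(0)
    if kind == "any":
        return ["0.0.0.0/0"]
    if kind == "object-group":  # members look like "network-object NET MASK"
        return [n for m in nets[t.pop(0)] for n in take_addr(m.split()[1:], nets)]
    return [str(ipaddress.IPv4Network((kind, t.pop(0))))]  # "1.2.3.0 255.255.255.0" -> 1.2.3.0/24


def enhanced_services(members: List[str]) -> List[Tuple[str, str]]:
    """8.0 enhanced group: each member carries its own protocol and optional port."""
    out: List[Tuple[str, str]] = []
    for t in (m.split() for m in members):
        protos = ["tcp", "udp"] if t[1] == "tcp-udp" else [t[1]]
        port = t[t.index("eq") + 1] if "eq" in t else "any"  # also handles "destination eq"
        out.extend((p, port) for p in protos)
    return out


def expand_ace(ace: str, nets, svcs) -> Set[Rule]:
    t = ace.split()
    assert t[2:4] == ["extended", "permit"], "toy expander handles extended permit ACEs only"
    t = t[4:]
    if t[0] == "object-group":  # 8.0: the service group sits in the protocol position
        services, t = enhanced_services(svcs[t[1]][1]), t[2:]
    else:
        services = [(t.pop(0), "any")]
    srcs = take_addr(t, nets)
    dsts = take_addr(t, nets)
    if t and t[0] == "object-group":  # 7.x: a port group trails the destination and
        proto = services[0][0]        # takes the ACE's protocol, whatever its header says
        services = [(proto, m.split()[2]) for m in svcs[t[1]][1] if m.startswith("port-object eq ")]
    return {(p, s, d, port) for p, port in services for s in srcs for d in dsts}


def expand_policy(config: str) -> Set[Rule]:
    nets, svcs, aces = parse_config(config)
    return set().union(*(expand_ace(a, nets, svcs) for a in aces))


def over_permitted(legacy: str, enhanced: str) -> Set[Rule]:
    """Matches the legacy policy allows that the enhanced one does not."""
    return expand_policy(legacy) - expand_policy(enhanced)
```

Calling over_permitted(LEGACY_CONFIG, ENHANCED_CONFIG) returns exactly one extra match, udp/80 from any to 1.2.3.0/24, which nobody asked for but which the tcp-udp group hands out because the UDP ACE has to reuse the same port list.  The enhanced group expands to precisely the four matches listed in its members from a single ACE.  The ASA's own show access-list output performs the same expansion (one line per group member, each with its hit count), which is the place to confirm on the box that a group-based rule permits only what you intended.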