Symptom
We are unable to create an "Extended ACL" object on the FMC when the entries use different protocols and the port is placed on the source in one entry and on the destination in another. FMC shows the following error:
"Port types cannot be mixed in Source/Destination.
There are ports in Source and Destination with different protocols.
Either choose ports of the same type in Source and Destination, or
remove ports from Source or Destination so that they are not mixed."
An example of an ACL that mixes protocols and mixes source and destination ports, but in different entries, is the following (the first entry is UDP with the port on the source, the second entry is TCP with the port on the destination):
access-list ACL_VPN-FILTER extended permit udp any eq ntp any
access-list ACL_VPN-FILTER extended permit tcp any any eq ssh
Starting with FMC 7.1, validations of ACL objects were introduced as part of API support. However, the validations appear to be implemented incorrectly: we should be able to create "Extended ACL" objects like the one above, where each entry is independent of the others, and it should not matter whether the port is specified on the source or on the destination.
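The difference between the expected and the observed validation, as an added example that is not Cisco's or the FMC's code: it parses the two ACL_VPN-FILTER lines quoted above into entries and applies the port-protocol rule from the error text once per entry (expected behaviour) and once over the ports of all entries pooled together (which reproduces the rejection). It assumes a minimal ASA syntax with "any" endpoints and "eq" ports; the AclEntry type and the validate_* functions are hypothetical names chosen for this example.

```python
import re
from dataclasses import dataclass, field

ACL_VPN_FILTER = [
    "access-list ACL_VPN-FILTER extended permit udp any eq ntp any",
    "access-list ACL_VPN-FILTER extended permit tcp any any eq ssh",
]

# Minimal ASA syntax (assumption for this example): "any" endpoints and "eq" ports only.
ACL_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+(?:permit|deny)\s+(?P<proto>tcp|udp)"
    r"\s+any(?:\s+eq\s+(?P<sport>\S+))?\s+any(?:\s+eq\s+(?P<dport>\S+))?$"
)

@dataclass
class AclEntry:
    src_ports: list = field(default_factory=list)  # "proto/port", e.g. "udp/ntp"
    dst_ports: list = field(default_factory=list)  # "proto/port", e.g. "tcp/ssh"

def parse_asa_line(line: str) -> AclEntry:
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL line: {line!r}")
    e = AclEntry()
    if m["sport"]:
        e.src_ports.append(f"{m['proto']}/{m['sport']}")
    if m["dport"]:
        e.dst_ports.append(f"{m['proto']}/{m['dport']}")
    return e

def protocols(ports):
    return {p.split("/", 1)[0] for p in ports}

def entry_mixed(e: AclEntry) -> bool:
    """Rule from the error text, applied to ONE entry: ports on both sides with differing protocols."""
    src, dst = protocols(e.src_ports), protocols(e.dst_ports)
    return bool(src) and bool(dst) and len(src | dst) > 1

def validate_per_entry(entries):
    """Expected behaviour: each entry is checked on its own; returns indexes of bad entries."""
    return [i for i, e in enumerate(entries) if entry_mixed(e)]

def validate_pooled(entries):
    """Observed behaviour: ports of all entries are pooled before the check; True = object rejected."""
    pooled = AclEntry([p for e in entries for p in e.src_ports],
                      [p for e in entries for p in e.dst_ports])
    return entry_mixed(pooled)

if __name__ == "__main__":
    entries = [parse_asa_line(line) for line in ACL_VPN_FILTER]
    print(validate_per_entry(entries), validate_pooled(entries))  # [] True
```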
Workaround
The above ACL Extended objects are commonly used for VPN-filters.
Until this problem is fixed, instead of using VPN-filters it is recommended to configure entries on the ACP that allow or deny the traffic from the VPN tunnel.