© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—8-1
Lesson 8
Object Grouping
Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
• Describe the object grouping feature of the PIX Firewall and its advantages.
• Configure object groups.
• Configure nested object groups.
• Use object groups in ACLs.
Overview of Object Grouping
Using Object Groups in ACLs
Without object groups, permitting three services to each of three DMZ servers takes nine separate ACEs, one per host-and-service combination:
chicago(config)# access-list acl_out permit tcp any host 192.168.0.10 eq http
chicago(config)# access-list acl_out permit tcp any host 192.168.0.10 eq https
chicago(config)# access-list acl_out permit tcp any host 192.168.0.10 eq ftp
chicago(config)# access-list acl_out permit tcp any host 192.168.0.11 eq http
chicago(config)# access-list acl_out permit tcp any host 192.168.0.11 eq https
chicago(config)# access-list acl_out permit tcp any host 192.168.0.11 eq ftp
chicago(config)# access-list acl_out permit tcp any host 192.168.0.12 eq http
chicago(config)# access-list acl_out permit tcp any host 192.168.0.12 eq https
chicago(config)# access-list acl_out permit tcp any host 192.168.0.12 eq ftp
chicago(config)# show static
static (dmz,outside) 192.168.0.10 172.16.0.1 netmask 255.255.255.255
static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255
static (dmz,outside) 192.168.0.12 172.16.0.3 netmask 255.255.255.255
[Figure: the Internet, the PIX Firewall, and a DMZ network 172.16.0.0 with three web servers at .1, .2, and .3, which the static translations above present to the outside as 192.168.0.x.]
Grouping Objects
• Group the services supported, such as DMZ_Services: HTTP, HTTPS, FTP.
• Group the hosts or networks, such as DMZ_Servers: 192.168.0.10, 192.168.0.11, 192.168.0.12.
• Apply the group names to the ACL. One ACE that references both groups replaces the nine ACEs above; the firewall expands it into the same nine host-and-service combinations.
chicago(config)# access-list outside permit tcp any object-group DMZ_Servers object-group DMZ_Services
Grouping Objects of Similar Types
An object group holds objects of a single type. The four types, with an example group of each:
• Protocols (INSIDE_PROTOCOLS): TCP, UDP
• Networks/hosts (INSIDE_HOSTS): subnet 10.0.0.0/24, host 10.0.1.11, host 10.0.2.11
• Services (DMZ_SERVICES): HTTP, HTTPS, FTP
• ICMP message types (PING): echo, echo-reply
Each type replaces the corresponding field of an ACE. Without groups, the protocol, the address, and the port or ICMP type are spelled out in every entry:
chicago(config)# access-list aclout permit tcp any host 192.168.0.12 eq ftp
chicago(config)# access-list aclout permit icmp any host 192.168.0.12 echo-reply
Getting Started with Object Groups
Configuring and Using Object Groups
Complete the following tasks to create object groups and use them in your configuration:
• Task 1—Use the object-group command to enter the appropriate subcommand mode for the type of group you want to configure.
• Task 2—In subcommand mode, define the members of the object group.
• Task 3—(Optional.) Use the description subcommand to describe the object group.
• Task 4—Use the exit or quit command to return to configuration mode.
• Task 5—(Optional.) Use the show object-group command to verify that the object group has been configured successfully.
• Task 6—Apply the object group to the access-list command.
• Task 7—(Optional.) Use the show access-list command to display the expanded ACL entries.
Configuring Network Object Groups
pixfirewall(config)# object-group network grp_id
• Assigns a name to the group and enables the Network subcommand mode. Members are added with network-object host ip_addr for a single host or network-object net_addr netmask for a subnet.
pixfirewall(config)# object-group network Inside_Eng
pixfirewall(config-network)# network-object host 10.0.0.1
pixfirewall(config-network)# network-object host 10.0.0.2
[Figure: Inside_Eng (10.0.0.0/24) and Inside_Mktg (10.0.1.0/24) behind the PIX Firewall, with 192.168.0.0 on the outside toward the Internet.]
Configuring Service Object Groups
pixfirewall(config)# object-group service grp_id {tcp | udp | tcp-udp}
• Assigns a name to a Service group and enables the Service subcommand mode. The protocol keyword is part of the group's identity: a tcp service group can only be used in a tcp ACE, and it must be repeated when the group is removed. Members are added with port-object eq port or port-object range begin_port end_port.
pixfirewall(config)# object-group service Host_Services tcp
pixfirewall(config-service)# port-object eq http
pixfirewall(config-service)# port-object eq https
pixfirewall(config-service)# port-object eq ftp
[Figure: Host_Services (HTTP, HTTPS, FTP) beside the Inside_Eng (10.0.0.0/24), Inside_Mktg (10.0.1.0/24), DMZ, and outside (192.168.0.0) networks.]
Adding Object Groups to an ACL
pixfirewall(config)# access-list acl_ID [line line-num] {deny | permit} protocol source_addr source_mask [operator port [port]] destination_addr destination_mask [operator port [port]]
Wherever the syntax calls for a protocol, an address and mask, or a port, an object group of the matching type can be substituted as object-group grp_id:
pixfirewall(config)# access-list inside permit tcp object-group Inside_Eng any object-group Host_Services
• Permits outbound Engineering HTTP, HTTPS, and FTP traffic.
[Figure: Inside_Eng combined with Host_Services in the ACL; Inside_Eng (10.0.0.0/24), Inside_Mktg (10.0.1.0/24), DMZ, and outside (192.168.0.0) networks around the PIX Firewall.]
Configuring Protocol Object Groups
pixfirewall(config)# object-group protocol grp_id
• Assigns a name to a Protocol group and enables the Protocol subcommand mode. Members are added with protocol-object, by IP protocol number or keyword.
pixfirewall(config)# object-group protocol ESP_Protocol
pixfirewall(config-protocol)# protocol-object 50
[Figure: ESP_Protocol (IP protocol 50) beside the Inside_Eng (10.0.0.0/24), Inside_Mktg (10.0.1.0/24), DMZ, and outside (192.168.0.0) networks.]
Configuring ICMP-Type Object Groups
pixfirewall(config)# object-group icmp-type grp_id
• Assigns a name to an ICMP-Type group and enables the ICMP-Type subcommand mode. Members are added with icmp-object.
pixfirewall(config)# object-group icmp-type PING
pixfirewall(config-icmp-type)# icmp-object echo
pixfirewall(config-icmp-type)# icmp-object echo-reply
[Figure: PING (echo, echo-reply) beside the Inside_Eng (10.0.0.0/24), Inside_Mktg (10.0.1.0/24), DMZ, and outside (192.168.0.0) networks.]
Nested Object Groups
• Group objects; for example, Inside_Eng and Inside_Mktg.
• Nest those groups in a larger group; for example, Inside_Networks.
• Apply the nested group to the ACL.
[Figure: Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) combined into Inside_Networks, with the DMZ (172.16.0.0) and the Internet on the other side of the PIX Firewall.]
Configuring Nested Object Groups
Complete the following steps to configure nested object groups:
• Step 1—Create an object group that you want to nest within another object group, such as Inside_Eng.
• Step 2—Add the appropriate type of objects to the object group, such as 10.0.0.0/24.
• Step 3—Assign an identity to the object group within which you want to nest other object groups, such as Inside_Networks.
• Step 4—Add the first object group to the second object group.
• Step 5—Add any other objects that are required to the group, such as Inside_Mktg.
Nested Object Group Example—Object Group Network
• Create the object groups Inside_Eng and Inside_Mktg.
• Allow inside hosts outbound HTTP, HTTPS, and FTP.
[Figure: Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) nested in Inside_Networks; DMZ (172.16.0.0) and the Internet on the far side of the PIX Firewall.]
group-object Command
pixfirewall(config-group-type)# group-object object_group_id
• Nests an object group within another object group. The nested group must already exist and must be of the same type as the group it is added to.
pixfirewall(config)# object-group network Inside_Eng
pixfirewall(config-network)# network-object host 10.0.0.1
pixfirewall(config-network)# network-object host 10.0.0.2
pixfirewall(config-network)# exit
pixfirewall(config)# object-group network Inside_Mktg
pixfirewall(config-network)# network-object host 10.0.1.1
pixfirewall(config-network)# network-object host 10.0.1.2
pixfirewall(config-network)# exit
pixfirewall(config)# object-group network Inside_Networks
pixfirewall(config-network)# group-object Inside_Eng
pixfirewall(config-network)# group-object Inside_Mktg
[Figure: Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) nested in Inside_Networks.]
Nested Object Group Example—Object Group Services
pix1(config)# object-group service Host_Services tcp
pix1(config-service)# port-object eq http
pix1(config-service)# port-object eq https
pix1(config-service)# port-object eq ftp
[Figure: Host_Services (HTTP, HTTPS, FTP) beside Inside_Eng (10.0.0.0), Inside_Mktg (10.0.1.0), the DMZ (172.16.0.0), and the Internet.]
Apply Nested Object Group to ACL
pixfirewall(config)# access-list aclin permit tcp object-group Inside_Networks any object-group Host_Services
• Allows all inside hosts outbound HTTP, HTTPS, and FTP.
[Figure: Inside_Networks (Inside_Eng 10.0.0.0 and Inside_Mktg 10.0.1.0) permitted outbound through the PIX Firewall toward the DMZ (172.16.0.0) and the Internet.]
Multiple Object Groups in ACLs
chicago(config)# show object-group
object-group network REMOTES
  network-object host 172.30.0.50
  network-object host 172.30.0.51
object-group network DMZ1
  network-object host 192.168.1.10
  network-object host 192.168.1.12
object-group network DMZ2
  network-object host 192.168.2.10
object-group network ALL_DMZ
  group-object DMZ1
  group-object DMZ2
object-group service BASIC
  port-object eq http
  port-object eq smtp
pixfirewall(config)# access-list aclout permit tcp object-group REMOTES object-group ALL_DMZ object-group BASIC
One ACE that references three groups stands in for 2 remote hosts × 3 DMZ servers × 2 services = 12 individual ACEs; show access-list displays the expanded entries.
pixfirewall(config)# show static
static (dmz1,outside) 192.168.1.10 172.16.0.1 netmask 255.255.255.255
static (dmz1,outside) 192.168.1.12 172.16.0.2 netmask 255.255.255.255
static (dmz2,outside) 192.168.2.10 172.16.1.1 netmask 255.255.255.255
[Figure: remote hosts 172.30.0.50 and .51 on the Internet; DMZ1 (172.16.0.0) with servers .1 and .2; DMZ2 (172.16.1.0) with server .1; inside network 10.0.0.0; outside network 192.168.0.0.]
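Tasks 6 and 7 of the procedure above, the group-object nesting, and this three-group ACE all rest on one mechanism: the firewall expands an ACE that references object groups into the product of the groups' members, and show access-list displays the result. The following Python script reproduces that expansion offline so the count and order of the resulting ACEs can be checked before a group is applied. It is an added example and not Cisco code or output from a real PIX; the SHOW_OBJECT_GROUP text is a constructed copy of the listing on this slide (with the tcp keyword that the object-group service command requires), and the names parse_object_groups, flatten and expand_ace are the example's own.

```python
import re
from itertools import product

# Constructed copy of the `show object-group` listing on this slide; the
# service group header carries the tcp keyword that the object-group
# service command requires.
SHOW_OBJECT_GROUP = """\
object-group network REMOTES
  network-object host 172.30.0.50
  network-object host 172.30.0.51
object-group network DMZ1
  network-object host 192.168.1.10
  network-object host 192.168.1.12
object-group network DMZ2
  network-object host 192.168.2.10
object-group network ALL_DMZ
  group-object DMZ1
  group-object DMZ2
object-group service BASIC tcp
  port-object eq http
  port-object eq smtp
"""

HEADER = re.compile(r"^object-group (network|service|protocol|icmp-type) (\S+)")


def parse_object_groups(text):
    """Return {name: (type, members)}.  Leaf members are stored as the text
    that replaces `object-group NAME` in an ACE ('host 10.0.0.1',
    '10.0.0.0 255.255.255.0', 'eq http', 'range 20 21', '50', 'echo');
    nested groups are stored as ('group', name) for later resolution."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = m.group(2)
            groups[current] = (m.group(1), [])
            continue
        if current is None:
            raise ValueError(f"member line before any object-group: {line!r}")
        words = line.split()
        members = groups[current][1]
        if words[0] == "group-object":
            members.append(("group", words[1]))
        elif words[0] in ("network-object", "port-object"):
            members.append(("leaf", " ".join(words[1:])))  # host A / A M / eq P / range P Q
        elif words[0] in ("protocol-object", "icmp-object"):
            members.append(("leaf", words[1]))
        else:
            raise ValueError(f"unrecognised member line: {line!r}")
    return groups


def flatten(groups, name, seen=()):
    """Leaf members of a group, following group-object nesting and rejecting
    a group that nests itself (directly or through another group)."""
    if name not in groups:
        raise KeyError(f"object-group {name} is not defined")
    if name in seen:
        raise ValueError(f"nesting loop through object-group {name}")
    leaves = []
    for kind, value in groups[name][1]:
        if kind == "group":
            leaves.extend(flatten(groups, value, seen + (name,)))
        else:
            leaves.append(value)
    return leaves


def expand_ace(groups, ace):
    """Expand one access-list line into the flat ACEs the firewall builds from
    it: every `object-group NAME` becomes the list of that group's leaves and
    the result is the product of all such lists, in configuration order."""
    words = ace.split()
    slots, i = [], 0
    while i < len(words):
        if words[i] == "object-group":
            if i + 1 == len(words):
                raise ValueError("object-group keyword without a group name")
            slots.append(flatten(groups, words[i + 1]))
            i += 2
        else:
            slots.append([words[i]])
            i += 1
    return [" ".join(combo) for combo in product(*slots)]


if __name__ == "__main__":
    groups = parse_object_groups(SHOW_OBJECT_GROUP)
    ace = ("access-list aclout permit tcp object-group REMOTES "
           "object-group ALL_DMZ object-group BASIC")
    expanded = expand_ace(groups, ace)
    print(f"{ace}\n  expands to {len(expanded)} ACEs:")
    for entry in expanded:
        print("  " + entry)
```

Run against the slide's listing, the script reports 12 ACEs, the first of them permitting host 172.30.0.50 to host 192.168.1.10 eq http. The product grows quickly: a group of 50 hosts used twice in one ACE with a 10-port service group yields 25,000 entries, which is worth knowing before applying it to a small PIX.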
Displaying Configured Object Groups
pixfirewall(config)# show object-group [protocol | service | icmp-type | network]
• Displays the object groups in the configuration, optionally only those of one type.
pixfirewall# show object-group
object-group network DMZ1
  network-object host 192.168.1.10
  network-object host 192.168.1.12
object-group network DMZ2
  network-object host 192.168.2.10
object-group network ALL_DMZ
  group-object DMZ1
  group-object DMZ2
Removing Configured Object Groups
pixfirewall(config)# no object-group service grp_id {tcp | udp | tcp-udp}
• Removes a specific service object group. The protocol keyword given when the group was created must be repeated.
pixfirewall(config)# no object-group {protocol | network | icmp-type} grp_id
• Removes a specific protocol, network, or icmp-type object group.
pixfirewall(config)# clear object-group [protocol | service | icmp-type | network]
• Removes all object groups, or all object groups of a specific type.
pixfirewall(config)# no object-group network ALL_DMZ
pixfirewall(config)# clear object-group protocol
An object group that is still referenced by an access-list entry or nested in another group cannot be removed or emptied; the commands that reference it must be removed first.
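Because the firewall refuses to delete a group that an ACE or another group still uses, the order of removal matters. The following Python function is an added example, not Cisco code, that reads a running-config excerpt and lists the commands to issue before no object-group will succeed: no access-list for every ACE that uses the group, and no group-object, in the parent group's subcommand mode, for every group that nests it. RUNNING_CONFIG is constructed from the groups on the preceding slides; the names group_headers and removal_plan are the example's own.

```python
import re

# Constructed running-config excerpt built from the groups on the preceding
# slides (not output from a real firewall).
RUNNING_CONFIG = """\
object-group network DMZ1
  network-object host 192.168.1.10
  network-object host 192.168.1.12
object-group network DMZ2
  network-object host 192.168.2.10
object-group network ALL_DMZ
  group-object DMZ1
  group-object DMZ2
object-group service BASIC tcp
  port-object eq http
  port-object eq smtp
access-list aclout permit tcp any object-group ALL_DMZ object-group BASIC
access-list aclout permit tcp any object-group DMZ2 eq ftp
access-group aclout in interface outside
"""

HEADER = re.compile(
    r"^object-group (network|service|protocol|icmp-type) (\S+)(?: (tcp|udp|tcp-udp))?$")


def group_headers(config):
    """Map each group name to the `object-group ...` line that opens it.
    A service group's header carries its protocol keyword, and the
    `no object-group service` command that removes it must repeat it."""
    headers = {}
    for line in config.splitlines():
        m = HEADER.match(line.strip())
        if m:
            headers[m.group(2)] = m.group(0)
    return headers


def removal_plan(config, name):
    """Commands, in configuration order, that must run before `name` can be
    deleted: `no access-list` for every ACE that uses it and, for every group
    that nests it, `no group-object` issued in that parent's subcommand mode.
    The `no object-group` line for the group itself comes last."""
    headers = group_headers(config)
    if name not in headers:
        raise KeyError(f"object-group {name} is not in the configuration")
    # \b keeps DMZ1 from matching DMZ10; '_' is a word character, so
    # ALL_DMZ does not match DMZ either.
    uses = re.compile(rf"\bobject-group {re.escape(name)}\b")
    plan, parent = [], None
    for line in config.splitlines():
        s = line.strip()
        if HEADER.match(s):
            parent = s                       # subcommand mode we are now inside
        elif s.startswith("access-list ") and uses.search(s):
            plan.append("no " + s)
        elif s == f"group-object {name}" and parent:
            plan += [parent, f" no {s}", " exit"]
    plan.append("no " + headers[name])
    return plan


if __name__ == "__main__":
    for group in ("DMZ1", "ALL_DMZ", "BASIC"):
        print(f"! to remove {group}:")
        print("\n".join(removal_plan(RUNNING_CONFIG, group)))
```

For DMZ1 the plan is to enter object-group network ALL_DMZ, issue no group-object DMZ1, exit, and only then no object-group network DMZ1; for BASIC it is the no access-list line followed by no object-group service BASIC tcp. The planner does not check whether removing a nested member would leave the parent group empty while an ACE still references that parent, which the firewall also rejects; in that case the parent's ACEs have to be removed first as well.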
Summary
• You can group network objects, services, protocols, and ICMP message types to reduce the number of ACEs required to implement your security policy.
• The main object grouping command, the object-group command, names your object group and enables a subcommand mode for the type of object you specify.
• Members of an object group are defined in its subcommand mode.
• Hierarchical object grouping enables greater flexibility and modularity for specifying entries within ACLs.
Lab Exercise
Lab Visual Objective
[Figure: lab topology. Pods 1–5 use P and pods 6–10 use Q in the addresses. Each pod has a Student PC (Local: 10.0.P.11) on the inside network 10.0.P.0, a PIX Firewall, an outside network 192.168.P.0, a DMZ 172.16.P.0 with a Web/FTP "bastionhost" at .2, and a Web/FTP CSACS server; the pods share the 172.26.26.0 network with the RBB router, the RTS at .100, and a Web/FTP server at .50.]