© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—6-1 Lesson 6 Object Grouping


TRANSCRIPT

Page 1:

Lesson 6

Object Grouping

Page 2:

Overview of Object Grouping

Page 3:

Using Object Groups in ACLs

fw1(config)# access-list acl_out permit tcp any host 192.168.0.10 eq http
fw1(config)# access-list acl_out permit tcp any host 192.168.0.10 eq https
fw1(config)# access-list acl_out permit tcp any host 192.168.0.10 eq ftp
fw1(config)# access-list acl_out permit tcp any host 192.168.0.11 eq http
fw1(config)# access-list acl_out permit tcp any host 192.168.0.11 eq https
fw1(config)# access-list acl_out permit tcp any host 192.168.0.11 eq ftp
fw1(config)# access-list acl_out permit tcp any host 192.168.0.12 eq http
fw1(config)# access-list acl_out permit tcp any host 192.168.0.12 eq https
fw1(config)# access-list acl_out permit tcp any host 192.168.0.12 eq ftp

fw1(config)# show run static
static (dmz,outside) 192.168.0.10 172.16.0.1 netmask 255.255.255.255
static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255
static (dmz,outside) 192.168.0.12 172.16.0.3 netmask 255.255.255.255

[Figure: Internet, fw1, DMZ. Three Web servers on the DMZ network 172.16.0.0 (.1, .2, .3), statically translated to 192.168.0.X on the outside.]

Page 4:

Grouping Objects

• Service groups, such as DMZ_Services:
  – HTTP
  – HTTPS
  – FTP

• Host and network groups, such as DMZ_Servers:
  – 192.168.0.10
  – 192.168.0.11
  – 192.168.0.12

• Group names applied to the ACL:

fw1(config)# access-list outside permit tcp any object-group DMZ_Servers object-group DMZ_Services

fw1(config)# show run static
static (dmz,outside) 192.168.0.10 172.16.0.1 netmask 255.255.255.255
static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255
static (dmz,outside) 192.168.0.12 172.16.0.3 netmask 255.255.255.255

[Figure: Internet, fw1, DMZ. Three Web servers on the DMZ network 172.16.0.0 (.1, .2, .3), translated to 192.168.0.X on the outside.]

Page 5:

Grouping Objects of Similar Types

• Protocols (group INSIDE_PROTOCOLS):
  – TCP
  – UDP

• Networks and hosts (group INSIDE_HOSTS):
  – Subnet 10.0.0.0/24
  – 10.0.1.11
  – 10.0.2.11

• Services (group DMZ_SERVICES):
  – HTTP
  – HTTPS
  – FTP

• ICMP (group PING):
  – Echo
  – Echo-reply

firewall(config)# access-list aclout permit tcp any host 192.168.0.12 eq ftp
firewall(config)# access-list aclout permit icmp any host 192.168.0.12 echo-reply

[Figure columns: Protocols | Networks/Hosts | Services/ICMP]

Page 6:

Getting Started with Object Groups

Page 7:

Configuring and Using Object Groups

Complete the following steps to create object groups and use them in your configuration:

• Step 1: Use the object-group command to enter the appropriate subcommand mode for the type of group you want to configure.
• Step 2: In subcommand mode, define the members of the object group.
• Step 3: (Optional) Use the description subcommand to describe the object group.
• Step 4: Use the exit or quit command to return to configuration mode.
• Step 5: (Optional) Use the show object-group command to verify that the object group has been configured successfully.
• Step 6: Apply the object group to the access-list command.
• Step 7: (Optional) Use the show access-list command to display the expanded ACL entries.

Page 8:

Configuring Network Object Groups

fw1(config)# object-group network Inside_Eng
fw1(config-network)# network-object host 10.0.0.1
fw1(config-network)# network-object host 10.0.0.2

firewall(config)# object-group {protocol | network | icmp-type} obj_grp_id

• Assigns a name to the group and enables the network subcommand mode

[Figure: Internet (192.168.0.0), fw1, inside networks 10.0.0.0/24 (Inside_Eng) and 10.0.1.0/24 (Inside_Mktg).]

Page 9:

Configuring Service Object Groups

fw1(config)# object-group service Host_Services tcp
fw1(config-service)# port-object eq http
fw1(config-service)# port-object eq https
fw1(config-service)# port-object eq ftp

firewall(config)# object-group service obj_grp_id {tcp | udp | tcp-udp}

• Assigns a name to a service group and enables the service subcommand mode

[Figure: Internet (192.168.0.0), fw1, inside networks 10.0.0.0/24 (Inside_Eng) and 10.0.1.0/24 (Inside_Mktg); service group Host_Services: HTTP, HTTPS, FTP.]

Page 10:

Adding Object Groups to an ACL

[Figure: Internet (192.168.0.0), fw1, inside networks 10.0.0.0/24 (Inside_Eng) and 10.0.1.0/24 (Inside_Mktg); Inside_Eng combined with Host_Services in the ACL.]

firewall(config)# access-list id [line line-number] [extended] {deny | permit}
    {protocol | object-group protocol_obj_grp_id}
    {host sip | sip mask | interface ifc_name | object-group network_obj_grp_id | any}
    {host dip | dip mask | interface ifc_name | object-group network_obj_grp_id | any}
    [log [[level] [interval secs] | disable | default]]
    [inactive | time-range time_range_name]

fw1(config)# access-list inside permit tcp object-group Inside_Eng any object-group Host_Services

• Permits outbound engineering HTTP, HTTPS, and FTP traffic

Page 11:

Configuring ICMP-Type Object Groups

fw1(config)# object-group icmp-type PING
fw1(config-icmp)# icmp-object echo
fw1(config-icmp)# icmp-object echo-reply

firewall(config)# object-group icmp-type obj_grp_id

• Assigns a name to an ICMP-type group and enables the ICMP-type subcommand mode

[Figure: Internet (192.168.0.0), fw1, inside networks 10.0.0.0/24 (Inside_Eng) and 10.0.1.0/24 (Inside_Mktg); ICMP-type group Ping: Echo, Echo-reply.]

Page 12:

Nested Object Groups

Page 13:

Nested Object Groups

• Group objects: Inside_Eng, Inside_Mktg

• Nested group: Inside_Networks

• Nested group applied to the ACL

[Figure: Internet, DMZ 172.16.0.0, inside networks 10.0.0.0 (Inside_Eng) and 10.0.1.0 (Inside_Mktg), together forming Inside_Networks.]

Page 14:

Configuring Nested Object Groups

Complete the following steps to configure nested object groups:

• Step 1: Create an object group, such as Inside_Eng, that you want to nest within another object group.
• Step 2: Add the appropriate type of objects to the object group, such as 10.0.1.0/24.
• Step 3: Assign an identity, such as Inside_Networks, to the object group within which you want to nest other object groups.
• Step 4: Add the first object group to the second object group.
• Step 5: Add any other objects to the group that are required, such as Inside_Mktg.

Page 15:

Nested Object Group Example: Object Group Network

• Create object groups:
  – Inside_Eng
  – Inside_Mktg

• Allow inside hosts outbound:
  – HTTP
  – HTTPS
  – FTP

[Figure: Internet, DMZ 172.16.0.0, inside networks 10.0.0.0 (Inside_Eng) and 10.0.1.0 (Inside_Mktg), together forming Inside_Networks.]

Page 16:

group-object Command

fw1(config)# object-group network Inside_Eng
fw1(config-network)# network-object host 10.0.0.1
fw1(config-network)# network-object host 10.0.0.2
fw1(config-network)# exit
fw1(config)# object-group network Inside_Mktg
fw1(config-network)# network-object host 10.0.1.1
fw1(config-network)# network-object host 10.0.1.2
fw1(config-network)# exit
fw1(config)# object-group network Inside_Networks
fw1(config-network)# group-object Inside_Eng
fw1(config-network)# group-object Inside_Mktg

firewall(config-network)# group-object obj_group_id

• Nests an object group within another object group

[Figure: Inside_Networks containing Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0).]

Page 17:

Nested Object Group Example: Object Group Services

[Figure: Internet, DMZ 172.16.0.0, inside networks 10.0.0.0 (Inside_Eng) and 10.0.1.0 (Inside_Mktg); service group Host_Services: HTTP, HTTPS, FTP.]

fw1(config)# object-group service Host_Services tcp
fw1(config-service)# port-object eq http
fw1(config-service)# port-object eq https
fw1(config-service)# port-object eq ftp

Page 18:

Apply Nested Object Group to ACL

• Allow all inside hosts outbound:
  – HTTP
  – HTTPS
  – FTP

fw1(config)# access-list aclin permit tcp object-group Inside_Networks any object-group Host_Services

[Figure: Internet, DMZ 172.16.0.0, inside networks 10.0.0.0 (Inside_Eng) and 10.0.1.0 (Inside_Mktg), together forming Inside_Networks.]

Page 19:

Multiple Object Groups in ACLs

fw1(config)# show run object-group
object-group network REMOTES
 network-object host 172.30.0.50
 network-object host 172.30.0.51
object-group network DMZ1
 network-object host 192.168.1.10
 network-object host 192.168.1.12
object-group network DMZ2
 network-object host 192.168.2.10
object-group network ALL_DMZ
 group-object DMZ1
 group-object DMZ2
object-group service BASIC
 port-object eq http
 port-object eq smtp

fw1(config)# access-list aclout permit tcp object-group REMOTES object-group ALL_DMZ object-group BASIC

fw1(config)# show run static
static (dmz1,outside) 192.168.1.10 172.16.0.1 netmask 255.255.255.255
static (dmz1,outside) 192.168.1.12 172.16.0.2 netmask 255.255.255.255
static (dmz2,outside) 192.168.2.10 172.16.1.1 netmask 255.255.255.255

[Figure: fw1 with outside network 192.168.0.0 toward the Internet (remote hosts 172.30.0.50 and .51), DMZ1 172.16.0.0 (.1, .2), DMZ2 172.16.1.0 (.1) and inside network 10.0.0.0 (hosts .1 to .5).]
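To show what the firewall actually does with a grouped entry (the expanded ACEs that Step 7's show access-list displays, the nested groups of pages 14 and 16, and the multiple-group entry above), here is an added Python model. It is not Cisco code and not part of the lesson. It parses the object-group definitions shown on pages 4 and 19, resolves group-object nesting, and expands one access-list line into the individual ACEs, so the nine explicit entries of page 3 can be checked against the single object-group entry of page 4. Assumptions: only the member forms used in this lesson are parsed (host, network plus mask, eq port, ICMP type), the same-type rule for nested groups is enforced as a check, and the nesting-loop detection is this model's own safeguard rather than anything the lesson describes.

```python
"""Model of how a PIX/ASA-style firewall expands object-group references in an
access-list entry into individual ACEs. Added example, not Cisco code."""
from itertools import product

# Constructed configuration in the lesson's CLI syntax (groups from pages 4 and 19).
CONFIG = """\
object-group network DMZ_Servers
 network-object host 192.168.0.10
 network-object host 192.168.0.11
 network-object host 192.168.0.12
object-group service DMZ_Services tcp
 port-object eq http
 port-object eq https
 port-object eq ftp
object-group network REMOTES
 network-object host 172.30.0.50
 network-object host 172.30.0.51
object-group network DMZ1
 network-object host 192.168.1.10
 network-object host 192.168.1.12
object-group network DMZ2
 network-object host 192.168.2.10
object-group network ALL_DMZ
 group-object DMZ1
 group-object DMZ2
object-group service BASIC tcp
 port-object eq http
 port-object eq smtp
"""


def parse_object_groups(text):
    """Return {name: {"type": str, "members": [("group", name) | ("leaf", text)]}}."""
    groups, current = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "object-group":          # object-group <type> <name> [tcp|udp|tcp-udp]
            current = {"type": parts[1], "members": []}
            groups[parts[2]] = current
        elif current is None:
            raise ValueError(f"member line outside any object-group: {raw.strip()}")
        elif parts[0] == "group-object":        # nested group, resolved by flatten()
            current["members"].append(("group", parts[1]))
        elif parts[0] in ("network-object", "port-object", "icmp-object", "protocol-object"):
            current["members"].append(("leaf", " ".join(parts[1:])))
        else:
            raise ValueError(f"unrecognised line: {raw.strip()}")
    return groups


def flatten(groups, name, _stack=()):
    """Resolve nesting down to leaf members; reject an undefined group, a nesting
    loop, and (assumed same-type rule) a nested group of another type."""
    if name not in groups:
        raise KeyError(f"object-group {name} is not defined")
    if name in _stack:
        raise ValueError("nesting loop: " + " -> ".join(_stack + (name,)))
    leaves = []
    for kind, value in groups[name]["members"]:
        if kind == "group":
            if value in groups and groups[value]["type"] != groups[name]["type"]:
                raise ValueError(f"{value} is not a {groups[name]['type']} group")
            leaves.extend(flatten(groups, value, _stack + (name,)))
        else:
            leaves.append(value)
    return leaves


def _field(tokens, i, groups):
    """Read one ACL field at tokens[i]; return (alternatives, next index)."""
    tok = tokens[i]
    if tok == "object-group":                   # one alternative per group member
        return flatten(groups, tokens[i + 1]), i + 2
    if tok in ("host", "eq") or tok[0].isdigit():  # host <ip> / eq <port> / <net> <mask>
        return [f"{tok} {tokens[i + 1]}"], i + 2
    return [tok], i + 1                         # any, tcp, udp, icmp, echo-reply, ...


def expand_ace(groups, ace):
    """Expand one access-list line into the ACEs the firewall evaluates:
    the cartesian product of every field's alternatives."""
    tokens = ace.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list permit/deny line: {ace}")
    prefix, i, fields = " ".join(tokens[:3]), 3, []
    while i < len(tokens):
        alternatives, i = _field(tokens, i, groups)
        fields.append(alternatives)
    return [prefix + " " + " ".join(combo) for combo in product(*fields)]


def same_policy(groups, grouped_ace, explicit_aces):
    """True when the object-group entry expands to exactly the explicit entries."""
    return set(expand_ace(groups, grouped_ace)) == set(explicit_aces)


# Page 3's nine explicit entries versus page 4's single object-group entry,
# and the three-group entry of page 19 (2 remote hosts x 3 DMZ hosts x 2 ports).
EXPLICIT = [f"access-list acl_out permit tcp any host 192.168.0.{h} eq {s}"
            for h in (10, 11, 12) for s in ("http", "https", "ftp")]
GROUPED = "access-list acl_out permit tcp any object-group DMZ_Servers object-group DMZ_Services"
MULTI = "access-list aclout permit tcp object-group REMOTES object-group ALL_DMZ object-group BASIC"
```

Calling same_policy(parse_object_groups(CONFIG), GROUPED, EXPLICIT) returns True, and expand_ace on MULTI yields the 12 ACEs that the single page 19 line stands for. A group that is referenced but never defined, or two groups that nest each other, raises instead of silently expanding to an empty field, which is the check worth having before a grouped ACL goes into production.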

Page 20:

Displaying Configured Object Groups

• Displays object groups in the configuration

firewall(config)# show running-config [all] object-group [protocol | service | network | icmp-type | id obj_grp_id]

fw1# show run object-group
object-group network DMZ1
 network-object host 192.168.1.10
 network-object host 192.168.1.12
object-group network DMZ2
 network-object host 192.168.2.10
object-group network ALL_DMZ
 group-object DMZ1
 group-object DMZ2

Page 21:

Removing Configured Object Groups

• Removes a specific service object group

firewall(config)# no object-group service obj_grp_id {tcp | udp | tcp-udp}

• Removes a specific protocol, network, or ICMP-type object group

firewall(config)# no object-group {protocol | network | icmp-type} obj_grp_id

• Removes all object groups or all object groups of a specific type

firewall(config)# clear configure object-group [{protocol | service | icmp-type | network}]

fw1(config)# no object-group network ALL_DMZ
fw1(config)# clear config object-group protocol

Page 22:

Summary

• You can group network objects, services, protocols, and ICMP message types to reduce the number of ACEs required to implement your security policy.

• The main object grouping command, the object-group command, names your object group and enables a subcommand mode for the type of object you specify.

• Members of an object group are defined in its subcommand mode.

• Hierarchical, or nested, object grouping enables greater flexibility and modularity for specifying entries within ACLs.