© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—6-1
Lesson 6
Object Grouping
Overview of Object Grouping
Using Object Groups in ACLs
fw1(config)# access-list acl_out permit tcp any host 192.168.0.10 eq http
fw1(config)# access-list acl_out permit tcp any host 192.168.0.10 eq https
fw1(config)# access-list acl_out permit tcp any host 192.168.0.10 eq ftp
fw1(config)# access-list acl_out permit tcp any host 192.168.0.11 eq http
fw1(config)# access-list acl_out permit tcp any host 192.168.0.11 eq https
fw1(config)# access-list acl_out permit tcp any host 192.168.0.11 eq ftp
fw1(config)# access-list acl_out permit tcp any host 192.168.0.12 eq http
fw1(config)# access-list acl_out permit tcp any host 192.168.0.12 eq https
fw1(config)# access-list acl_out permit tcp any host 192.168.0.12 eq ftp

Diagram: three web servers on the DMZ network 172.16.0.0 (hosts .1, .2 and .3), each reachable from the Internet through a static translation to 192.168.0.10, .11 and .12. Without object groups, three servers times three services costs nine ACEs.

fw1(config)# show run static
static (dmz,outside) 192.168.0.10 172.16.0.1 netmask 255.255.255.255
static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255
static (dmz,outside) 192.168.0.12 172.16.0.3 netmask 255.255.255.255
Grouping Objects
• Service groups, such as DMZ_Services:
  – HTTP
  – HTTPS
  – FTP
• Host and network groups, such as DMZ_Servers:
  – 192.168.0.10
  – 192.168.0.11
  – 192.168.0.12
• Group names applied to the ACL (one ACE replaces the nine on the previous slide)

fw1(config)# access-list outside permit tcp any object-group DMZ_Servers object-group DMZ_Services

fw1(config)# show run static
static (dmz,outside) 192.168.0.10 172.16.0.1 netmask 255.255.255.255
static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255
static (dmz,outside) 192.168.0.12 172.16.0.3 netmask 255.255.255.255

Diagram: the same three DMZ web servers (172.16.0.1, .2, .3 on the DMZ, translated to 192.168.0.10, .11, .12 on the outside) reachable from the Internet.
Grouping Objects of Similar Types
Each object group holds members of one type only. Four types are available:
• Protocols (for example, group INSIDE_PROTOCOLS):
  – TCP
  – UDP
• Networks and hosts (for example, group INSIDE_HOSTS):
  – Subnet 10.0.0.0/24
  – 10.0.1.11
  – 10.0.2.11
• Services (for example, group DMZ_SERVICES):
  – HTTP
  – HTTPS
  – FTP
• ICMP types (for example, group PING):
  – Echo
  – Echo-reply
Each group type stands in for the matching operand of a conventional ACE: protocol, source or destination address, service port, or ICMP type.

firewall(config)# access-list aclout permit tcp any host 192.168.0.12 eq ftp
firewall(config)# access-list aclout permit icmp any host 192.168.0.12 echo-reply
Getting Started with Object Groups
Configuring and Using Object Groups
Complete the following steps to create object groups and use them in your configuration:
• Step 1: Use the object-group command to enter the appropriate subcommand mode for the type of group you want to configure.
• Step 2: In subcommand mode, define the members of the object group.
• Step 3: (Optional) Use the description subcommand to describe the object group.
• Step 4: Use the exit or quit command to return to configuration mode.
• Step 5: (Optional) Use the show object-group command to verify that the object group has been configured successfully.
• Step 6: Apply the object group to the access-list command.
• Step 7: (Optional) Use the show access-list command to display the expanded ACL entries.
Configuring Network Object Groups
firewall(config)# object-group {protocol | network | icmp-type} obj_grp_id
• Assigns a name to the group and enables the subcommand mode for that group type (the network subcommand mode in this example)

fw1(config)# object-group network Inside_Eng
fw1(config-network)# network-object host 10.0.0.1
fw1(config-network)# network-object host 10.0.0.2

Diagram: Inside_Eng on 10.0.0.0/24 and Inside_Mktg on 10.0.1.0/24 behind the firewall; 192.168.0.0 on the outside toward the Internet.
Configuring Service Object Groups
firewall(config)# object-group service obj_grp_id {tcp | udp | tcp-udp}
• Assigns a name to a service group and enables the service subcommand mode; the trailing keyword fixes the transport protocol the port members apply to

fw1(config)# object-group service Host_Services tcp
fw1(config-service)# port-object eq http
fw1(config-service)# port-object eq https
fw1(config-service)# port-object eq ftp

Diagram: Inside_Eng (10.0.0.0/24) and Inside_Mktg (10.0.1.0/24) behind the firewall, 192.168.0.0 on the outside toward the Internet; service group Host_Services holds HTTP, HTTPS and FTP.
Adding Object Groups to an ACL
Diagram: Inside_Eng (10.0.0.0/24) and Inside_Mktg (10.0.1.0/24) behind the firewall, 192.168.0.0 on the outside toward the Internet; the ACL combines Inside_Eng with Host_Services.

• Permits outbound engineering HTTP, HTTPS, and FTP traffic

firewall(config)# access-list id [line line-number] [extended] {deny | permit}
    {protocol | object-group protocol_obj_grp_id}
    {host sip | sip mask | interface ifc_name | object-group network_obj_grp_id | any}
    {host dip | dip mask | interface ifc_name | object-group network_obj_grp_id | any}
    [log [[level] [interval secs] | disable | default]]
    [inactive | time-range time_range_name]

The optional port operand (for example, eq port, or object-group service_obj_grp_id as in the command below) follows the destination address.

fw1(config)# access-list inside permit tcp object-group Inside_Eng any object-group Host_Services
Configuring ICMP-Type Object Groups
firewall(config)# object-group icmp-type obj_grp_id
• Assigns a name to an ICMP-type group and enables the ICMP-type subcommand mode

fw1(config)# object-group icmp-type PING
fw1(config-icmp)# icmp-object echo
fw1(config-icmp)# icmp-object echo-reply

Diagram: Inside_Eng (10.0.0.0/24) and Inside_Mktg (10.0.1.0/24) behind the firewall, 192.168.0.0 on the outside toward the Internet; ICMP-type group PING holds echo and echo-reply.
Nested Object Groups
Nested Object Groups
• Group objects: Inside_Eng, Inside_Mktg
• Nested group: Inside_Networks (contains Inside_Eng and Inside_Mktg)
• Nested group applied to the ACL

Diagram: Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) behind the firewall, grouped together as Inside_Networks; DMZ on 172.16.0.0; Internet on the outside.
Configuring Nested Object Groups
Complete the following steps to configure nested object groups:
• Step 1: Create an object group, such as Inside_Eng, that you want to nest within another object group.
• Step 2: Add the appropriate type of objects to that object group, such as the hosts on 10.0.0.0/24.
• Step 3: Assign an identity, such as Inside_Networks, to the object group within which you want to nest other object groups.
• Step 4: Add the first object group to the second object group with the group-object command.
• Step 5: Add any other object groups that are required, such as Inside_Mktg.
A nested group must be of the same type as the group that contains it (a network group nests only network groups).
Nested Object Group Example: Object Group Network
• Create object groups:
  – Inside_Eng
  – Inside_Mktg
• Allow inside hosts outbound:
  – HTTP
  – HTTPS
  – FTP

Diagram: Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) nested in Inside_Networks; DMZ on 172.16.0.0; Internet on the outside.
group-object Command
firewall(config-network)# group-object obj_grp_id
• Nests an object group within another object group

fw1(config)# object-group network Inside_Eng
fw1(config-network)# network-object host 10.0.0.1
fw1(config-network)# network-object host 10.0.0.2
fw1(config-network)# exit
fw1(config)# object-group network Inside_Mktg
fw1(config-network)# network-object host 10.0.1.1
fw1(config-network)# network-object host 10.0.1.2
fw1(config-network)# exit
fw1(config)# object-group network Inside_Networks
fw1(config-network)# group-object Inside_Eng
fw1(config-network)# group-object Inside_Mktg

Diagram: Inside_Networks contains Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0).
Nested Object Group Example: Object Group Services
Diagram: Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) behind the firewall, DMZ on 172.16.0.0, Internet on the outside; service group Host_Services holds HTTP, HTTPS and FTP.

fw1(config)# object-group service Host_Services tcp
fw1(config-service)# port-object eq http
fw1(config-service)# port-object eq https
fw1(config-service)# port-object eq ftp
Apply Nested Object Group to ACL
• Allow all inside hosts outbound:
  – HTTP
  – HTTPS
  – FTP

fw1(config)# access-list aclin permit tcp object-group Inside_Networks any object-group Host_Services

Diagram: Inside_Networks (Inside_Eng on 10.0.0.0 and Inside_Mktg on 10.0.1.0) behind the firewall, DMZ on 172.16.0.0, Internet on the outside.
Multiple Object Groups in ACLs
Diagram: remote hosts 172.30.0.50 and .51 on the Internet; inside network 10.0.0.0; DMZ1 on 172.16.0.0 (hosts .1 and .2, translated to 192.168.1.10 and 192.168.1.12); DMZ2 on 172.16.1.0 (host .1, translated to 192.168.2.10); 192.168.0.0 on the outside.

fw1(config)# show run object-group
object-group network REMOTES
 network-object host 172.30.0.50
 network-object host 172.30.0.51
object-group network DMZ1
 network-object host 192.168.1.10
 network-object host 192.168.1.12
object-group network DMZ2
 network-object host 192.168.2.10
object-group network ALL_DMZ
 group-object DMZ1
 group-object DMZ2
object-group service BASIC tcp
 port-object eq http
 port-object eq smtp

fw1(config)# access-list aclout permit tcp object-group REMOTES object-group ALL_DMZ object-group BASIC

A single ACE can carry a source group, a destination group and a service group at once; the firewall expands it to every combination of their members (here 2 sources x 3 destinations x 2 ports = 12 entries), which is what show access-list displays.

fw1(config)# show run static
static (dmz1,outside) 192.168.1.10 172.16.0.1 netmask 255.255.255.255
static (dmz1,outside) 192.168.1.12 172.16.0.2 netmask 255.255.255.255
static (dmz2,outside) 192.168.2.10 172.16.1.1 netmask 255.255.255.255
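The expansion that Step 7 of "Configuring and Using Object Groups" asks you to verify with show access-list, and that the REMOTES / ALL_DMZ / BASIC entry above relies on, can be modelled offline. The following Python script is an added example, not part of the SNPA course material or Cisco code: it parses a pasted show run object-group listing, flattens nested group-object references recursively, and emits one ACE per combination of members, so the real cost of an object-group line is visible before it is applied. The sample configuration is constructed from the groups on this slide plus the PING group from the ICMP-type slide; an extra ICMP access-list line is assumed for illustration.

```python
"""Expand object-group ACEs into the flat entries the firewall evaluates.

Added example (not from the SNPA course material): models what `show access-list`
displays after object groups are applied to an access-list command.
"""
import re
from itertools import product

# Constructed sample input: object groups from the "Multiple Object Groups in ACLs"
# slide plus the PING group; the icmp access-list line is assumed for illustration.
SAMPLE_CONFIG = """
object-group network REMOTES
 network-object host 172.30.0.50
 network-object host 172.30.0.51
object-group network DMZ1
 network-object host 192.168.1.10
 network-object host 192.168.1.12
object-group network DMZ2
 network-object host 192.168.2.10
object-group network ALL_DMZ
 group-object DMZ1
 group-object DMZ2
object-group service BASIC tcp
 port-object eq http
 port-object eq smtp
object-group icmp-type PING
 icmp-object echo
 icmp-object echo-reply
access-list aclout permit tcp object-group REMOTES object-group ALL_DMZ object-group BASIC
access-list aclout permit icmp any object-group ALL_DMZ object-group PING
"""

GROUP_RE = re.compile(r"object-group (network|service|protocol|icmp-type) (\S+)")
ACE_RE = re.compile(r"access-list (\S+) (?:extended )?(permit|deny) (\S+) (.*)")
PAIR_KEYWORDS = ("host", "eq", "lt", "gt", "neq", "interface")
IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_object_groups(config):
    """Return {group: [("group", name) or ("obj", "host 1.2.3.4" / "eq http" / ...)]}."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GROUP_RE.match(line)
        if m:
            current = groups.setdefault(m.group(2), [])
            continue
        if not raw.startswith(" "):          # unindented line: the group body ended
            current = None
            continue
        if current is None:
            continue
        tokens = line.split()
        if tokens[0] == "group-object":
            current.append(("group", tokens[1]))
        elif tokens[0] in ("network-object", "port-object", "protocol-object", "icmp-object"):
            current.append(("obj", " ".join(tokens[1:])))
    return groups


def flatten(groups, name, _seen=()):
    """Recursively expand a group's members, following group-object nesting."""
    if name not in groups:
        raise KeyError(f"object-group {name} is not defined")
    if name in _seen:
        raise ValueError(f"object-group nesting loop at {name}")
    members = []
    for kind, value in groups[name]:
        if kind == "group":
            members.extend(flatten(groups, value, _seen + (name,)))
        else:
            members.append(value)
    return members


def split_operands(tokens, groups):
    """Turn the ACE tail (src, dst, optional port or ICMP type) into alternative lists."""
    alts, i = [], 0
    while i < len(tokens):
        t = tokens[i]
        if t == "object-group":
            alts.append(flatten(groups, tokens[i + 1]))
            i += 2
        elif t == "any":
            alts.append(["any"])
            i += 1
        elif t == "range":                        # range low high
            alts.append([" ".join(tokens[i:i + 3])])
            i += 3
        elif t in PAIR_KEYWORDS or IP_RE.fullmatch(t):   # host ip, eq port, net mask
            alts.append([f"{t} {tokens[i + 1]}"])
            i += 2
        else:                                     # bare keyword such as an ICMP type
            alts.append([t])
            i += 1
    return alts


def expand_acl(config):
    """Return the flat ACE list the firewall evaluates for every access-list line."""
    groups = parse_object_groups(config)
    expanded = []
    for raw in config.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        acl, action, proto, tail = m.groups()
        tokens = tail.split()
        protos = flatten(groups, tokens.pop(0)) if proto == "object-group" else [proto]
        alts = [protos] + split_operands(tokens, groups)
        for combo in product(*alts):          # one ACE per member combination
            expanded.append(f"access-list {acl} {action} " + " ".join(combo))
    return expanded


if __name__ == "__main__":
    entries = expand_acl(SAMPLE_CONFIG)
    print("\n".join(entries))
    print(f"{len(entries)} expanded entries")
```

The two object-group lines in the sample expand to 18 entries (12 for the TCP line, 6 for the ICMP line); the product of member counts is the number the firewall actually programs, so deeply nested or very large groups can turn one readable line into thousands of ACEs.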
Displaying Configured Object Groups
firewall(config)# show running-config [all] object-group [protocol | service | network | icmp-type | id obj_grp_id]
• Displays the object groups in the configuration, optionally filtered by type or by a single group name

fw1# show run object-group
object-group network DMZ1
 network-object host 192.168.1.10
 network-object host 192.168.1.12
object-group network DMZ2
 network-object host 192.168.2.10
object-group network ALL_DMZ
 group-object DMZ1
 group-object DMZ2
Removing Configured Object Groups
firewall(config)# no object-group service obj_grp_id {tcp | udp | tcp-udp}
• Removes a specific service object group

firewall(config)# no object-group {protocol | network | icmp-type} obj_grp_id
• Removes a specific protocol, network, or ICMP-type object group

firewall(config)# clear configure object-group [{protocol | service | icmp-type | network}]
• Removes all object groups of the specified type; with no type keyword, removes every object group in the configuration

fw1(config)# no object-group network ALL_DMZ
fw1(config)# clear config object-group protocol
Summary
• You can group network objects, services, protocols, and ICMP message types to reduce the number of ACEs required to implement your security policy.
• The main object grouping command, the object-group command, names your object group and enables a subcommand mode for the type of object you specify.
• Members of an object group are defined in its subcommand mode.
• Hierarchical, or nested, object grouping enables greater flexibility and modularity for specifying entries within ACLs.