
Knowledge Nugget ASA Object Grouping

Knowledge Nugget: ASA Object Grouping. Bogdan Doinea, Assoc. Technical Manager CEE&RCIS, bdoinea@cisco.com, Cisco Networking Academy. Topics: ACL scalability issues, what object grouping is, and the types of object grouping on the ASA.



Presentation Transcript


  1. Knowledge Nugget: ASA Object Grouping
     Bogdan Doinea, Assoc. Technical Manager CEE&RCIS, bdoinea@cisco.com, Cisco Networking Academy

  2. ASA Object Grouping (agenda)
     • ACL Scalability Issues
     • What is Object grouping?
     • Types of Object grouping

  3. ACL Scalability Issues
     • A firewall will naturally have many ACLs
     • The only way to permit traffic from a lower security level to a higher one is through an ACL
     • Problem: ACLs become repetitive and very big
       asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.8 eq http
       asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.8 eq https
       asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.8 eq ftp
       asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.9 eq http
       asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.9 eq https
       asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.9 eq ftp
       asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.10 eq http
       asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.10 eq https
       asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.10 eq ftp

  4. Object grouping
     • Idea: recognize patterns in ACLs and group those ACL entries within an object
     • Objective: make ACLs shorter and easier to read
     • Objects can be created around:
       • Protocol (TCP, UDP)
       • Networks (your inside networks)
       • Services (the services in the DMZ)
       • ICMP (echo_request + echo_reply = ping)
     • After creating object groups, they can be directly tied to ACLs
       asa1(config)# access-list OUTSIDE permit tcp any object-group DMZ_SERVERS object-group DMZ_SERVICES

  5. Steps in configuring Object Grouping
     Step 1: Use the object-group command to enter the appropriate subcommand mode for the type of group you want to configure.
     Step 2: In subcommand mode, define the members of the object group.
     Step 3: (Optional) Use the description subcommand to describe the object group.
     Step 4: Use the exit or quit command to return to configuration mode.
     Step 5: (Optional) Use the show run object-group command to verify that the object group has been configured successfully.
     Step 6: Apply the object group to the access-list command.
     Step 7: (Optional) Use the show access-list command to display the expanded ACL entries.

  6. Configuring Network Object Groups
     [Diagram: Internet, networks 10.0.0.0/24, 10.0.1.0/24 and 192.168.2.0]
     • object-group network obj_grp_id
       • Assigns a name to the group and enables the network subcommand mode
     • network-object host host_addr | host_name
       • Adds a host to the network object group
       asa1(config)# object-group network INSIDE
       asa1(config-network)# network-object host 10.0.0.1
       asa1(config-network)# network-object host 10.0.0.2

  7. Configuring Service Object Groups
     [Diagram: Internet, networks 10.0.0.0/24, 10.0.1.0/24 and 192.168.2.0; callout HOST_SERVICES = HTTP, HTTPS, FTP]
     • object-group service obj_grp_id {tcp | udp | tcp-udp}
       • Assigns a name to a service group and enables the service subcommand mode
     • port-object {eq service | range begin_service end_service}
       • Adds a port object to a service object group
       asa1(config)# object-group service HOST_SERVICES tcp
       asa1(config-service)# port-object eq http
       asa1(config-service)# port-object eq https
       asa1(config-service)# port-object eq ftp
       asa1(config-service)# port-object range 137 139

  8. Configuring ICMP-Type Object Groups
     [Diagram: Internet, networks 10.0.0.0/24, 10.0.1.0/24 and 192.168.2.0; callout Ping = Echo, Echo-reply]
     • object-group icmp-type obj_grp_id
       • Assigns a name to an ICMP-type group and enables the ICMP-type subcommand mode
     • icmp-object icmp-type
       • Adds an ICMP message type to an ICMP-type object group
       asa1(config)# object-group icmp-type PING
       asa1(config-icmp)# icmp-object echo
       asa1(config-icmp)# icmp-object echo-reply

  9. Configuring Protocol Object Groups
     [Diagram: Internet, networks 10.0.0.0/24, 10.0.1.0/24 and 192.168.2.0; callout INSIDE_PROTOCOLS = TCP, UDP]
     • object-group protocol obj_grp_id
       • Assigns a name to a protocol group and enables the protocol subcommand mode
     • protocol-object protocol
       • Adds a protocol to a protocol object group
       asa1(config)# object-group protocol INSIDE_PROTOCOLS
       asa1(config-protocol)# protocol-object tcp
       asa1(config-protocol)# protocol-object udp

  10. Applying the Object to the ACL
     [Diagram: Internet, networks 10.0.0.0/24, 10.0.1.0/24 and 192.168.1.0]
     • access-list id [line line-number] [extended] {deny | permit} {protocol | object-group protocol_obj_grp_id} {host sip | sip smask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id] {host dip | dip dmask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id] [log [disable] | [level] | [default] | [interval secs]] [inactive | time-range time_range_name]
       asa1(config)# access-list INSIDE permit tcp object-group INSIDE_ENG any object-group HOST_SERVICES
     • Permits outbound engineering HTTP, HTTPS, and FTP traffic

  11. Display Object Groups
     • show running-config object-group [protocol | service | network | icmp-type | id obj_grp_id]
       • Displays object groups in the configuration
       asa1# show run object-group
       object-group network INSIDE
        network-object host 10.0.0.1
        network-object host 10.0.0.2
       object-group service HOST_SERVICES tcp
        port-object eq www
        port-object eq https
        port-object eq ftp
        port-object range 137 netbios-ssn
       object-group icmp-type PING
        icmp-object echo
        icmp-object echo-reply
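     Object groups shorten the written ACL, but the ASA still expands each object-group reference into one ACE per member (step 7 on slide 5, `show access-list`). The following added example, written for this page and not part of the original presentation, parses the `show run object-group` text above together with the slide 10 ACL and computes that expansion; it assumes a network group named INSIDE_ENG with the same two hosts as INSIDE, and prints plain ACE strings rather than the ASA's own `show access-list` layout (line numbers, hit counts, hashes).

```python
from itertools import product

# Constructed sample in 'show run' form. Group contents follow the slides; the
# network group is named INSIDE_ENG (as in the slide 10 ACL) rather than INSIDE.
SAMPLE_CONFIG = """
object-group network INSIDE_ENG
 network-object host 10.0.0.1
 network-object host 10.0.0.2
object-group service HOST_SERVICES tcp
 port-object eq www
 port-object eq https
 port-object eq ftp
 port-object range 137 netbios-ssn
access-list INSIDE permit tcp object-group INSIDE_ENG any object-group HOST_SERVICES
"""
MEMBER_KEYWORDS = ("network-object", "port-object", "icmp-object", "protocol-object")

def parse_config(text):
    """groups maps a group name to its members exactly as written (e.g.
    'host 10.0.0.1', 'range 137 netbios-ssn'); acls holds tokenised ACL lines."""
    groups, acls, current = {}, [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "object-group":      # object-group <type> <name> [tcp|udp|tcp-udp]
            current = groups.setdefault(tok[2], [])
        elif tok[0] in MEMBER_KEYWORDS:   # member line in the group submode
            current.append(" ".join(tok[1:]))
        elif tok[0] == "access-list":
            acls.append(tok)
            current = None
    return groups, acls

def expand_ace(tokens, groups):
    """Replace each 'object-group NAME' pair by every member of NAME; the
    result is the Cartesian product, one string per expanded ACE."""
    slots, i = [], 0
    while i < len(tokens):
        if tokens[i] == "object-group":
            slots.append(groups[tokens[i + 1]])
            i += 2
        else:
            slots.append([tokens[i]])
            i += 1
    return [" ".join(choice) for choice in product(*slots)]

def expand_config(text):
    """Expanded ACEs for every access-list line in the config, in order."""
    groups, acls = parse_config(text)
    return [ace for acl in acls for ace in expand_ace(acl, groups)]
```

     The single ACL line yields 2 hosts x 4 ports = 8 ACEs, so the ACE count the firewall evaluates grows with the product of the group sizes even though the configuration stays one line.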

  12. Useful links
     • Join the Global Instructor Community
       • http://community.netacad.net
     • Check out more knowledge nuggets
       • http://lms.netacad.net/course/view.php?id=3101
       • ASA Essentials Series
       • The less known world of IPv6 – Tunneling, Autoconfigure, Routing
       • DHCP Series
       • PPPoE – combining PPP and Ethernet
       • Netacad Maintenance
       • Advanced VLAN Troubleshooting
