03-23-2007 05:10 AM - edited 03-11-2019 02:51 AM
Hello
Lets say that I want to permit this in an access-list:
source:
192.168.1.0/24
192.168.2.0/24
destination:
10.0.1.0/24
10.0.2.0/24
ports:
tcp/22
tcp/23
udp/53
udp/555
icmp echo (ping)
With object-grouping I should solve it like this:
object-group network my-source
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
object-group network my-dest
network-object 10.0.1.0 255.255.255.0
network-object 10.0.2.0 255.255.255.0
object-group service my-ports-TCP tcp
port-object eq 22
port-object eq 23
object-group service my-ports-UDP udp
port-object eq 53
port-object eq 555
access-list acl permit tcp object-group my-source object-group my-dest object-group my-ports-TCP
access-list acl permit udp object-group my-source object-group my-dest object-group my-ports-UDP
access-list acl permit icmp object-group my-source object-group my-dest echo
My question is: Is there a better way to do it in Pix/ASA v7.x? I think there is a great limitation in the fact that tcp, udp and icmp traffic cannot be grouped into the same service object-group.
If I could place tcp/22, tcp/23, udp/53, udp/555 and icmp echo (0/8) into the same object-group the acl should be shortened into one single line. This is possible in other brands of firewalls...
Please comment!
Best regards
Jimmy
03-23-2007 07:25 AM
Use the protocol object group in order to specify a protocol(s) that you want to define in an ACL or conduit. You can use this object group as the protocol type only in the associated ACL or conduit. Note that the allowed protocols for this object group are only the standard PIX protocol names allowed in an access-list or conduit command, such as Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Generic Routing Encapsulation (GRE), Enhanced Interior Gateway Routing Protocol (EIGRP), Encapsulating Security Payload (ESP), Authentication Header (AH), and so on. Protocols that sit on top of TCP or UDP cannot be specified with a protocol object group. Instead, these protocols use an object group, as shown in this example.
(config)# object-group protocol proto_grp_1
(config-protocol)# protocol-object udp
(config-protocol)# protocol-object tcp
(config-protocol)# protocol-object esp
(config-protocol)# exit
(config)# access-list 102 permit object-group proto_grp_1 any any
_________
I guess you got it.
03-23-2007 07:52 AM
You mean that there is no easier/better way to do it than what I wrote? I am not interested in grouping different IP protocols, but grouping different tcp and udp ports in one single group.
Regards
Jimmy
03-23-2007 07:57 AM
If you group different protocols together, you can set up different tcp/udp/icmp ports together too.
the limitation :
protocols: tcp/udp/icmp
ports : 23/24/25
then access-list will open these ports for all the protocols which you define in protocol object group.
Yes, there's no better way of doing this.
i suggested a workaround.
sushil
cisco tac
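The point of sushil's reply is that a protocol object-group applied together with one shared port list opens every listed port for every listed protocol, so the "single line" Jimmy wants is wider than his three explicit lines. The following script is an added example, not code from this thread or from Cisco: it parses the object-groups Jimmy posted into flat (protocol, source, destination, port) tuples, expands both the three-line ACL and a one-line protocol-group variant, and reports the tuples the one-liner permits that the explicit ACL does not. The `my-ports-ALL` group (an ASA `tcp-udp` service group) and the one-line `access-list wk ...` syntax are assumptions used to model the behaviour described in the reply; the parser only understands the command forms that appear in the thread (`network-object a.b.c.d mask`, `port-object eq N`, `protocol-object X`, `object-group` references, `any`, and a bare ICMP type name).

```python
import ipaddress

# Constructed sample config: the object-groups from the question, plus the
# protocol object-group from the reply and an assumed tcp-udp service group
# that holds all four ports in one place.
SAMPLE_CONFIG = """\
object-group network my-source
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
object-group network my-dest
 network-object 10.0.1.0 255.255.255.0
 network-object 10.0.2.0 255.255.255.0
object-group service my-ports-TCP tcp
 port-object eq 22
 port-object eq 23
object-group service my-ports-UDP udp
 port-object eq 53
 port-object eq 555
object-group protocol proto_grp_1
 protocol-object tcp
 protocol-object udp
object-group service my-ports-ALL tcp-udp
 port-object eq 22
 port-object eq 23
 port-object eq 53
 port-object eq 555
"""

# The three explicit lines from the question.
EXPLICIT_ACL = [
    "access-list acl permit tcp object-group my-source object-group my-dest object-group my-ports-TCP",
    "access-list acl permit udp object-group my-source object-group my-dest object-group my-ports-UDP",
    "access-list acl permit icmp object-group my-source object-group my-dest echo",
]

# Assumed one-line variant: protocol group + shared port group (ICMP still separate).
WORKAROUND_ACL = [
    "access-list wk permit object-group proto_grp_1 object-group my-source object-group my-dest object-group my-ports-ALL",
    "access-list wk permit icmp object-group my-source object-group my-dest echo",
]


def parse_object_groups(text):
    """Parse object-group definitions into {"network", "service", "protocol"} dicts."""
    groups = {"network": {}, "service": {}, "protocol": {}}
    current = None  # (kind, name) of the group being filled
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "object-group":
            kind, name = parts[1], parts[2]
            if kind == "service":
                # trailing keyword is tcp, udp or tcp-udp
                groups["service"][name] = {"proto": parts[3], "ports": []}
            else:
                groups[kind][name] = []
            current = (kind, name)
        elif parts[0] == "network-object":
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            groups["network"][current[1]].append(net)
        elif parts[0] == "port-object":  # only the "eq N" form is handled
            groups["service"][current[1]]["ports"].append(int(parts[2]))
        elif parts[0] == "protocol-object":
            groups["protocol"][current[1]].append(parts[1])
    return groups


def _take_addr(tok, i, groups):
    """Read a source/destination field ('any' or 'object-group NAME') at tok[i]."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    return list(groups["network"][tok[i + 1]]), i + 2


def expand_acl(lines, groups):
    """Expand ACL lines into the set of (proto, src, dst, port) tuples they permit."""
    permits = set()
    for line in lines:
        tok = line.split()
        assert tok[2] == "permit", line
        i = 3
        if tok[i] == "object-group":  # protocol object-group
            protos, i = list(groups["protocol"][tok[i + 1]]), i + 2
        else:
            protos, i = [tok[i]], i + 1
        srcs, i = _take_addr(tok, i, groups)
        dsts, i = _take_addr(tok, i, groups)
        if i >= len(tok):
            ports = ["any"]
        elif tok[i] == "object-group":
            svc = groups["service"][tok[i + 1]]
            ports = svc["ports"]
            # a tcp-only or udp-only service group applies to that protocol alone;
            # a tcp-udp group applies to every protocol in the protocol list
            if svc["proto"] in ("tcp", "udp"):
                protos = [p for p in protos if p == svc["proto"]]
        elif tok[i] == "eq":
            ports = [int(tok[i + 1])]
        else:
            ports = [tok[i]]  # ICMP type name such as "echo"
        for p in protos:
            for s in srcs:
                for d in dsts:
                    for port in ports:
                        permits.add((p, str(s), str(d), port))
    return permits


def over_permitted(explicit_lines, workaround_lines, groups):
    """Tuples the workaround permits that the explicit ACL does not."""
    return expand_acl(workaround_lines, groups) - expand_acl(explicit_lines, groups)


if __name__ == "__main__":
    g = parse_object_groups(SAMPLE_CONFIG)
    for t in sorted(over_permitted(EXPLICIT_ACL, WORKAROUND_ACL, g), key=str):
        print("extra:", t)
```

Running it lists sixteen extra tuples: tcp/53, tcp/555, udp/22 and udp/23 for each of the four source/destination pairs, which is exactly the cross-product sushil warns about. Diffing the expanded tuple sets this way is a quick check to run before collapsing multi-line ACLs into protocol-group one-liners.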
11-13-2013 07:27 PM
Hi. Anyone can suggest how many IP addresses can be configured under an object-group network? (ASA 5550 ver 8.2)
My customer wants to configure 6000 IPs under an object-group and add the deny rule for this group. Any best practice for that?
Thanks ahead,
11-13-2013 08:00 PM
A. There is no defined limit for the number of ACLs that can be configured on the ASA. It depends on the memory present in the ASA.
The same applies to object-group settings