Object groups - Best practice and limitations

jilahbg
Level 1

Hello

Let's say that I want to permit this in an access-list:

source:
192.168.1.0/24
192.168.2.0/24

destination:
10.0.1.0/24
10.0.2.0/24

ports:
tcp/22
tcp/23
udp/53
udp/555
icmp echo (ping)

With object-grouping I should solve it like this:

object-group network my-source
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
object-group network my-dest
 network-object 10.0.1.0 255.255.255.0
 network-object 10.0.2.0 255.255.255.0
object-group service my-ports-TCP tcp
 port-object eq 22
 port-object eq 23
object-group service my-ports-UDP udp
 port-object eq 53
 port-object eq 555

access-list acl permit tcp object-group my-source object-group my-dest object-group my-ports-TCP
access-list acl permit udp object-group my-source object-group my-dest object-group my-ports-UDP
access-list acl permit icmp object-group my-source object-group my-dest echo

My question is: Is there a better way to do it in Pix/ASA v7.x? I think there is a great limitation in the fact that tcp, udp and icmp traffic cannot be grouped into the same service object-group.

If I could place tcp/22, tcp/23, udp/53, udp/555 and icmp echo (0/8) into the same object-group, the acl should be shortened into one single line. This is possible in other brands of firewalls...

Please comment!

Best regards

Jimmy

5 Replies

suschoud
Cisco Employee

Use the protocol object group in order to specify a protocol(s) that you want to define in an ACL or conduit. You can use this object group as the protocol type only in the associated ACL or conduit. Note that the allowed protocols for this object group are only the standard PIX protocol names allowed in an access-list or conduit command, such as Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Generic Routing Encapsulation (GRE), Enhanced Interior Gateway Routing Protocol (EIGRP), Encapsulating Security Payload (ESP), Authentication Header (AH), and so on. Protocols that sit on top of TCP or UDP cannot be specified with a protocol object group. Instead, these protocols use an object group, as shown in this example.

(config)# object-group protocol proto_grp_1
(config-protocol)# protocol-object udp
(config-protocol)# protocol-object tcp
(config-protocol)# protocol-object esp
(config-protocol)# exit
(config)# access-list 102 permit object-group proto_grp_1 any any

_________

I guess you got it.

You mean that there is no easier/better way to do it than what I wrote? I am not interested in grouping different IP protocols, but in grouping different tcp and udp ports in one single group.

Regards

Jimmy

If you group different protocols together, you can set up different tcp/udp/icmp ports together too.

The limitation:

protocols: tcp/udp/icmp

ports: 23/24/25

Then the access-list will open these ports for all the protocols which you define in the protocol object group.

Yes, there's no better way of doing this.

I suggested a workaround.

sushil

cisco tac
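To make the limitation Sushil describes concrete, here is an added Python example (not from the thread, Cisco, or any ASA tool) that expands both designs into the flat set of protocol/port permits they grant between the same source and destination groups. The group contents are constructed from Jimmy's example; the ICMP line stays separate because a protocol object-group cannot carry an ICMP type.

```python
from itertools import product

# Constructed object-group contents mirroring the thread's example (not exported from a device).
TCP_PORTS = {22, 23}
UDP_PORTS = {53, 555}
ICMP_TYPES = {"echo"}


def per_protocol_permits():
    """Flat (protocol, port-or-type) tuples granted by three per-protocol ACEs,
    each bound to its own service object-group (Jimmy's original design)."""
    return ({("tcp", p) for p in TCP_PORTS}
            | {("udp", p) for p in UDP_PORTS}
            | {("icmp", t) for t in ICMP_TYPES})


def protocol_group_permits(protocols, ports):
    """What a single ACE built on a protocol object-group grants: every port in
    the service group is matched for every protocol in the protocol group."""
    return set(product(protocols, ports))


def unintended_permits():
    """Entries the protocol-group workaround opens that the per-protocol design did not."""
    intended = per_protocol_permits()
    merged = protocol_group_permits(("tcp", "udp"), TCP_PORTS | UDP_PORTS)
    return merged - intended


def render_per_protocol_acl(acl="acl", src="my-source", dst="my-dest"):
    """ASA-style ACEs for the per-protocol design, one line per protocol."""
    return [
        f"access-list {acl} permit tcp object-group {src} object-group {dst} object-group my-ports-TCP",
        f"access-list {acl} permit udp object-group {src} object-group {dst} object-group my-ports-UDP",
        f"access-list {acl} permit icmp object-group {src} object-group {dst} echo",
    ]


if __name__ == "__main__":
    for ace in render_per_protocol_acl():
        print(ace)
    # The merged design also permits tcp/53, tcp/555, udp/22 and udp/23.
    print("extra permits from the protocol-group workaround:",
          sorted(unintended_permits(), key=str))
```

The four extra tuples are the price of the one-line ACL: a review of such a rule should compare the expanded permit set, not the line count.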

yenaungoo
Level 1

Hi, can anyone suggest how many IP addresses can be configured under an object-group network? (ASA 5550 ver 8.2)

My customer wants to configure 6000 IPs under an object-group and add the deny rule for this group. Any best practice for that?

Thanks ahead,

Q. What is the maximum number of ACLs that can be configured on the ASA?

A. There is no defined limit for the number of ACLs that can be configured on the ASA. It depends on the memory present in the ASA.

The same applies to object-group settings.

Value our effort and rate the assistance!