06-13-2007 05:49 AM - edited 03-11-2019 03:29 AM
Hi
I'm just converting my ACLs to use object-groups and wanted to check that the ACLs I have written are OK. To start with I have some ACLs of:
access-list example permit ip 192.x.x.0 255.255.255.0 10.x.0.0 255.255.0.0
access-list example permit ip 192.x.x.0 255.255.255.0 10.x.0.0 255.255.0.0
access-list example permit ip 192.x.x.0 255.255.255.0 10.x.0.0 255.255.0.0
access-list example permit ip 192.x.x.0 255.255.255.0 10.x.0.0 255.255.0.0
and some object-groups of:
object-group network UK_Network
description subnets in use on UK LAN
network-object 192.x.x.x 255.255.255.0
network-object 192.x.x.x 255.255.255.0
network-object 192.x.x.x 255.255.255.0
network-object 192.x.x.x 255.255.255.0
network-object 10.x.0.0 255.255.0.0
object-group network Canada_Network
network-object 10.x.0.0 255.255.0.0
the access-list I have written to use the object-groups is:
access-list example permit ip object-group UK_Network object-group Canada_Network
does this look right?
thanks
06-13-2007 06:39 AM
Hi
It looks fine other than the 10.x.0.0 entry in the UK_Network object-group. Do you need this?
HTH
Jon
06-13-2007 06:55 AM
Hi Jon
My fault with the notation of the subnets; it should read:
object-group network UK_Network
description subnets in use on UK LAN
network-object 192.x.x.x 255.255.255.0
network-object 192.x.x.x 255.255.255.0
network-object 192.x.x.x 255.255.255.0
network-object 192.x.x.x 255.255.255.0
network-object 10.20.x.x 255.255.0.0
object-group network Canada_Network
network-object 10.1.x.x 255.255.0.0
The network object-group ACLs seem easy enough. Would it be OK if I ran some port, protocol and ICMP ACLs past you?
06-13-2007 06:59 AM
Hi
Yes, no problem at all.
Jon
06-13-2007 07:07 AM
thx
Here are some object-groups I've written; I'm just writing the access-lists currently. I'm also wondering about the best testing and implementation method: presumably one access-list at a time and out of hours?
object-group protocol proto_grp_1
protocol-object udp
object-group service OWA_AD TCP
description TCP ports for Outlook Web Access and Active Directory
port-object eq ldap
port-object eq www
port-object eq domain
port-object eq https
port-object eq 42
port-object eq 88
port-object eq 135
port-object eq 445
port-object eq 3268
port-object eq 3269
object-group service OWA_AD UDP
description UDP ports for Outlook Web Access and Active Directory
port-object eq ldap
port-object eq domain
port-object eq 42
port-object eq 88
port-object eq 135
port-object eq 445
port-object eq 3268
port-object eq 3269
object-group service External_Addresses TCP
description TCP ports for External Addresses
port-object eq www
port-object eq smtp
port-object eq pop3
object-group service External_Addresses UDP
description UDP ports for External Addresses
port-object eq 10000
object-group protocol TCP
protocol-object tcp
06-13-2007 07:52 AM
Hi J
my original access-lists are:
access-list if-out permit tcp any host 62.x.x.232 eq www
access-list if-out permit tcp any host 62.x.x.235 eq pop3
access-list if-out permit tcp any host 62.x.x.234 eq smtp
access-list if-out permit tcp any host 62.x.x.234 eq www
access-list if-out permit tcp any host 62.x.x.235 eq www
access-list if-out permit tcp any host 62.x.x.235 eq smtp
new object-groups:
object-group network External_Addresses
description External Addresses
network-object host 62.x.x.234
network-object host 62.x.x.235
updated access-lists:
access-list if-out permit tcp any host 62.x.x.232 eq www
access-list if-out permit tcp any host 62.x.x.235 eq pop3
access-list if-out permit tcp any object-group External_Addresses eq smtp
access-list if-out permit tcp any object-group External_Addresses eq www
How's that look? Cheers for the help; I've been sidetracked onto some other stuff unfortunately.
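An added example, not part of this thread or any poster's config, for checking the kind of conversion discussed in this post and in the first one: a Python script that expands object-group ACEs into the flat source/destination flows they match and diffs them against the original flat lines, so a rewrite can be verified before it is applied out of hours. The embedded configs are constructed (the thread's addresses are redacted): 192.168.x.0/24, 10.x.0.0/16 and 203.0.113.x stand in for the real subnets, and the UK group carries an extra 10.20.0.0/16 member like the one queried earlier, so the first diff shows a flow the flat list never matched while the External_Addresses rewrite diffs clean.

```python
"""Expand PIX/ASA object-group ACEs into flat flows and diff them against the original ACL."""
import ipaddress

# Constructed sample configs: RFC 5737 / private addresses stand in for the thread's redacted
# ones. OLD_* is the flat ACL, NEW_* the object-group rewrite that is meant to be equivalent.
OLD_EXAMPLE = """
access-list example permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list example permit ip 192.168.2.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list example permit ip 192.168.3.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list example permit ip 192.168.4.0 255.255.255.0 10.1.0.0 255.255.0.0
"""
NEW_EXAMPLE = """
object-group network UK_Network
 description subnets in use on UK LAN
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
 network-object 10.20.0.0 255.255.0.0
object-group network Canada_Network
 network-object 10.1.0.0 255.255.0.0
access-list example permit ip object-group UK_Network object-group Canada_Network
"""
OLD_IFOUT = """
access-list if-out permit tcp any host 203.0.113.232 eq www
access-list if-out permit tcp any host 203.0.113.235 eq pop3
access-list if-out permit tcp any host 203.0.113.234 eq smtp
access-list if-out permit tcp any host 203.0.113.234 eq www
access-list if-out permit tcp any host 203.0.113.235 eq www
access-list if-out permit tcp any host 203.0.113.235 eq smtp
"""
NEW_IFOUT = """
object-group network External_Addresses
 network-object host 203.0.113.234
 network-object host 203.0.113.235
access-list if-out permit tcp any host 203.0.113.232 eq www
access-list if-out permit tcp any host 203.0.113.235 eq pop3
access-list if-out permit tcp any object-group External_Addresses eq smtp
access-list if-out permit tcp any object-group External_Addresses eq www
"""

def parse_network_groups(config):
    """Collect 'object-group network' members; any other top-level line ends the group."""
    groups, current = {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"]:
            current = tok[2]
            groups[current] = []
        elif tok[0] == "network-object" and current is not None:
            spec = tok[2] if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
            groups[current].append(ipaddress.ip_network(spec))
        elif tok[0] != "description":
            current = None
    return groups

def take_address(tok, i, groups):
    """Consume one address spec (any | host A | A MASK | object-group G) at tok[i]."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return list(groups[tok[i + 1]]), i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2

def expand(config):
    """Flatten each 'access-list NAME action proto SRC DST [service]' into (acl, action,
    proto, src, dst, service) tuples, one per source/destination pair."""
    groups = parse_network_groups(config)
    flows = set()
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] == "remark":
            continue  # blank lines, object-group bodies, remarks, global access-list settings
        name, action, proto = tok[1], tok[2], tok[3]
        srcs, i = take_address(tok, 4, groups)
        dsts, i = take_address(tok, i, groups)
        service = " ".join(tok[i:])  # e.g. "eq www"; empty for a plain "ip" ACE
        for s in srcs:
            for d in dsts:
                flows.add((name, action, proto, str(s), str(d), service))
    return flows

def diff_acls(old, new):
    """Return (flows only the new ACL matches, flows only the old ACL matches)."""
    old_flows, new_flows = expand(old), expand(new)
    return sorted(new_flows - old_flows), sorted(old_flows - new_flows)

if __name__ == "__main__":
    for label, old, new in (("example", OLD_EXAMPLE, NEW_EXAMPLE), ("if-out", OLD_IFOUT, NEW_IFOUT)):
        added, removed = diff_acls(old, new)
        print(f"{label}: newly matched {added}; no longer matched {removed}")
```

The comparison treats each list as a set of matched flows, which is exact for permit-only lists like the ones in this thread; once a list mixes deny and permit lines, order decides which ACE wins and a set diff no longer tells the whole story. Only network object-groups are expanded; the service part of an ACE (the `eq www` tail, or a service object-group name) is compared as literal text, and only PIX-style `access-list NAME permit ...` syntax is parsed.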
06-13-2007 11:20 PM
Hi
Yes that looks fine to me. I agree that it is best that you test this out of hours just in case you have missed anything.
Let me know how you get on
Jon
06-14-2007 12:04 AM
Jon thanks.
I have multiple examples of pairs of rules in separate access-lists which reference the same source and destination networks, and both are getting hit. How does this work? Do I need both lines?
06-14-2007 12:09 AM
Will
Could you send an example of what you mean.
Jon
06-14-2007 12:39 AM
yup sure
access-list 1 permit ip object-group UK_Network object-group Canada_Network
access-list 2 permit ip object-group UK_Network object-group Canada_Network
Both are getting hit. Why are both needed? Wouldn't just one do the job?
06-14-2007 01:03 AM
Will
Where are these access-lists applied, i.e. which interfaces are they applied to and in which direction?
Ordinarily you don't need to have the same access-lists, but without some context it's difficult to say.
Jon
06-14-2007 02:37 AM
Hi,
Neither is applied with an access-group command. UK_Network is on the inside and Canada on the outside.
06-14-2007 02:50 AM
Will
Okay, I'm confused now. How are you getting hits on them if you have not applied them to any interfaces?
Jon
06-14-2007 07:32 AM
Good, sort of, as that had been confusing me too! This config is something I have inherited and am just coming to terms with (and the counters have been cleared recently). I've been tasked with cleaning up a config which has had numerous people working on it over the last few years.
I have two access-lists applied to interfaces as follows:
access-group if-out-owa in interface outside
access-group inside_access_out in interface inside
access-list if-out-owa permit tcp any host 62.x.x.x eq www
access-list if-out-owa permit tcp any host 62.x.x.x eq https
access-list inside_access_out deny ip any host ip_of_some_virus_server
access-list inside_access_out permit ip any any
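An added example, not from the thread or from any poster, for the clean-up problem raised in the last few posts: a Python script that reads a PIX/ASA config, lists every access-list that nothing binds (no access-group, nat, static, crypto map, class-map match, vpn-filter or split-tunnel reference) and groups access-lists whose bodies are identical line for line, which is the case the duplicate "access-list 1" / "access-list 2" pair raises. The embedded config is constructed with hypothetical names and RFC 5737 addresses; the set of reference forms is the one a practitioner would check first and is not claimed to be exhaustive.

```python
"""Find access-lists in a PIX/ASA config that nothing references, and lists with identical bodies."""
import re
from collections import defaultdict

# Constructed sample config (hypothetical names and RFC 5737 addresses, not the thread's).
SAMPLE_CONFIG = """
access-list alert-interval 300
access-list if-out-owa permit tcp any host 203.0.113.10 eq www
access-list if-out-owa permit tcp any host 203.0.113.10 eq https
access-list inside_access_out deny ip any host 198.51.100.7
access-list inside_access_out permit ip any any
access-list 1 permit ip object-group UK_Network object-group Canada_Network
access-list 2 permit ip object-group UK_Network object-group Canada_Network
access-list nonat permit ip 10.20.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-group if-out-owa in interface outside
access-group inside_access_out in interface inside
nat (inside) 0 access-list nonat
crypto map outside_map 10 match address 1
"""

# Global settings that share the access-list keyword but are not ACLs.
NOT_ACLS = {"alert-interval", "deny-flow-max"}

# Places a PIX/ASA config can bind an access-list by name (ACL name captured in group 1).
REFERENCE_PATTERNS = [
    re.compile(r"^access-group (\S+) (?:in|out) interface \S+"),    # interface filter
    re.compile(r"^nat \(\S+\) \d+ access-list (\S+)"),              # nat 0 / policy NAT
    re.compile(r"^static \(\S+,\S+\) \S+ access-list (\S+)"),        # policy static
    re.compile(r"^crypto map \S+ \d+ match address (\S+)"),          # IPsec crypto ACL
    re.compile(r"^\s*match access-list (\S+)"),                      # class-map (MPF)
    re.compile(r"^\s*vpn-filter value (\S+)"),                       # group-policy filter
    re.compile(r"^\s*split-tunnel-network-list value (\S+)"),        # split tunnel list
]

def parse_acls(config):
    """Return (name -> ACE lines without the 'access-list NAME' prefix, name -> referencing lines)."""
    bodies, refs = defaultdict(list), defaultdict(list)
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^access-list (\S+) (.+)$", line)
        if m:
            if m.group(1) not in NOT_ACLS:
                bodies[m.group(1)].append(m.group(2))
            continue
        for pat in REFERENCE_PATTERNS:
            m = pat.match(line)
            if m:
                refs[m.group(1)].append(line.strip())
    return dict(bodies), dict(refs)

def unreferenced_acls(config):
    """Access-lists that are defined but bound by none of the known reference forms."""
    bodies, refs = parse_acls(config)
    return sorted(name for name in bodies if name not in refs)

def duplicate_acls(config):
    """Groups of access-lists whose ACEs are identical, line for line and in the same order."""
    bodies, _ = parse_acls(config)
    by_body = defaultdict(list)
    for name, aces in bodies.items():
        by_body[tuple(aces)].append(name)
    return sorted(sorted(names) for names in by_body.values() if len(names) > 1)

if __name__ == "__main__":
    bodies, refs = parse_acls(SAMPLE_CONFIG)
    for name in sorted(bodies):
        print(f"{name}: {len(bodies[name])} ACE(s), bound by {refs.get(name, ['nothing'])}")
    print("unreferenced:", unreferenced_acls(SAMPLE_CONFIG))
    print("identical bodies:", duplicate_acls(SAMPLE_CONFIG))
```

Run against a saved `show running-config`, it reports `2` as unreferenced and `1`/`2` as identical, which is the evidence needed before deleting one of a pair: a list that is bound by a crypto map or a nat 0 statement rather than an access-group still does real work even though `show access-list` gives no hint of where. Remarks count as part of a body, so two lists that differ only in remark text are not reported as duplicates.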