object-group acl example

w.halliday
Level 1

Hi

I'm just converting my ACLs to use object-groups and just wanted to check the ACLs I have written are OK. To start with I have some ACLs of:

access-list example permit ip 192.x.x.0 255.255.255.0 10.x.0.0 255.255.0.0
access-list example permit ip 192.x.x.0 255.255.255.0 10.x.0.0 255.255.0.0
access-list example permit ip 192.x.x.0 255.255.255.0 10.x.0.0 255.255.0.0
access-list example permit ip 192.x.x.0 255.255.255.0 10.x.0.0 255.255.0.0

and some object-groups of:

object-group network UK_Network
description subnets in use on UK LAN
network-object 192.x.x.x 255.255.255.0
network-object 192.x.x.x 255.255.255.0
network-object 192.x.x.x 255.255.255.0
network-object 192.x.x.x 255.255.255.0
network-object 10.x.0.0 255.255.0.0

object-group network Canada_Network
network-object 10.x.0.0 255.255.0.0

the access-list I have written to use the object-groups is:

access-list example permit ip object-group UK_Network object-group Canada_Network

does this look right?

thanks

13 Replies

Jon Marshall
Hall of Fame

Hi

It looks fine other than the 10.x.0.0 entry in the UK_Network object-group. Do you need this?

HTH

Jon

Hi Jon

My fault with the notation of the subnets; it should read:

object-group network UK_Network
description subnets in use on UK LAN
network-object 192.x.x.x 255.255.255.0
network-object 192.x.x.x 255.255.255.0
network-object 192.x.x.x 255.255.255.0
network-object 192.x.x.x 255.255.255.0
network-object 10.20.x.x 255.255.0.0

object-group network Canada_Network
network-object 10.1.x.x 255.255.0.0

The network object-group ACLs seem easy enough. Would it be OK if I ran some port, protocol and ICMP ACLs past you?

Hi

Yes, no problem at all.

Jon

thx

Here are some object-groups I've written, and I'm just writing the access-lists currently. Also wondering about the best testing and implementation method: presumably one access-list at a time and out of hours!?

object-group protocol proto_grp_1
protocol-object udp

object-group service OWA_AD TCP
description TCP ports for Outlook Web Access and Active Directory
port-object eq ldap
port-object eq www
port-object eq domain
port-object eq https
port-object eq 42
port-object eq 88
port-object eq 135
port-object eq 445
port-object eq 3268
port-object eq 3269

object-group service OWA_AD UDP
description UDP ports for Outlook Web Access and Active Directory
port-object eq ldap
port-object eq domain
port-object eq 42
port-object eq 88
port-object eq 135
port-object eq 445
port-object eq 3268
port-object eq 3269

object-group service External_Addresses TCP
description TCP ports for External Addresses
port-object eq www
port-object eq smtp
port-object eq pop3

object-group service External_Addresses UDP
description UDP ports for External Addresses
port-object eq 10000

object-group protocol TCP
protocol-object tcp

Hi J

My original access-lists are:

access-list if-out permit tcp any host 62.x.x.232 eq www
access-list if-out permit tcp any host 62.x.x.235 eq pop3
access-list if-out permit tcp any host 62.x.x.234 eq smtp
access-list if-out permit tcp any host 62.x.x.234 eq www
access-list if-out permit tcp any host 62.x.x.235 eq www
access-list if-out permit tcp any host 62.x.x.235 eq smtp

New object-groups:

object-group network External_Addresses
description External Addresses
network-object host 62.x.x.234
network-object host 62.x.x.235

Updated access-lists:

access-list if-out permit tcp any host 62.x.x.232 eq www
access-list if-out permit tcp any host 62.x.x.235 eq pop3
access-list if-out permit tcp any object-group External_Addresses eq smtp
access-list if-out permit tcp any object-group External_Addresses eq www

How's that look? Cheers for the help; I've been sidetracked onto some other stuff, unfortunately.
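A way to check both conversions in this thread mechanically (the UK_Network/Canada_Network rewrite of the "example" ACL and the External_Addresses rewrite of "if-out"), as an added example that is not code from the thread or from Cisco: it expands each ACE, including the object-group cross product, into flat source/destination/port tuples and diffs the old and new lists. The "x" octets from the posts are replaced with constructed placeholder addresses, and UK_Network keeps its 10.20.0.0/16 member so the extra permit that member introduces shows up in the diff.

```python
import ipaddress
from itertools import product

# Constructed stand-ins for the octets the thread masks with "x"; they are
# not the poster's real addresses, only placeholders for the comparison.
GROUPS = {
    "UK_Network": ["192.0.2.0/24", "198.51.100.0/24", "10.20.0.0/16"],
    "Canada_Network": ["10.1.0.0/16"],
    "External_Addresses": ["62.0.0.234/32", "62.0.0.235/32"],
}

def operand(tokens):
    # Consume one address operand: any | host A | object-group G | A MASK
    t = tokens.pop(0)
    if t == "any":
        return ["0.0.0.0/0"]
    if t == "host":
        return [tokens.pop(0) + "/32"]
    if t == "object-group":
        return [str(ipaddress.ip_network(n)) for n in GROUPS[tokens.pop(0)]]
    return [str(ipaddress.ip_network(f"{t}/{tokens.pop(0)}"))]

def expand(ace):
    # One extended permit ACE -> set of flat (proto, src, dst, port) tuples;
    # an object-group on either side becomes the cross product of members.
    tokens = ace.split()
    assert tokens[0] == "access-list" and tokens[2] == "permit"
    proto, rest = tokens[3], tokens[4:]
    src, dst = operand(rest), operand(rest)
    port = rest[1] if rest[:1] == ["eq"] else "any"
    return {(proto, s, d, port) for s, d in product(src, dst)}

def compare(old, new):
    # (permitted only by old, permitted only by new); ([], []) = equivalent
    a, b = set().union(*map(expand, old)), set().union(*map(expand, new))
    return sorted(a - b), sorted(b - a)

OLD_EXAMPLE = [f"access-list example permit ip {n} 255.255.255.0 10.1.0.0 255.255.0.0"
               for n in ("192.0.2.0", "198.51.100.0")]
NEW_EXAMPLE = ["access-list example permit ip object-group UK_Network object-group Canada_Network"]
OLD_IFOUT = [f"access-list if-out permit tcp any host 62.0.0.{h} eq {p}"
             for h, p in [(232, "www"), (235, "pop3"), (234, "smtp"),
                          (234, "www"), (235, "www"), (235, "smtp")]]
NEW_IFOUT = OLD_IFOUT[:2] + [
    "access-list if-out permit tcp any object-group External_Addresses eq smtp",
    "access-list if-out permit tcp any object-group External_Addresses eq www"]
```

compare(OLD_EXAMPLE, NEW_EXAMPLE) reports one tuple permitted only by the new ACL (10.20.0.0/16 to 10.1.0.0/16, the member Jon queried), while compare(OLD_IFOUT, NEW_IFOUT) reports nothing either way, so the if-out rewrite is an exact equivalent.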

Hi

Yes that looks fine to me. I agree that it is best that you test this out of hours just in case you have missed anything.

Let me know how you get on

Jon

Jon thanks.

I have multiple examples of pairs of rules in separate access-lists which reference the same source and destination networks that are both getting hit. How does this work? Do I need both lines?

Will

Could you send an example of what you mean.

Jon

Yup, sure:

access-list 1 permit ip object-group UK_Network object-group Canada_Network
access-list 2 permit ip object-group UK_Network object-group Canada_Network

Both getting hit. Why are both needed? Wouldn't just one do the job?

Will

Where are these access-lists applied, i.e. which interfaces are they applied to and in which direction?

Ordinarily you don't need to have the same access-lists, but without some context it's difficult to say.

Jon

Hi,

Neither is applied with an access-group command. UK_Network is on inside and Canada on outside.

Will

Okay, I'm confused now. How are you getting hits on them if you have not applied them on any interfaces?

Jon

Good, sort of, as that had been confusing me too! This config is something I have inherited and I'm just coming to terms with (and the counters have been cleared recently). I've been tasked with cleaning up a config which has had numerous people working on it over the last few years.

I have two access-lists applied to interfaces as follows:

access-group if-out-owa in interface outside
access-group inside_access_out in interface inside

access-list if-out-owa permit tcp any host 62.x.x.x eq www
access-list if-out-owa permit tcp any host 62.x.x.x eq https
access-list inside_access_out deny ip any host ip_of_some_virus_server
access-list inside_access_out permit ip any any
