IOS FW object-group network

Jan 19th, 2009

With IOS 12.4(20)T, I am able to create network or service object-groups.

I would like to create an external network object-group meaning that it will include all outside networks and exclude all my inside private networks.


I didn't find any way to say 'all but my inside networks'.

Then, I created an object-group containing all public network ranges between the private RFC 1918 classes:

range 0.0.0.1 9.255.255.255

range 11.0.0.0 169.253.255.255

range 170.0.0.0 172.15.255.255

range 173.0.0.0 192.167.255.255

range 192.169.0.0 223.255.255.255


IOS has nothing to negate a host, a subnet or a network range.


I can use an ACE 'deny object-group <internal networks>' to exclude internal networks before a 'permit any any', but it will make the configuration bigger, less readable and confusing when there are a lot of ACEs to be organized.

Maybe it is a new feature suggestion to exclude some networks in object-groups rather than always include them.


falain Tue, 03/03/2009 - 08:26

I answer to myself since nobody replies.

Is IOS FW banned from the security forum?

Maybe it is an ASA internal killer product!


I found in the release notes (supposedly) that an object-group range has an implicit /24 netmask.

So it is impossible to go beyond class C boundaries.

Then, I replaced it with many subnets using my favourite CIDR calculator.
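
The "list all but my private subnets" step that the thread ends up with, as an added Python example (not from the poster or from Cisco): it computes the complement of a constructed exclusion list (the three RFC 1918 blocks here) within 0.0.0.0/0 as proper CIDR subnets, which sidesteps the /24 limit on `range` mentioned above, and renders them in the assumed IOS `object-group network` syntax ('network mask', 'host A.B.C.D' for a /32).

```python
import ipaddress

# Constructed exclusion list for this example: the three RFC 1918 blocks the
# poster wants left out of his "External" object-group. Add other blocks
# (169.254.0.0/16, 224.0.0.0/3, ...) here if they should be excluded too.
PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def complement(universe, excluded):
    """Return the CIDR blocks of `universe` not covered by any `excluded` net.

    Every block is a proper prefix, so it can be written as 'network mask'
    in an IOS object-group instead of a 'range' (which, per the release
    notes cited in the thread, is limited to a /24).
    """
    remaining = [ipaddress.ip_network(universe)]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        kept = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                              # wholly private: drop
            if ex.subnet_of(net):
                kept.extend(net.address_exclude(ex))  # carve the hole out
            else:
                kept.append(net)                      # disjoint: keep as is
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def covers(networks, address):
    """True if `address` falls inside one of `networks` (used for checking)."""
    return any(ipaddress.ip_address(address) in n for n in networks)


def ios_object_group(name, networks):
    """Render the blocks as IOS 'object-group network' statements
    (assumed syntax: 'host A.B.C.D' for a /32, otherwise 'network mask')."""
    lines = [f"object-group network {name}"]
    for net in networks:
        if net.prefixlen == 32:
            lines.append(f" host {net.network_address}")
        else:
            lines.append(f" {net.network_address} {net.netmask}")
    return lines


def external_group(name="EXTERNAL", excluded=PRIVATE):
    return ios_object_group(name, complement("0.0.0.0/0", excluded))


if __name__ == "__main__":
    print("\n".join(external_group()))
```

Excluding the three RFC 1918 blocks from 0.0.0.0/0 yields 31 subnets; adding multicast and link-local to the exclusion list only lengthens the output, the generator does not change.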

Alex Yeung Thu, 03/05/2009 - 10:33
Cisco Employee

Hi,


Of course IOS FW is NOT banned from the security forum. In fact, we have an "Ask The Experts" section going on just for IOS Firewall:


http://forums.cisco.com/eforum/servlet/NetProf?page=Expert_Archive_discussion


To answer your question, service Object Group has the "neg" knob to negate objects. For network Object Group, you can use the "deny object-group-name" in ACL, just like you described.


Thanks.


Alex Yeung

falain Fri, 03/06/2009 - 10:15

Hi,

Thanks for answering.

I suppose you mean 'neq' in a service object group (i.e. tcp neq www).

But I think IOS lacks this negative syntax in network object groups to say 'not this subnet' or 'not this host'.

Then, to define the network object group External, I have to list all but my private subnets (RFC 1918 A, B & C classes).

It would have been easier and lighter to negate my private subnets.


I don't want to make deny then permit ACEs because they are generated automatically and the ACE ordering can't be guaranteed.

So object-groups must be self-explaining.


Alex Yeung Fri, 03/06/2009 - 17:27
Cisco Employee

Thanks for your feedback. I will take it to our engineering team.


Regards,


Alex Yeung
