01-19-2009 10:36 AM - edited 03-11-2019 07:39 AM
with IOS 12.4(20)T, I am able to create network or service objects-groups.
I would like to create an external network object-group meaning that it will include all outside networks and exclude all my inside private networks.
I didn't find any way to say 'all but my inside networks'.
Then, I created an object-group containing all public network ranges between private RFC 1918 classes:
range 0.0.0.1 9.255.255.255
range 11.0.0.0 169.253.255.255
range 170.0.0.0 172.15.255.255
range 173.0.0.0 192.167.255.255
range 192.169.0.0 223.255.255.255
IOS has nothing to negate a host or a subnet or a network range
I can use an ACE "deny object-group <internal networks>" to exclude internal networks before a "permit any any", but it will make the configuration bigger, less readable and confusing when there are a lot of ACEs to be organized.
Maybe it is a new feature suggestion to exclude some networks in object-groups rather than always include them.
03-03-2009 08:26 AM
I answer to myself since nobody replies.
Is IOS FW banned from security forum ?
Maybe it is an ASA internal killer product!
I found in release note (supposedly), that object-group range has an implicit /24 netmask.
So impossible to go beyond C class boundaries.
Then, I replaced it with many subnets using my favourite CIDR calculator.
03-05-2009 10:33 AM
Hi,
Of course IOS FW is NOT banned from security forum. In fact, we have an "Ask The Experts" section going on just for IOS Firewall:
http://forums.cisco.com/eforum/servlet/NetProf?page=Expert_Archive_discussion
To answer your question, service Object Group has the "neg" knob to negate objects. For network Object Group, you can use the "deny object-group-name" in ACL, just like you described.
Thanks.
Alex Yeung
03-06-2009 10:15 AM
Hi,
thanks for answering.
I suppose you mean 'neq' in service object group (ie tcp neq www).
but I think IOS lacks this negative syntax in network object groups to say 'not this subnet' or 'not this host'
Then to define network object group External, I have to list all but my private subnets (rfc1918 A, B & C classes)
It would have been easier and lighter to negate my private subnets.
I don't want to make deny then permit ACEs because they are generated automatically and the ACEs' ordering can't be guaranteed.
So object-groups must be self-explaining.
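The "list all but my private subnets" object-group described in the two posts above (the ranges in the first post, and the CIDR-calculator subnets the poster later switched to) can be generated rather than typed by hand. The script below is an added example, not code from the thread or from Cisco: it subtracts the RFC 1918 blocks from 0.0.0.0/0 with the Python standard library's ipaddress module and prints the result as IOS "object-group network" entries using the "network-address netmask" form. The group name EXTERNAL and the choice of excluded prefixes are assumptions; the excluded list can be extended (for example with the 169.254.0.0/16 block the original poster also left out) and the complement is recomputed.

```python
import ipaddress

# Constructed input: the three RFC 1918 blocks the poster wants to leave out.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def complement_cidrs(excluded, universe=ipaddress.ip_network("0.0.0.0/0")):
    """Return the minimal sorted list of CIDR prefixes covering `universe`
    minus every prefix in `excluded` (the 'all but these networks' set)."""
    remaining = [universe]
    for ex in excluded:
        nxt = []
        for net in remaining:
            if ex.subnet_of(net):
                # Split `net` into the siblings that do not contain `ex`.
                nxt.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                # `net` lies entirely inside an excluded block: drop it.
                continue
            else:
                nxt.append(net)   # disjoint, keep unchanged
        remaining = nxt
    return sorted(remaining)


def ios_object_group(name, nets):
    """Render prefixes as IOS 'object-group network' configuration lines
    (group name is an assumption; entries use the 'address netmask' syntax)."""
    lines = [f"object-group network {name}",
             f" description all addresses except excluded private blocks"]
    for net in nets:
        if net.prefixlen == 32:
            lines.append(f" host {net.network_address}")
        else:
            lines.append(f" {net.network_address} {net.netmask}")
    return lines


def covers(nets, addr):
    """True if `addr` falls inside any prefix of `nets` (a sanity check before
    pasting the group into a firewall policy)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


if __name__ == "__main__":
    external = complement_cidrs(RFC1918)
    print("\n".join(ios_object_group("EXTERNAL", external)))
    print(f"! {len(external)} entries, 10.1.1.1 covered: {covers(external, '10.1.1.1')}")
```

Subtracting a /n from a /m that contains it always yields n-m sibling prefixes, so the three RFC 1918 blocks produce 8 + 11 + 14 - 2 = 31 entries; checking that no private address is covered before deploying the group is the safeguard against a typo in the excluded list.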
03-06-2009 05:27 PM
Thanks for your feedback. I will take it to our engineering team.
Regards,
Alex Yeung