newbie question: object and object group

Unanswered Question
Aug 30th, 2010

Hi, I am quite new to the ASA firewall.

I just want to ask whether the statement below is correct:

object network users
subnet 10.10.10.0 255.255.255.0
description vlan 10 Users

object network IP_Phone
subnet 10.10.20.0 255.255.255.0
description vlan20 IP Phone

object-group network Inside_Network
network-object object users
network-object object IP_Phone

For the object-group network Network_Mgnt, is the network-object object users statement equivalent to network-object 10.10.10.0 255.255.255.0?

thanks

Nagaraja Thanthry Mon, 08/30/2010 - 19:53

Hello,

Yes, you are correct. If you look at the output below:

access-list test line 1 extended permit ip any object-group Inside_Network
access-list test line 1 extended permit ip any 10.10.10.0 255.255.255.0
access-list test line 1 extended permit ip any 10.10.20.0 255.255.255.0

The first line is the one that we configure in the firewall, and it expands to the next two lines when building the ACE.

Hope this helps.

Regards,

NT

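The expansion NT describes, done by hand, as an added Python example that is not from this thread or from Cisco: it parses the object and object-group lines posted in the question (embedded as a constructed sample) and expands an ACE into the per-network entries that show access-list prints, so you can review exactly what a group-based rule permits before it is applied.

```python
# Constructed sample: the objects and group from the question above.
CONFIG = """\
object network users
 subnet 10.10.10.0 255.255.255.0
 description vlan 10 Users
object network IP_Phone
 subnet 10.10.20.0 255.255.255.0
object-group network Inside_Network
 network-object object users
 network-object object IP_Phone
"""

def parse_objects(text):
    """Map each object/object-group name to its members: networks as the ASA prints them
    ('10.10.10.0 255.255.255.0', 'host A') or references ('object X', 'group-object G')."""
    objs, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if not line.startswith(" "):  # top-level command: only network objects open a block
            current = objs.setdefault(words[2], []) if words[:2] in (
                ["object", "network"], ["object-group", "network"]) else None
        elif current is None:
            continue
        elif words[0] == "subnet":
            current.append(" ".join(words[1:3]))
        elif words[0] in ("host", "group-object"):
            current.append(" ".join(words[:2]))
        elif words[0] == "network-object":  # 'object X', 'host A' or 'A M'
            current.append(" ".join(words[1:]))
        # any other member line ('description ...') is ignored
    return objs

def resolve(name, objs):  # flatten an object or object-group (nested groups included) to networks
    out = []
    for member in objs[name]:
        kind, *rest = member.split()
        out += resolve(rest[0], objs) if kind in ("object", "group-object") else [member]
    return out

def expand_ace(ace, objs, line_no=1):
    """Expand 'access-list NAME extended ACTION PROTO SRC DST' into the per-network
    entries the ASA builds for it, in the form 'show access-list' prints them."""
    w = ace.split()
    name, action, proto, i, ends = w[1], w[3], w[4], 5, []
    for _ in range(2):  # source endpoint, then destination endpoint
        n = 1 if w[i] in ("any", "any4", "any6") else 2  # 'any' | 'object X' | 'host A' | 'A M'
        token, i = w[i:i + n], i + n
        ends.append(resolve(token[1], objs) if token[0] in ("object", "object-group") else [" ".join(token)])
    return [f"access-list {name} line {line_no} extended {action} {proto} {s} {d}"
            for s in ends[0] for d in ends[1]]
```

On the ASA itself, show access-list test prints the same expanded entries with a hit count per entry, which is the quickest way to confirm that an edit to the group actually reached the ACL.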
yong khang NG Tue, 08/31/2010 - 00:14

Hi, some design questions.

Basically my network topology looks like the diagram illustrated.

a. The outside interface faces the public internet.

b. Inside interface
- physically, it is connected to the core switch
- logically, this interface will have sub-interfaces for the different zones
- the CSC module is physically connected to the core switch, and falls into vlan200 management

c. MISC

- the switch will do the inter-vlan routing
- one email server resides in vlan100 server (10.10.100.25 --> 202.152.87.25), which I need to do NAT for.

I try to use object and object-group to categorize it (shown in the diagram)

my question is:

1. So I need to explicitly create the ACL for outside remote access?
Is this the correct way for my ACL?
example: access-list mgnt_zone_access_in extended permit ip any any

2. So I can apply either an object or an object-group on the ACL or NAT?

3. Besides the email server, which I know is going to have static NAT, should I do any NAT for the network? (Well, your suggestions are welcome: if you met this kind of topology, what would you do?)

4. What does it mean for this NAT+ACL hybrid?
example: access-list mgtn_zone_nat0_outbound extended permit ip 10.10.200.0 255.255.255.0 10.10.10.0 255.255.255.0

thanks
