Creating object-groups on a pix 515 ios 7.1

phillips.w · ‎03-31-2006

I am attempting to create object-group to make the management of the access list easier. I am planning on using network, protocol, services and icmp-type.

Here is one of the object containers:

object-group protocol tunnel-protocol

description Protocols allowed across VPN Tunnel to Tiffany

Protocol-object ip

Protocol-object udp

Protocol-object tcp

Protocol-object icmp

object-group service tunnel-service

description Services allowed across VPN Tunnel to Tiffany

port-object eq ssh

port-object eq www

port-object eq https

port-object eq 3690

port-object eq 3306

object-group network vpn_philippines

description Networks allowed for VPN Tunnel Philippines Side

network-object host 203.82.38.76

network-object host 203.82.38.77

network-object host 203.82.38.78

exi

object-group network vpn_tiffany

description Networks allowed for VPN Tunnel Tiffany Side

network-object host 70.169.128.236

network-object host 70.169.128.237

network-object host 70.169.128.238

exi

My concern is applying these and if they are configured correctly

Patrick Laidlaw · ‎04-01-2006

hello

Your object groups look fine but I think your going a little over board using the protocl group. Usually people use one group for ip addys/networks and maybe a services group in a rule.

From what I see your going to use this for vpn matching or for the access-list inside.

Don't get to over zealous with your groups if there is no need.

Patrick

phillips.w · ‎04-02-2006

Thanks for the help. I will remove the protocols and enter one line in the acl for each.

Thanks