03-18-2003 12:43 PM - edited 03-09-2019 02:34 AM
I have a question regarding an object group I created and adding it to an acl.
I would like to turn this acl into an object-group:
access-list permit_out permit tcp host <proxy_ip_address> any eq domain
access-list permit_out permit udp host <proxy_private_ip> any eq domain
access-list permit_out permit tcp host <proxy_private_ip> any eq www
access-list permit_out permit tcp host <proxy_private_ip> any eq https
access-list permit_out permit tcp host <proxy_private_ip> any eq pop3
access-list permit_out permit tcp host <proxy_private_ip> any eq ftp
access-list permit_out permit tcp host <proxy_private_ip> any eq nntp
Here's what I did
example:
pix(config)# object-group service proxy tcp-udp
pix(config-service)# port-object eq 119
pix(config-service)# port-object eq 21
pix(config-service)# port-object eq 110
pix(config-service)# port-object eq 80
pix(config-service)# port-object eq 443
pix(config-service)# port-object eq 53 (I assume this takes care of dns udp and tcp)
Now is it possible to use this object group with an inside access list???
Ex.
access-list permit-out permit ip host <proxy_private_ip> object-group proxy
This ACL doesn't work. I think because the protocol being used is incorrect???
Should I create a separate object-group for the host using a network-object and specify the proxy?
Ex.
pix(config)# object-group network proxy1
pix(config)# network-object host <proxy_private_ip>
Then create 2 different ACLs?
Thanks in advance....
03-18-2003 02:50 PM
Do you get a syntax error when you add that command? If so, you left out an "any" in it:
access-list permit-out permit ip host
If not, what do you mean by "it doesn't work"? What do you get if you do a "sho access-list permit-out", what are the hit counters on each line? Does no traffic go out, or does all traffic go out?
03-19-2003 08:40 AM
I will try to explain a little better. Yesterday I was in rush.
This is what I have currently:
access-list permit_out permit tcp host
access-list permit_out permit udp host
access-list permit_out permit tcp host
access-list permit_out permit tcp host
access-list permit_out permit tcp host
access-list permit_out permit tcp host
access-list permit_out permit tcp host
These are the object groups I have created:
object-group network proxy_server
network-object host
object-group service proxy_server_services tcp-udp
description: services allowed to exit the proxy server
port-object eq 21
port-object eq 119
port-object eq 110
port-object eq 53
port-object eq 80
port-object eq 443
How do I get that into an ACL?
Basically I want only the following services (proxy_server_services) allowed from the inside network host (proxy_server) out to the Internet.
I think there might be a problem with the protocol (dns using tcp-udp) and the access list?? Not sure. This is what I get when I try ACLs.
access-list permit_out permit ip object-group proxy_server object-group proxy_server_services
ERROR: specified object group
Then reverse the order of the ACL:
access-list permit_out permit ip object-group proxy_server_services object-group proxy_server
ERROR: specified object group
Adding the keyword
Thanks in advance
03-20-2003 03:01 PM
As I said, you left out an "any" keyword, plus I just noticed you're defining an IP access-list but putting TCP/UDP ports in it, this won't work either. The correct commands will be:
> access-list permit_out permit tcp object-group proxy_server any object-group proxy_server_services
> access-list permit_out permit udp object-group proxy_server any object-group proxy_server_services
If you like, you can also combine the tcp and udp into another object group of type "protocol", so you'll have:
> object-group protocol prots
> protocol-object tcp
> protocol-object udp
then your ACL will be:
> access-list permit_out permit object-group prots object-group proxy_server any object-group proxy_server_services
Object group examples are here:
03-21-2003 09:25 AM
O.k. that worked. This is what I did:
I created these two access lists from the below object-group commands
access-list permit_out permit tcp object-group proxy_server any object-group proxy_tcp_srvc
access-list permit_out permit udp object-group proxy_server any object-group proxy_udp_srvc
object-group network proxy_server
network-object host
object-group service proxy_tcp_srvc tcp
description TCP Services allowed from the Proxy Server
port-object eq ftp
port-object eq nntp
port-object eq pop3
port-object eq www
port-object eq https
port-object eq domain
object-group service proxy_udp_srvc udp
description UDP Services allowed from the Proxy Server
port-object eq domain
Basically saying (educational purposes)
Allow the following services to exit the firewall from host
ftp, dns, pop3, news, web, https (hotmail, yahoo, etc).
Thanks for the help.....
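To confirm that the object-group version really stands for the seven flat lines the thread started with, here is an added Python helper (not from the thread and not a Cisco tool) that flattens object-group ACEs into the per-port entries the firewall evaluates, and rejects the two mistakes discussed above: a service group placed where an address belongs, and port terms on a `permit ip` entry. The host address 192.0.2.10 is a constructed placeholder; the group and ACL names are those from the final post.

```python
# Constructed sample (not the poster's literal config): the thread's final object-group
# layout, with a placeholder host address because the original post elided it.
SAMPLE_CONFIG = """\
object-group network proxy_server
 network-object host 192.0.2.10
object-group service proxy_tcp_srvc tcp
 port-object eq ftp
 port-object eq nntp
 port-object eq pop3
 port-object eq www
 port-object eq https
 port-object eq domain
object-group service proxy_udp_srvc udp
 port-object eq domain
access-list permit_out permit tcp object-group proxy_server any object-group proxy_tcp_srvc
access-list permit_out permit udp object-group proxy_server any object-group proxy_udp_srvc
"""
def parse_groups(config):
    """Map group name -> {kind, members}; description and access-list lines are skipped."""
    groups, current = {}, None
    for w in (line.split() for line in config.splitlines()):
        if w[:1] == ["object-group"]:      # object-group KIND NAME [tcp|udp|tcp-udp]
            current = groups[w[2]] = {"kind": w[1], "members": []}
        elif current and w and w[0] in ("network-object", "port-object", "protocol-object"):
            current["members"].append(" ".join(w[1:]))   # "host A", "eq ftp", "tcp"
    return groups
def _take(tokens, groups, kind):
    """Pop one protocol, address or port term; return every value it stands for."""
    if tokens[0] == "object-group":
        group = groups[tokens[1]]
        if group["kind"] != kind:   # e.g. a service group where an address belongs
            raise ValueError(f"{tokens[1]} is a {group['kind']} group; expected a {kind} term")
        del tokens[:2]
        return list(group["members"])
    n = 1 if kind == "protocol" or tokens[0] == "any" else 2   # "host A", "A MASK", "eq PORT"
    term, tokens[:] = " ".join(tokens[:n]), tokens[n:]
    return [term]
def expand_ace(ace, groups):
    """Expand one access-list line into the flat ACEs it stands for."""
    _, name, action, *t = ace.split()
    protos, srcs = _take(t, groups, "protocol"), _take(t, groups, "network")
    dsts, ports = _take(t, groups, "network"), (_take(t, groups, "service") if t else [""])
    if ports != [""] and any(p not in ("tcp", "udp") for p in protos):
        raise ValueError("a port term needs tcp or udp, not ip")   # the 'permit ip ... ports' mistake
    return [f"access-list {name} {action} {p} {s} {d} {po}".rstrip()
            for p in protos for s in srcs for d in dsts for po in ports]
def expand_config(config):   # flatten every access-list line against the groups it defines
    groups = parse_groups(config)
    return [a for l in config.splitlines() if l.startswith("access-list ") for a in expand_ace(l, groups)]
```

Compare the flattened output with the hit counters from "sho access-list permit_out" to see which of the seven entries traffic is actually matching.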