Object-group help

adisegna
Level 1

I have a question regarding an object group I created and adding it to an acl.

I would like to turn this acl into an object-group:

access-list permit_out permit tcp host <proxy_ip_address> any eq domain
access-list permit_out permit udp host <proxy_private_ip> any eq domain
access-list permit_out permit tcp host <proxy_private_ip> any eq www
access-list permit_out permit tcp host <proxy_private_ip> any eq https
access-list permit_out permit tcp host <proxy_private_ip> any eq pop3
access-list permit_out permit tcp host <proxy_private_ip> any eq ftp
access-list permit_out permit tcp host <proxy_private_ip> any eq nntp

Here's what I did

example:

pix(config)# object-group service proxy tcp-udp
pix(config-service)# port-object eq 119
pix(config-service)# port-object eq 21
pix(config-service)# port-object eq 110
pix(config-service)# port-object eq 80
pix(config-service)# port-object eq 443
pix(config-service)# port-object eq 53 (I assume this takes care of DNS over UDP and TCP)

Now, is it possible to use this object group with an inside access list?

Ex.

access-list permit-out permit ip host <proxy_private_ip> object-group proxy

This ACL doesn't work. I think because the protocol being used is incorrect?

Should I create a separate object-group for the host using a network-object and specify the proxy?

Ex.

pix(config)# object-group network proxy1
pix(config-network)# network-object host <proxy_private_ip>

Then create 2 different ACLs?

Thanks in advance....

4 Replies

gfullage
Cisco Employee

Do you get a syntax error when you add that command? If so, you left out an "any" in it:

access-list permit-out permit ip host <proxy_private_ip> any object-group proxy

If not, what do you mean by "it doesn't work"? What do you get if you do a "sho access-list permit-out", what are the hit counters on each line? Does no traffic go out, or does all traffic go out?

I will try to explain a little better. Yesterday I was in rush.

This is what I have currently:

access-list permit_out permit tcp host <proxy_private_ip> any eq domain
access-list permit_out permit udp host <proxy_private_ip> any eq domain
access-list permit_out permit tcp host <proxy_private_ip> any eq www
access-list permit_out permit tcp host <proxy_private_ip> any eq https
access-list permit_out permit tcp host <proxy_private_ip> any eq pop3
access-list permit_out permit tcp host <proxy_private_ip> any eq ftp
access-list permit_out permit tcp host <proxy_private_ip> any eq nntp

<proxy_private_ip> = the same internal host IP address. I want to consolidate the above into object groups.

These are the object groups I have created:

object-group network proxy_server
network-object host <proxy_private_ip>

object-group service proxy_server_services tcp-udp
description: services allowed to exit the proxy server
port-object eq 21
port-object eq 119
port-object eq 110
port-object eq 53
port-object eq 80
port-object eq 443

How do I get that into an ACL?

Basically I want only the following services (proxy_server_services) allowed from the inside network host (proxy_server) out to the Internet.

I think there might be a problem with the protocol (DNS using tcp-udp) and the access list? Not sure. This is what I get when I try the ACLs:

access-list permit_out permit ip object-group proxy_server object-group proxy_server_services
ERROR: specified object group has wrong type; expecting network type

Then reverse the order of the ACL:

access-list permit_out permit ip object-group proxy_server_services object-group proxy_server
ERROR: specified object group has wrong type; expecting network type

Adding the keyword to these lists produces the same error.

Thanks in advance

As I said, you left out an "any" keyword. Plus, I just noticed you're defining an IP access-list but putting TCP/UDP ports in it; this won't work either. The correct commands will be:

> access-list permit_out permit tcp object-group proxy_server any object-group proxy_server_services
> access-list permit_out permit udp object-group proxy_server any object-group proxy_server_services

If you like, you can also combine the tcp and udp into another object group of type "protocol", so you'll have:

> object-group protocol prots
> protocol-object tcp
> protocol-object udp

then your ACL will be:

> access-list permit_out permit object-group prots object-group proxy_server any object-group proxy_server_services

Object group examples are here:

http://www.cisco.com/warp/public/707/pix_obj_grp.html

O.k., that worked. This is what I did:

I created these two access lists from the object-group commands below:

access-list permit_out permit tcp object-group proxy_server any object-group proxy_tcp_srvc
access-list permit_out permit udp object-group proxy_server any object-group proxy_udp_srvc

object-group network proxy_server
network-object host <proxy_private_ip>

object-group service proxy_tcp_srvc tcp
description TCP Services allowed from the Proxy Server
port-object eq ftp
port-object eq nntp
port-object eq pop3
port-object eq www
port-object eq https
port-object eq domain

object-group service proxy_udp_srvc udp
description UDP Services allowed from the Proxy Server
port-object eq domain

Basically saying (educational purposes)

Allow the following services to exit the firewall from host <proxy_private_ip>:

ftp, dns, pop3, news, web, https (hotmail, yahoo, etc).

Thanks for the help.....
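As an added example (not code from this thread or from Cisco), the consolidation gfullage describes and the tcp/udp split the final post settles on, as a small Python script that parses a flat single-host outbound ACL and emits the equivalent PIX object-group configuration. The sample host address, the group names and the regular expression are assumptions; the script generalizes to any set of ports on one source host.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's flat ACL, with an RFC 5737 documentation
# address standing in for the proxy host (an assumption, not a real host).
FLAT_ACL = """\
access-list permit_out permit tcp host 192.0.2.10 any eq domain
access-list permit_out permit udp host 192.0.2.10 any eq domain
access-list permit_out permit tcp host 192.0.2.10 any eq www
access-list permit_out permit tcp host 192.0.2.10 any eq https
access-list permit_out permit tcp host 192.0.2.10 any eq pop3
access-list permit_out permit tcp host 192.0.2.10 any eq ftp
access-list permit_out permit tcp host 192.0.2.10 any eq nntp
"""
# Only the ACE shape the thread uses: permit <tcp|udp> host <src> any eq <port>.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+permit\s+(?P<proto>tcp|udp)\s+"
    r"host\s+(?P<src>\S+)\s+any\s+eq\s+(?P<port>\S+)$"
)

def consolidate(acl_text, host_group="proxy_server", svc_prefix="proxy"):
    """Rewrite single-host outbound ACEs as PIX object-groups.

    One network group for the source host, one service group per protocol,
    so each ACE keeps tcp/udp (an 'ip' ACE cannot carry port operands, the
    error the thread hit). Returns config lines in apply order.
    """
    ports = defaultdict(list)          # proto -> ports in first-seen order
    acl_names, hosts = set(), set()
    for raw in acl_text.strip().splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {raw!r}")
        acl_names.add(m["acl"])
        hosts.add(m["src"])
        if m["port"] not in ports[m["proto"]]:
            ports[m["proto"]].append(m["port"])
    if len(acl_names) != 1 or len(hosts) != 1:
        raise ValueError("expected exactly one ACL name and one source host")
    (acl,), (host,) = acl_names, hosts
    out = [f"object-group network {host_group}", f" network-object host {host}"]
    for proto in ("tcp", "udp"):       # groups must exist before the ACL uses them
        if ports[proto]:
            out.append(f"object-group service {svc_prefix}_{proto}_srvc {proto}")
            out += [f" port-object eq {p}" for p in ports[proto]]
    for proto in ("tcp", "udp"):
        if ports[proto]:
            out.append(f"access-list {acl} permit {proto} object-group {host_group} "
                       f"any object-group {svc_prefix}_{proto}_srvc")
    return out
```

Feeding it an `ip` ACE, or ACEs for two different source hosts, raises instead of silently producing a config the PIX would reject.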
