Cisco Support Community
Question on PIX firewall object-group functionality for access-lists summar

Is the following configuration allowed, so that I can greatly simplify the access-lists in my PIX firewall?

access-list acl_outside permit udp 203.210.0.64 255.255.255.192 203.92.151.0 255.255.255.128 eq 3386

access-list acl_outside permit udp 203.210.0.64 255.255.255.192 203.92.151.128 255.255.255.224 eq 3386

access-list acl_outside permit udp 203.210.0.64 255.255.255.192 203.92.151.0 255.255.255.128 eq 2123

access-list acl_outside permit udp 203.210.0.64 255.255.255.192 203.92.151.128 255.255.255.224 eq 2123

access-list acl_outside permit udp 203.210.0.64 255.255.255.192 203.92.151.0 255.255.255.128 eq 2152

access-list acl_outside permit udp 203.210.0.64 255.255.255.192 203.92.151.128 255.255.255.224 eq 2152

access-list acl_outside permit udp 203.155.94.0 255.255.255.128 203.92.151.0 255.255.255.128 eq 3386

access-list acl_outside permit udp 203.155.94.0 255.255.255.128 203.92.151.128 255.255.255.224 eq 3386

access-list acl_outside permit udp 203.155.94.0 255.255.255.128 203.92.151.0 255.255.255.128 eq 2123

access-list acl_outside permit udp 203.155.94.0 255.255.255.128 203.92.151.128 255.255.255.224 eq 2123

access-list acl_outside permit udp 203.155.94.0 255.255.255.128 203.92.151.0 255.255.255.128 eq 2152

access-list acl_outside permit udp 203.155.94.0 255.255.255.128 203.92.151.128 255.255.255.224 eq 2152

Step 1: Apply network object-group

access-list acl_outside permit udp object-group GRX_RP_Gn KPG Gn,p eq 3386

access-list acl_outside permit udp object-group GRX_RP_Gn KPG Gn,s eq 3386

access-list acl_outside permit udp object-group GRX_RP_Gn KPG Gn,p eq 2123

access-list acl_outside permit udp object-group GRX_RP_Gn KPG Gn,s eq 2123

access-list acl_outside permit udp object-group GRX_RP_Gn KPG Gn,p eq 2152

access-list acl_outside permit udp object-group GRX_RP_Gn KPG Gn,s eq 2152

Step 2: Re-order the lines (logical re-arrangement only, no change in meaning)

access-list acl_outside permit udp object-group GRX_RP_Gn KPG Gn,p eq 3386

access-list acl_outside permit udp object-group GRX_RP_Gn KPG Gn,p eq 2123

access-list acl_outside permit udp object-group GRX_RP_Gn KPG Gn,p eq 2152

access-list acl_outside permit udp object-group GRX_RP_Gn KPG Gn,s eq 3386

access-list acl_outside permit udp object-group GRX_RP_Gn KPG Gn,s eq 2123

access-list acl_outside permit udp object-group GRX_RP_Gn KPG Gn,s eq 2152

Step 3: Apply service object-group

access-list acl_outside permit udp object-group GRX_RP_Gn KPG Gn,p eq object-group GRX_RP-GTP

access-list acl_outside permit udp object-group GRX_RP_Gn KPG Gn,s eq object-group GRX_RP-GTP

where:

1) KPG Gn,p = 203.92.151.0 255.255.255.128

& KPG Gn,s = 203.92.151.128 255.255.255.224

2) object-group network GRX_RP_Gn

network-object 203.210.0.64 255.255.255.192

network-object 203.155.94.0 255.255.255.128

3) object-group service GRX_RP-GTP tcp

port-object eq 3386

port-object eq 2123

port-object eq 2152


Re: Question on PIX firewall object-group functionality for acce

Hi,

Your object-group service GRX_RP-GTP is based on tcp, but your access-list is for udp. And if you use an object-group for the ports in an access-list, I think you don't have to use the 'eq' keyword.

And one suggestion: you can also make a network object-group for your KPG networks; it gives you a one-line access-list.

So you can write:

access-list acl_outside permit udp object-group GRX_RP_Gn object-group KPG object-group GRX_RP-GTP

hope this helps
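The three-step collapse in the question and the one-line form in the reply both rest on one claim: the object-group version permits exactly the same traffic as the original twelve lines, nothing more and nothing less. The following script is an added example (not from the original post, and not Cisco code) that checks that claim offline. It expands both the flat access-list and the object-group access-list into individual (acl, action, protocol, source, destination, port) entries and compares the two sets, so any widening or omission shows up as a difference. It also rejects the two mistakes the reply points out: an 'eq' keyword in front of a service object-group, and a service object-group whose protocol (tcp) does not match the access-list entry (udp). The object-group contents, the GRX_RP_Gn/KPG/GRX_RP-GTP names and the twelve flat lines are copied from the thread; the function names and the tiny PIX-syntax parser are this example's own assumptions and cover only the `permit <proto> <src> <dst> eq N` and `object-group` forms used here.

```python
"""Check that a PIX access-list rewritten with object-groups permits exactly the
same traffic as the original flat list, by expanding both to individual entries.

Added example for this thread, not Cisco code. Object-group contents come from
the thread, with the service group fixed to udp as the reply points out.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Object-group definitions (constructed from the thread). A group named in an
# access-list line but not defined here is a configuration error (KeyError).
NETWORK_GROUPS: Dict[str, List[str]] = {
    "GRX_RP_Gn": ["203.210.0.64 255.255.255.192", "203.155.94.0 255.255.255.128"],
    "KPG": ["203.92.151.0 255.255.255.128", "203.92.151.128 255.255.255.224"],
}
# A PIX service group carries its protocol: 'object-group service NAME udp'.
SERVICE_GROUPS: Dict[str, Tuple[str, List[int]]] = {
    "GRX_RP-GTP": ("udp", [3386, 2123, 2152]),
}

# One fully expanded access-control entry.
ACE = Tuple[str, str, str, str, str, int]  # acl, action, proto, src, dst, port


def _norm(net_mask: str) -> str:
    """'203.210.0.64 255.255.255.192' -> '203.210.0.64/26' (canonical CIDR)."""
    net, mask = net_mask.split()
    return str(ipaddress.ip_network(f"{net}/{mask}", strict=False))


def _endpoint(tokens: List[str], i: int) -> Tuple[List[str], int]:
    """Consume a source or destination at tokens[i]; return (networks, next index)."""
    tok = tokens[i]
    if tok == "object-group":
        return NETWORK_GROUPS[tokens[i + 1]], i + 2
    if tok == "host":
        return [f"{tokens[i + 1]} 255.255.255.255"], i + 2
    if tok == "any":
        return ["0.0.0.0 0.0.0.0"], i + 1
    return [f"{tok} {tokens[i + 1]}"], i + 2          # 'A.B.C.D M.M.M.M'


def expand_ace(line: str) -> Set[ACE]:
    """Expand one access-list line (flat or object-group form) into ACE tuples."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    acl, action, proto = t[1], t[2], t[3]
    srcs, i = _endpoint(t, 4)
    dsts, i = _endpoint(t, i)
    if i >= len(t):
        raise ValueError(f"missing port specification: {line!r}")
    if t[i] == "eq":
        if t[i + 1] == "object-group":
            # Mistake flagged in the reply: no 'eq' before a service object-group.
            raise ValueError(f"'eq' must not precede object-group: {line!r}")
        ports = [int(t[i + 1])]
    elif t[i] == "object-group":
        grp_proto, ports = SERVICE_GROUPS[t[i + 1]]
        if grp_proto != proto:
            # Other mistake flagged in the reply: tcp service group on a udp entry.
            raise ValueError(f"service group {t[i + 1]} is {grp_proto}, entry is {proto}")
    else:
        raise ValueError(f"unsupported port specification: {line!r}")
    return {(acl, action, proto, _norm(s), _norm(d), p)
            for s in srcs for d in dsts for p in ports}


def expand_acl(lines: List[str]) -> Set[ACE]:
    """Expand a whole access-list; blank lines are ignored."""
    result: Set[ACE] = set()
    for line in lines:
        if line.strip():
            result |= expand_ace(line)
    return result


def acl_diff(original: List[str], rewritten: List[str]) -> Tuple[Set[ACE], Set[ACE]]:
    """Return (entries only in original, entries only in rewritten).
    Both sets empty means the two access-lists permit the same traffic."""
    a, b = expand_acl(original), expand_acl(rewritten)
    return a - b, b - a


# The twelve flat lines from the question (constructed copy, same content).
FLAT_ACL = [
    f"access-list acl_outside permit udp {src} {dst} eq {port}"
    for src in ("203.210.0.64 255.255.255.192", "203.155.94.0 255.255.255.128")
    for dst in ("203.92.151.0 255.255.255.128", "203.92.151.128 255.255.255.224")
    for port in (3386, 2123, 2152)
]
# The one-line form from the reply.
GROUPED_ACL = [
    "access-list acl_outside permit udp object-group GRX_RP_Gn "
    "object-group KPG object-group GRX_RP-GTP",
]

if __name__ == "__main__":
    missing, extra = acl_diff(FLAT_ACL, GROUPED_ACL)
    print("equivalent" if not (missing or extra) else f"missing={missing}\nextra={extra}")
```

Because every entry here is a permit, comparing the expanded sets is enough; in an access-list that mixes permit and deny entries the position of each line also matters, so a rewrite there must additionally preserve the relative order of overlapping entries, which this set comparison does not check.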


Re: Question on PIX firewall object-group functionality for acce

Thanks !
