Firewall object-groups


For today's lesson, here's a little something about object-groups on Cisco firewalls.

An object-group on an ASA is a named collection of hosts and/or networks that an ACL can reference instead of listing every address in every entry. Think of an object-group as a bucket of IPs: the ACL names the bucket once, and every address in the bucket is subject to that rule.

From a 'sh run' from one of my ASA 5505s:
object-group network clients <---- the bucket
network-object host z.z.z.z <--- a single IP in it
network-object x.x.x.0 255.255.255.254 <---- a network in it
network-object x.x.x.164 255.255.255.254 <---- another network, etc etc

An object-group does nothing on its own. It only takes effect once an ACL references it (and that ACL is bound to an interface). Until then it's just a list of hosts and/or networks.

ciscoasa(config)# access-list acl1 extended permit tcp any object-group clients eq www
ciscoasa(config)# access-list acl1 extended permit tcp any object-group clients eq https

clients is the bucket, and those two lines are two entries (ACEs) in the single ACL acl1, allowing TCP port 80 and 443 to every address in that bucket. The ACL itself only filters traffic once it is bound to an interface, e.g. access-group acl1 in interface outside.

ciscoasa# conf t
ciscoasa(config)# object-group network clients <--- modify the clients object-group
ciscoasa(config-network)# network-object host x.x.x.x <---- Add this IP to the group...
ciscoasa(config-network)# network-object host y.y.y.y <---- ...and add this one too

These things are really handy, especially when the set of hosts allowed to reach something changes frequently: you edit the bucket, not every ACE that mentions it. The flip side is that adding a host to the bucket grants it everything every ACE referencing that group permits, so check where a group is used (sh run | include clients) before you extend it. Learn them, love them, use them.
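To make the bucket behaviour concrete, here is an added example (not from the original post, and not an ASA tool) that parses a constructed 'show run' excerpt, resolves object-group references into the individual networks, and evaluates an ACL the way the ASA does: top to bottom, first match wins, implicit deny at the end. The addresses are made-up RFC 5737 documentation ranges, and the function names, the small port-name table and the limited ACE grammar (any / host / object-group sources and destinations, optional eq port) are assumptions of the example rather than anything the post states. Adding a host to the group, as the post does with conf t, is modelled by add_host_to_group, and the lookups show that the new host is immediately permitted on every ACE that names the group.

```python
import ipaddress
import re
from collections import OrderedDict

# Constructed sample config excerpt (not the author's real 'sh run'); the
# 198.51.100.x entries are /31 networks like the 255.255.255.254 masks in the post.
SAMPLE_RUN = """\
object-group network clients
 network-object host 192.0.2.10
 network-object 198.51.100.0 255.255.255.254
 network-object 198.51.100.164 255.255.255.254
access-list acl1 extended permit tcp any object-group clients eq www
access-list acl1 extended permit tcp any object-group clients eq https
access-list acl1 extended deny ip any any
"""

# Assumed subset of ASA port keywords, enough for the example.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}

# Assumed ACE grammar: only any / host X / object-group X endpoints and an
# optional destination 'eq <port>'; real ASA ACEs allow much more.
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|object-group \S+|host \S+) (?P<dst>any|object-group \S+|host \S+)"
    r"(?: eq (?P<port>\S+))?"
)


def parse_object_groups(config):
    """Return {group name: [ip_network, ...]} for every 'object-group network' block."""
    groups = OrderedDict()
    current = None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        if not line.startswith(" "):
            current = None          # any unindented line ends the block
            continue
        if current is None:
            continue
        m = re.match(r"\s+network-object host (\S+)", line)   # 'host' form first
        if m:
            current.append(ipaddress.ip_network(m.group(1)))
            continue
        m = re.match(r"\s+network-object (\S+) (\S+)", line)   # address + mask form
        if m:
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return groups


def expand_endpoint(token, groups):
    """Turn an ACE endpoint token into the list of networks it covers."""
    if token == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    kind, name = token.split(" ", 1)
    if kind == "host":
        return [ipaddress.ip_network(name)]
    if name not in groups:
        raise KeyError(f"ACE references undefined object-group {name!r}")
    return list(groups[name])        # kind == "object-group"


def expand_acl(config, acl_name):
    """Flatten acl_name into (action, proto, src_net, dst_net, port) tuples in
    ACE order, with every object-group reference replaced by its members."""
    groups = parse_object_groups(config)
    rules = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if not m or m["acl"] != acl_name:
            continue
        for src in expand_endpoint(m["src"], groups):
            for dst in expand_endpoint(m["dst"], groups):
                rules.append((m["action"], m["proto"], src, dst, m["port"]))
    return rules


def port_number(token):
    return PORT_NAMES.get(token) or int(token)


def lookup(config, acl_name, proto, src_ip, dst_ip, port=None):
    """First-match evaluation like the ASA: action of the first matching expanded
    rule, or 'deny' from the implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, rsrc, rdst, rport in expand_acl(config, acl_name):
        if rproto not in ("ip", proto):
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and port_number(rport) != port:
            continue
        return action
    return "deny"


def add_host_to_group(config, group, ip):
    """Mimic 'object-group network <group>' / 'network-object host <ip>' by
    appending the host to the end of that group's block in the config text."""
    lines = config.splitlines()
    header = f"object-group network {group}"
    if header not in lines:
        raise KeyError(f"no such object-group {group!r}")
    i = lines.index(header) + 1
    while i < len(lines) and lines[i].startswith(" "):
        i += 1
    lines.insert(i, f" network-object host {ip}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for rule in expand_acl(SAMPLE_RUN, "acl1"):
        print(rule)
    print(lookup(SAMPLE_RUN, "acl1", "tcp", "203.0.113.5", "192.0.2.99", 443))   # deny
    grown = add_host_to_group(SAMPLE_RUN, "clients", "192.0.2.99")
    print(lookup(grown, "acl1", "tcp", "203.0.113.5", "192.0.2.99", 443))        # permit
```

Running expand_acl on the sample shows the two ACEs fan out into six concrete rules (three members times two ports) plus the explicit deny; after add_host_to_group that becomes nine, and the new host is permitted on both 80 and 443 without any ACE having been touched. Printing the expanded list before changing a group is a cheap way to see exactly what a bucket edit will open up.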

About this Entry

This page contains a single entry by Philip Ratzsch published on December 27, 2008 7:22 PM.
