For today's lesson, here's a little something about object-groups on Cisco firewalls.
An object-group on a firewall is a way of applying an ACL to a group of IP addresses or networks without having to type them all in each time. Think of an object-group as being a bucket of IPs, and you apply the ACL to the bucket once.
From a 'sh run' from one of my ASA 5505s:
object-group network clients <---- the bucket
network-object host z.z.z.z <--- a single IP in it
network-object x.x.x.0 255.255.255.254 <---- a network in it
network-object x.x.x.164 255.255.255.254 <---- another network, etc etc
The object-group must be applied with an ACL. Until that happens, it's just a list of hosts and/or networks.
ciscoasa(config)# access-list acl1 extended permit tcp any object-group clients eq www
ciscoasa(config)# access-list acl1 extended permit tcp any object-group clients eq https
clients is the bucket, and you can see the two entries in acl1 allowing port 80 (www) and 443 (https) access to that entire bucket.
ciscoasa# conf t
ciscoasa(config)# object-group network clients <--- modify the clients object-group
ciscoasa(config-network)# network-object host x.x.x.x <---- Add this IP to the group...
ciscoasa(config-network)# network-object host y.y.y.y <---- ...and add this one too
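As an added example (not from the original post), here is a small Python script that parses a 'sh run' fragment in the format shown above, expands each object-group reference in the access-list into one rule per network in the bucket, and answers the audit question "which ports is this address actually allowed to reach?". The addresses in the sample config are constructed placeholders, not the author's.

```python
import ipaddress
import re

# Constructed sample in the style of the post's 'sh run' (placeholder addresses).
SAMPLE_CONFIG = """\
object-group network clients
 network-object host 203.0.113.10
 network-object 198.51.100.0 255.255.255.254
 network-object 198.51.100.164 255.255.255.254
access-list acl1 extended permit tcp any object-group clients eq www
access-list acl1 extended permit tcp any object-group clients eq https
"""

def parse_object_groups(config):
    """Return {group_name: [IPv4Network, ...]} for every 'object-group network'."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"\s*network-object host (\S+)", line)   # single IP -> /32
        if m and current is not None:
            current.append(ipaddress.ip_network(m.group(1)))
            continue
        m = re.match(r"\s*network-object (\S+) (\S+)", line)  # address + dotted mask
        if m and current is not None:
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
            continue
        if not line.startswith(" "):   # any other top-level command ends the group
            current = None
    return groups

ACE = re.compile(r"\s*access-list (\S+) extended (permit|deny) (\S+) (\S+) object-group (\S+) eq (\S+)")

def expand_acl(config, groups):
    """Expand each ACE that references a group into (acl, action, proto, src, dst_net, port)."""
    rules = []
    for line in config.splitlines():
        m = ACE.match(line)
        if m:
            acl, action, proto, src, grp, port = m.groups()
            for net in groups.get(grp, []):
                rules.append((acl, action, proto, src, str(net), port))
    return rules

def permitted_ports(rules, ip):
    """Sorted ports an address may reach, i.e. what the bucket really grants it."""
    addr = ipaddress.ip_address(ip)
    return sorted({port for _, action, _, _, net, port in rules
                   if action == "permit" and addr in ipaddress.ip_network(net)})
```

Running the audit on a real 'sh run' shows quickly whether a /31 or a stale host entry grants more than intended.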
These things are really handy, especially if you're using them to regulate access to something that can change frequently. Learn them, love them, use them.