December 2008 Archives

Firewall object-groups


For today's lesson, here's a little something about object-groups on Cisco firewalls.

An object-group on a firewall is a way of applying an ACL to a group of IP addresses or networks without having to type them all in each time. Think of an object-group as being a bucket of IPs, and you apply the ACL to the bucket once.

From a 'sh run' from one of my ASA 5505s:
object-group network clients <---- the bucket
network-object host z.z.z.z <--- a single IP in it
network-object x.x.x.0 <---- a network in it
network-object x.x.x.164 <---- another network, etc etc

The object-group must be applied with an ACL. Until that happens, it's just a list of hosts and/or networks.

ciscoasa(config)# access-list acl1 extended permit tcp any object-group clients eq www
ciscoasa(config)# access-list acl1 extended permit tcp any object-group clients eq https

clients is the bucket, and you can see the two entries in acl1 allowing port 80 and 443 access to that entire bucket.

ciscoasa# conf t
ciscoasa(config)# object-group network clients <--- modify the clients object-group
ciscoasa(config-network)# network-object host x.x.x.x <---- Add this IP to the group...
ciscoasa(config-network)# network-object host y.y.y.y <---- ...and add this one too

These things are really handy, especially if you're using them to regulate access to something that can change frequently. Learn them, love them, use them.
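To see what a bucket actually buys you once an ACL references it, here is a small added example (not from the original post, and not Cisco code) that parses a running-config excerpt in the same shape as the one above, expands each access-list entry that names an object-group into concrete source/destination/port rows, and evaluates a packet against the result the way the ASA does: first match wins, with an implicit deny at the end. The sample config and its addresses are constructed for the example; one thing it makes visible is that the ACL only describes policy, and on a real box still has to be bound to an interface with access-group before anything is filtered.

```python
"""Expand Cisco ASA object-groups referenced by access-list entries.

Added example, not code from the original post. It handles the subset of
syntax the post uses ('object-group network', 'network-object host',
'network-object <net> <mask>', 'extended permit/deny ... eq <port>').
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the same shape as the post's 'sh run' excerpt.
SAMPLE_CONFIG = """\
object-group network clients
 network-object host 192.0.2.10
 network-object 198.51.100.0 255.255.255.0
 network-object host 203.0.113.7
access-list acl1 extended permit tcp any object-group clients eq www
access-list acl1 extended permit tcp any object-group clients eq https
access-list acl1 extended deny ip any any
"""

# A few of the port names the ASA accepts in place of numbers.
NAMED_PORTS = {"www": 80, "https": 443, "ssh": 22, "domain": 53}

Net = ipaddress.IPv4Network
Row = Tuple[str, str, str, str, Optional[int]]  # action, proto, src, dst, port

ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|object-group \S+|\S+ \S+) "
    r"(?P<dst>any|host \S+|object-group \S+|\S+ \S+)"
    r"(?: eq (?P<port>\S+))?$"
)


def parse_object_groups(config: str) -> Dict[str, List[Net]]:
    """Return {group_name: [networks]} for every 'object-group network' stanza."""
    groups: Dict[str, List[Net]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r"network-object (?:host (\S+)|(\S+) (\S+))$", line)
        if m and current is not None:
            if m.group(1):  # single host -> /32
                groups[current].append(ipaddress.ip_network(m.group(1) + "/32"))
            else:           # network plus dotted mask
                groups[current].append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
        elif not raw.startswith(" "):
            current = None  # an unindented line ends the stanza
    return groups


def resolve_address(token: str, groups: Dict[str, List[Net]]) -> List[Net]:
    """Turn an ACE address token into the list of networks it stands for."""
    if token == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    kind, _, value = token.partition(" ")
    if kind == "host":
        return [ipaddress.ip_network(value + "/32")]
    if kind == "object-group":
        if value not in groups:
            raise ValueError(f"ACE references undefined object-group {value!r}")
        return groups[value]
    return [ipaddress.ip_network(f"{kind}/{value}")]


def expand_acl(config: str, acl_name: str) -> List[Row]:
    """Flatten one ACL into concrete rows, one per (src, dst) combination."""
    groups = parse_object_groups(config)
    rows: List[Row] = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group("acl") != acl_name:
            continue
        port = m.group("port")
        port_num = None if port is None else NAMED_PORTS.get(port) or int(port)
        for src in resolve_address(m.group("src"), groups):
            for dst in resolve_address(m.group("dst"), groups):
                rows.append((m.group("action"), m.group("proto"), str(src), str(dst), port_num))
    return rows


def acl_decision(rows: List[Row], proto: str, src_ip: str, dst_ip: str, port: int) -> str:
    """First-match evaluation; anything unmatched hits the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, dport in rows:
        if p not in ("ip", proto):
            continue
        if s not in ipaddress.ip_network(src) or d not in ipaddress.ip_network(dst):
            continue
        if dport is not None and dport != port:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    for row in expand_acl(SAMPLE_CONFIG, "acl1"):
        print(row)
    print(acl_decision(expand_acl(SAMPLE_CONFIG, "acl1"), "tcp", "10.0.0.5", "198.51.100.77", 443))
```

Flattening the ACL like this is the quickest way to audit what a bucket grants after someone has added "just one more host" to it, and the undefined-group check catches the case where an ACE references a group that was never created.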

Network Surgery


Once again, the home network is undergoing some restructuring. Fortunately, this should be the last hardware change for the foreseeable future - all the Linksys and Netopia crap is going away and being replaced by Cisco gear.

The Netopia DSL modem and both WAPs are being replaced by a Cisco 1801W with an ADSL WIC. I love having a port labeled 'ADSLoPOTS' on the back of a piece of hardware. The 1801W is being connected to a Cisco 2950 switch, which is being put in place of a Linksys 24-port managed switch. As an aside, Linksys (who somehow got purchased by Cisco a while back) can't make network hardware to save their lives. A brand-new, out-of-the-box switch lasted about three months until we had the nerve to reboot it. It never came back up.

Anyway, we're also trading out iptables and an IP Cop box in favor of an ASA 5505. Since I have another ASA 5505 on my desk at work (as well as a PIX 501, but that's just to play with) I figure I'll set up a split-tunnel site-to-site VPN connection.

Ah Cisco, where would I be without you? Out with a girlfriend, that's where.

But seriously, there's a lot of learning to be done, specifically translating the information I have regarding my DSL connection (the VCI, VPI, etc) into the proper IOS commands. Sadly, this is a one-day weekend for me so I'm kind of pressed for time. I'm working on Christmas Day, so I'm hoping the workload will allow me to do some fiddling.

Le Fail



About this Archive

This page is an archive of entries from December 2008 listed from newest to oldest.