Object Grouping
[Figure: object grouping on a 172.16.0.0 network with three Web hosts (.1, .2, .3); the kinds of objects that can be grouped are Services/Protocols, Networks/Hosts and ICMP]
Complete the following steps to create object groups and use them in your configuration:
• Step 1: Use the object-group command to enter the appropriate subcommand mode for the type of group you want to configure.
• Step 2: In subcommand mode, define the members of the object group.
• Step 3: (Optional) Use the description subcommand to describe the object group.
• Step 4: Use the exit or quit command to return to configuration mode.
• Step 5: (Optional) Use the show object-group command to verify that the object group has been configured successfully.
• Step 6: Apply the object group to the access-list command.
• Step 7: (Optional) Use the show access-list command to display the expanded ACL entries.
[Figure: Inside_Eng and Inside_Mktg (10.0.1.0/24) networks behind the firewall, with the Internet and a 192.168.0.0 network on the other side]
firewall(config)#
object-group service obj_grp_id {tcp | udp | tcp-udp}
• Assigns a name to a service group and enables the service subcommand mode
fw1(config)# object-group service Host_Services tcp
fw1(config-service)# port-object eq http
fw1(config-service)# port-object eq https
fw1(config-service)# port-object eq ftp
[Figure: Inside_Eng (10.0.0.0/24) and Inside_Mktg (10.0.1.0/24) behind the firewall, with the Internet and a 192.168.0.0 network on the other side]
firewall(config)#
access-list id [line line-number] [extended] {deny | permit}
{protocol | object-group protocol_obj_grp_id}{host sip | sip mask |
interface ifc_name | object-group network_obj_grp_id | any}{host
dip | dip mask | interface ifc_name | object-group
network_obj_grp_id | any}[log [[level] [interval secs] | disable |
default]][inactive | time-range time_range_name]
[Figure: Inside_Eng (10.0.0.0/24) and Inside_Mktg (10.0.1.0/24) behind the firewall, with the Internet and a 192.168.0.0 network on the other side; Ping Inside_Mktg with the ICMP types Echo and Echo-reply]
firewall(config)#
object-group icmp-type obj_grp_id
• Assigns a name to an ICMP-type group and enables the ICMP-type subcommand mode
fw1(config)# object-group icmp-type PING
fw1(config-icmp)# icmp-object echo
fw1(config-icmp)# icmp-object echo-reply
© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—6-11
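The seven-step procedure worked end to end on a PIX/ASA-style CLI, as an added example that is not part of the course slides. It builds the Inside_Mktg network group and the PING ICMP-type group from this page's diagrams and applies them in a single ACL; the subnet mask, the ACL name MKTG_OUT, the interface name inside and the annotation lines (prefixed with !) are assumptions.

```cisco
! Added example, not from the SNPA course material. Names, mask, ACL name
! and interface name are assumptions; ! lines are annotations, not commands.

! Steps 1 and 2: enter network subcommand mode and define the members
fw1(config)# object-group network Inside_Mktg
fw1(config-network)# network-object 10.0.1.0 255.255.255.0
! Step 3 (optional): describe the group
fw1(config-network)# description Marketing inside subnet
! Step 4: return to configuration mode
fw1(config-network)# exit

! Steps 1 to 4 again for the ICMP-type group (echo and echo-reply only)
fw1(config)# object-group icmp-type PING
fw1(config-icmp)# icmp-object echo
fw1(config-icmp)# icmp-object echo-reply
fw1(config-icmp)# exit

! Step 5 (optional): verify both groups exist with the members you intended
fw1(config)# show object-group

! Step 6: reference the groups from an ACL and bind it to the inside interface.
! An icmp-type group is only valid where the protocol is icmp.
fw1(config)# access-list MKTG_OUT extended permit icmp object-group Inside_Mktg any object-group PING
fw1(config)# access-group MKTG_OUT in interface inside

! Step 7 (optional): display the ACL expanded into its individual entries
fw1(config)# show access-list MKTG_OUT
```

The show access-list output is the check worth doing before the change is considered complete: the one configured line expands to one entry per network member times one entry per ICMP type, so it shows exactly what the appliance will permit rather than what the group names suggest.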
Nested Object Groups
• Group objects: Inside_Eng, Inside_Mktg
• Nested groups: Inside_Networks
• Nested group applied to ACL
[Figure: Internet and a 172.16.0.0 DMZ on one side of the firewall; Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) on the inside, grouped together as Inside_Networks]
Configuring Nested Object Groups
• Groups:
– Inside_Eng
– Inside_Mktg
• Allow inside hosts outbound
– HTTP
– HTTPS
– FTP
[Figure: Internet and DMZ on one side of the firewall; Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) on the inside, grouped together as Inside_Networks]
group-object Command
[Figure: Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) nested into Inside_Networks]
firewall(config-network)#
group-object obj_group_id
[Figure: Internet and a 172.16.0.0 DMZ on one side of the firewall; Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) on the inside, grouped together as Inside_Networks]
• Allow all inside hosts outbound
– HTTP
– HTTPS
– FTP
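The nested group from the preceding slides, as an added example that is not taken from the course material: Inside_Networks is built from Inside_Eng and Inside_Mktg with group-object and referenced once in an ACL together with the Host_Services group shown earlier. Subnet masks, the ACL name OUTBOUND, the interface name inside and the annotation lines (prefixed with !) are assumptions.

```cisco
! Added example, not from the SNPA course material. Masks, ACL name and
! interface name are assumptions; ! lines are annotations, not commands.

! Leaf network groups, one per inside subnet
fw1(config)# object-group network Inside_Eng
fw1(config-network)# network-object 10.0.0.0 255.255.255.0
fw1(config-network)# exit
fw1(config)# object-group network Inside_Mktg
fw1(config-network)# network-object 10.0.1.0 255.255.255.0
fw1(config-network)# exit

! Nested group: its members are other groups, added with group-object
fw1(config)# object-group network Inside_Networks
fw1(config-network)# group-object Inside_Eng
fw1(config-network)# group-object Inside_Mktg
fw1(config-network)# exit

! TCP service group for the three outbound services
fw1(config)# object-group service Host_Services tcp
fw1(config-service)# port-object eq http
fw1(config-service)# port-object eq https
fw1(config-service)# port-object eq ftp
fw1(config-service)# exit

! One ACE permits every inside host outbound to HTTP, HTTPS and FTP
fw1(config)# access-list OUTBOUND extended permit tcp object-group Inside_Networks any object-group Host_Services
fw1(config)# access-group OUTBOUND in interface inside

! Verify: the groups as configured, then the ACL expanded into entries
fw1(config)# show running-config object-group
fw1(config)# show access-list OUTBOUND
```

With two member networks and three ports, the single configured line expands to six individual entries in show access-list, which is what step 7 of the procedure checks. Adding a subnet later means one more network-object in the right leaf group, and every ACE that references Inside_Networks picks it up automatically; the flip side is that a nested group can make one line permit far more than a reviewer expects, so the expanded entry count is the number to check after any group change.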
Multiple Object Groups in ACLs
[Figure: 10.0.0.0 network with hosts .1 through .5]
firewall(config)#
show running-config [all] object-group [protocol | service | network | icmp-type | id obj_grp_id]
• Displays object groups in the configuration
[Figure: lab topology. Pods 1–5 and Pods 6–10 each have a Security Appliance with a 172.16.P.0 / 172.16.Q.0 DMZ (Web/FTP "bastionhost" at .2) and a 10.0.P.0 / 10.0.Q.0 inside network holding an RTS, a CSACS and a Web/FTP server, plus the Student PC (local 10.0.P.11 / 10.0.Q.11). The shared outside network is 172.26.26.0 with a Web/FTP server at .50 and a router at .150.]