
Lesson 6

Object Grouping

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—6-1


Overview of Object Grouping


Using Object Groups in ACLs

[Diagram: Internet reaches the DMZ through the firewall; the DMZ network 172.16.0.0 holds three web servers at .1, .2 and .3, presented to the outside as 192.168.0.X.]

fw1(config)# show run static
static (dmz,outside) 192.168.0.10 172.16.0.1 netmask 255.255.255.255
static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255
static (dmz,outside) 192.168.0.12 172.16.0.3 netmask 255.255.255.255

Without object groups, every server and service pair needs its own ACE, so three servers offering three services take nine entries:

fw1(config)# access-list acl_out permit tcp any host 192.168.0.10 eq http
fw1(config)# access-list acl_out permit tcp any host 192.168.0.10 eq https
fw1(config)# access-list acl_out permit tcp any host 192.168.0.10 eq ftp
fw1(config)# access-list acl_out permit tcp any host 192.168.0.11 eq http
fw1(config)# access-list acl_out permit tcp any host 192.168.0.11 eq https
fw1(config)# access-list acl_out permit tcp any host 192.168.0.11 eq ftp
fw1(config)# access-list acl_out permit tcp any host 192.168.0.12 eq http
fw1(config)# access-list acl_out permit tcp any host 192.168.0.12 eq https
fw1(config)# access-list acl_out permit tcp any host 192.168.0.12 eq ftp


Grouping Objects

[Diagram: same topology as the previous slide, Internet to DMZ 172.16.0.0 with web servers .1, .2 and .3 presented as 192.168.0.X.]

fw1(config)# show run static
static (dmz,outside) 192.168.0.10 172.16.0.1 netmask 255.255.255.255
static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255
static (dmz,outside) 192.168.0.12 172.16.0.3 netmask 255.255.255.255

• Service groups, such as DMZ_Services
  – HTTP
  – HTTPS
  – FTP
• Host and network groups, such as DMZ_Servers
  – 192.168.0.10
  – 192.168.0.11
  – 192.168.0.12
• Group names applied to the ACL, so the nine ACEs above collapse into one line:

fw1(config)# access-list outside permit tcp any object-group DMZ_Servers object-group DMZ_Services


Grouping Objects of Similar Types

• Protocols (for example, INSIDE_PROTOCOLS)
  – TCP
  – UDP
• Networks and hosts (for example, INSIDE_HOSTS)
  – Subnet 10.0.0.0/24
  – 10.0.1.11
  – 10.0.2.11
• Services (for example, DMZ_SERVICES)
  – HTTP
  – HTTPS
  – FTP
• ICMP (for example, PING)
  – Echo
  – Echo-reply

Each group type stands in for one field of an ACE. In the first entry below, tcp is the protocol field, any and host 192.168.0.12 are the network/host fields, and eq ftp is the service field; in the second, echo-reply is the ICMP message-type field.

firewall(config)# access-list aclout permit tcp any host 192.168.0.12 eq ftp
firewall(config)# access-list aclout permit icmp any host 192.168.0.12 echo-reply


Getting Started with Object Groups


Configuring and Using Object Groups

Complete the following steps to create object groups and use them in your configuration:
• Step 1: Use the object-group command to enter the appropriate subcommand mode for the type of group you want to configure.
• Step 2: In subcommand mode, define the members of the object group.
• Step 3: (Optional) Use the description subcommand to describe the object group.
• Step 4: Use the exit or quit command to return to configuration mode.
• Step 5: (Optional) Use the show object-group command to verify that the object group has been configured successfully.
• Step 6: Apply the object group to the access-list command.
• Step 7: (Optional) Use the show access-list command to display the expanded ACL entries.


Configuring Network Object Groups

[Diagram: inside networks Inside_Eng 10.0.0.0/24 and Inside_Mktg 10.0.1.0/24 behind the firewall, 192.168.0.0 on the outside, then the Internet.]

firewall(config)#
object-group {protocol | network | icmp-type} obj_grp_id
• Assigns a name to the group and enables the subcommand mode for that type (network subcommand mode for the network keyword)

fw1(config)# object-group network Inside_Eng
fw1(config-network)# network-object host 10.0.0.1
fw1(config-network)# network-object host 10.0.0.2
Configuring Service Object Groups

[Diagram: same inside topology; the Host_Services group contains HTTP, HTTPS and FTP.]

firewall(config)#
object-group service obj_grp_id {tcp | udp | tcp-udp}
• Assigns a name to a service group and enables the service subcommand mode

fw1(config)# object-group service Host_Services tcp
fw1(config-service)# port-object eq http
fw1(config-service)# port-object eq https
fw1(config-service)# port-object eq ftp


Adding Object Groups to an ACL

[Diagram: Inside_Eng 10.0.0.0/24 combined with Host_Services in the ACL on the inside interface; Inside_Mktg 10.0.1.0/24, 192.168.0.0 outside, Internet.]

firewall(config)#
access-list id [line line-number] [extended] {deny | permit}
  {protocol | object-group protocol_obj_grp_id}
  {host sip | sip mask | interface ifc_name | object-group network_obj_grp_id | any}
  {host dip | dip mask | interface ifc_name | object-group network_obj_grp_id | any}
  [log [[level] [interval secs] | disable | default]]
  [inactive | time-range time_range_name]
• Permits outbound engineering HTTP, HTTPS, and FTP traffic

fw1(config)# access-list inside permit tcp object-group Inside_Eng any object-group Host_Services
Configuring ICMP-Type Object Groups

[Diagram: same inside topology; the Ping group contains Echo and Echo-reply.]

firewall(config)#
object-group icmp-type obj_grp_id
• Assigns a name to an ICMP-type group and enables the ICMP-type subcommand mode

fw1(config)# object-group icmp-type PING
fw1(config-icmp)# icmp-object echo
fw1(config-icmp)# icmp-object echo-reply


Nested Object Groups


Nested Object Groups

[Diagram: Internet, DMZ 172.16.0.0, and the inside networks Inside_Eng 10.0.0.0 and Inside_Mktg 10.0.1.0 combined into Inside_Networks.]

• Group objects: Inside_Eng, Inside_Mktg
• Nested groups: Inside_Networks
• Nested group applied to the ACL
Configuring Nested Object Groups

Complete the following steps to configure nested object groups:
• Step 1: Create an object group, such as Inside_Eng, that you want to nest within another object group.
• Step 2: Add the appropriate type of objects to the object group, such as 10.0.1.0/24.
• Step 3: Assign an identity, such as Inside_Networks, to the object group within which you want to nest other object groups.
• Step 4: Add the first object group to the second object group.
• Step 5: Add any other objects to the group that are required, such as Inside_Mktg.


Nested Object Group Example: Object Group Network

[Diagram: Internet, DMZ 172.16.0.0, Inside_Eng 10.0.0.0 and Inside_Mktg 10.0.1.0 nested in Inside_Networks.]

• Create object groups
  – Inside_Eng
  – Inside_Mktg
• Allow inside hosts outbound
  – HTTP
  – HTTPS
  – FTP
group-object Command

[Diagram: Inside_Eng 10.0.0.0 and Inside_Mktg 10.0.1.0 nested in Inside_Networks.]

firewall(config-network)#
group-object obj_group_id
• Nests an object group within another object group

fw1(config)# object-group network Inside_Eng
fw1(config-network)# network-object host 10.0.0.1
fw1(config-network)# network-object host 10.0.0.2
fw1(config-network)# exit
fw1(config)# object-group network Inside_Mktg
fw1(config-network)# network-object host 10.0.1.1
fw1(config-network)# network-object host 10.0.1.2
fw1(config-network)# exit
fw1(config)# object-group network Inside_Networks
fw1(config-network)# group-object Inside_Eng
fw1(config-network)# group-object Inside_Mktg
Nested Object Group Example: Object Group Services

[Diagram: Internet, DMZ 172.16.0.0, Inside_Eng 10.0.0.0 and Inside_Mktg 10.0.1.0; the Host_Services group contains HTTP, HTTPS and FTP.]

fw1(config)# object-group service Host_Services tcp
fw1(config-service)# port-object eq http
fw1(config-service)# port-object eq https
fw1(config-service)# port-object eq ftp


Apply Nested Object Group to ACL

[Diagram: Internet, DMZ 172.16.0.0, Inside_Eng 10.0.0.0 and Inside_Mktg 10.0.1.0 nested in Inside_Networks.]

• Allow all inside hosts outbound
  – HTTP
  – HTTPS
  – FTP

fw1(config)# access-list aclin permit tcp object-group Inside_Networks any object-group Host_Services
Multiple Object Groups in ACLs

[Diagram: remote hosts 172.30.0.50 and .51 on the Internet; DMZ1 172.16.0.0 (hosts .1 and .2) presented as 192.168.1.x and DMZ2 172.16.1.0 (host .1) presented as 192.168.2.x behind the 192.168.0.0 outside network; inside network 10.0.0.0 with hosts .1 to .5.]

fw1(config)# show run static
static (dmz1,outside) 192.168.1.10 172.16.0.1 netmask 255.255.255.255
static (dmz1,outside) 192.168.1.12 172.16.0.2 netmask 255.255.255.255
static (dmz2,outside) 192.168.2.10 172.16.1.1 netmask 255.255.255.255

fw1(config)# show run object-group
object-group network REMOTES
 network-object host 172.30.0.50
 network-object host 172.30.0.51
object-group network DMZ1
 network-object host 192.168.1.10
 network-object host 192.168.1.12
object-group network DMZ2
 network-object host 192.168.2.10
object-group network ALL_DMZ
 group-object DMZ1
 group-object DMZ2
object-group service BASIC tcp
 port-object eq http
 port-object eq smtp

fw1(config)# access-list aclout permit tcp object-group REMOTES object-group ALL_DMZ object-group BASIC


Displaying Configured Object Groups

firewall(config)#
show running-config [all] object-group [protocol | service | network | icmp-type | id obj_grp_id]
• Displays object groups in the configuration

fw1# show run object-group
object-group network DMZ1
 network-object host 192.168.1.10
 network-object host 192.168.1.12
object-group network DMZ2
 network-object host 192.168.2.10
object-group network ALL_DMZ
 group-object DMZ1
 group-object DMZ2


Removing Configured Object Groups

firewall(config)#
no object-group service obj_grp_id {tcp | udp | tcp-udp}
• Removes a specific service object group

firewall(config)#
no object-group {protocol | network | icmp-type} obj_grp_id
• Removes a specific protocol, network, or ICMP-type object group

firewall(config)#
clear configure object-group [{protocol | service | icmp-type | network}]
• Removes all object groups or all object groups of a specific type

A group that is still referenced by an access list or by another group cannot be removed; change or delete the referencing entry first.

fw1(config)# no object-group network ALL_DMZ
fw1(config)# clear config object-group protocol
Summary

• You can group network objects, services, protocols, and ICMP message types to reduce the number of ACEs required to implement your security policy.
• The main object grouping command, the object-group command, names your object group and enables a subcommand mode for the type of object you specify.
• Members of an object group are defined in its subcommand mode.
• Hierarchical, or nested, object grouping enables greater flexibility and modularity for specifying entries within ACLs.


Lab Visual Objective

[Diagram: lab topology for Pods 1–5 (P) and Pods 6–10 (Q). Each pod's Security Appliance connects an outside network 192.168.P.0 (or 192.168.Q.0), a DMZ 172.16.P.0 (or 172.16.Q.0) with a Web/FTP "bastionhost", and an inside network 10.0.P.0 (or 10.0.Q.0) holding RTS, CSACS and a Student PC with local Web/FTP at 10.0.P.11 (or 10.0.Q.11). The outside networks reach the shared 172.26.26.0 network, which hosts a Web/FTP server, through the RBB router.]