© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—8-1 Lesson 8 Object Grouping



Lesson 8

Object Grouping


Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
• Describe the object grouping feature of the PIX Firewall and its advantages.
• Configure object groups.
• Configure nested object groups.
• Use object groups in ACLs.


Overview of Object Grouping


Using Object Groups in ACLs

chicago(config)# access-list acl_out permit tcp any host 192.168.0.10 eq http

chicago(config)# access-list acl_out permit tcp any host 192.168.0.10 eq https

chicago(config)# access-list acl_out permit tcp any host 192.168.0.10 eq ftp

chicago(config)# access-list acl_out permit tcp any host 192.168.0.11 eq http

chicago(config)# access-list acl_out permit tcp any host 192.168.0.11 eq https

chicago(config)# access-list acl_out permit tcp any host 192.168.0.11 eq ftp

chicago(config)# access-list acl_out permit tcp any host 192.168.0.12 eq http

chicago(config)# access-list acl_out permit tcp any host 192.168.0.12 eq https

chicago(config)# access-list acl_out permit tcp any host 192.168.0.12 eq ftp

[Figure: DMZ network 172.16.0.0 with Web servers at .1, .2 and .3 and a Mail server at .4, statically translated to 192.168.0.X on the outside interface toward the Internet.]

chicago(config)# show static
static (dmz,outside) 192.168.0.10 172.16.0.1 netmask 255.255.255.255
static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255
static (dmz,outside) 192.168.0.12 172.16.0.3 netmask 255.255.255.255


Grouping Objects

• Group the services supported, such as DMZ_Services:
  - HTTP
  - HTTPS
  - FTP
• Group hosts/networks, such as DMZ_Servers:
  - 192.168.0.10
  - 192.168.0.11
  - 192.168.0.12
• Apply the group names to the ACL

chicago(config)# access-list outside permit tcp any object-group DMZ_Servers object-group DMZ_Services

chicago(config)# show static
static (dmz,outside) 192.168.0.10 172.16.0.1 netmask 255.255.255.255
static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255
static (dmz,outside) 192.168.0.12 172.16.0.3 netmask 255.255.255.255

[Figure: the same DMZ network 172.16.0.0 (Web servers .1, .2, .3 and Mail server .4) translated to 192.168.0.X toward the Internet; the nine ACEs of the previous slide are now one access-list line.]


Grouping Objects of Similar Types

• Protocols (object group INSIDE_PROTOCOLS):
  – TCP
  – UDP
• Networks/hosts (object group INSIDE_HOSTS):
  – Subnet 10.0.0.0/24
  – 10.0.1.11
  – 10.0.2.11
• Services (object group DMZ_SERVICES):
  – HTTP
  – HTTPS
  – FTP
• ICMP (object group PING):
  – Echo
  – Echo-reply

Without groups, each combination needs its own ACE, for example:

chicago(config)# access-list aclout permit tcp any host 192.168.0.12 eq ftp
chicago(config)# access-list aclout permit icmp any host 192.168.0.12 echo-reply


Getting Started with Object Groups


Configuring and Using Object Groups

Complete the following tasks to create object groups and use them in your configuration:
• Task 1—Use the object-group command to enter the appropriate subcommand mode for the type of group you want to configure.
• Task 2—In subcommand mode, define the members of the object group.
• Task 3—(Optional.) Use the description subcommand to describe the object group.
• Task 4—Use the exit or quit command to return to configuration mode.
• Task 5—(Optional.) Use the show object-group command to verify that the object group has been configured successfully.
• Task 6—Apply the object group to the access-list command.
• Task 7—(Optional.) Use the show access-list command to display the expanded ACL entries.


Configuring Network Object Groups

pixfirewall(config)# object-group network grp_id
• Assigns a name to the group and enables the Network subcommand mode

pixfirewall(config)# object-group network Inside_Eng
pixfirewall(config-network)# network-object host 10.0.0.1
pixfirewall(config-network)# network-object host 10.0.0.2

[Figure: inside networks 10.0.0.0/24 (Inside_Eng) and 10.0.1.0/24 (Inside_Mktg) behind the PIX Firewall; 192.168.0.0 on the outside toward the Internet.]


Configuring Service Object Groups

pixfirewall(config)# object-group service grp_id {tcp | udp | tcp-udp}
• Assigns a name to a Service group and enables the Service subcommand mode

pixfirewall(config)# object-group service Host_Services tcp
pixfirewall(config-service)# port-object eq http
pixfirewall(config-service)# port-object eq https
pixfirewall(config-service)# port-object eq ftp

[Figure: Inside_Eng (10.0.0.0/24) and Inside_Mktg (10.0.1.0/24) inside, a DMZ, and 192.168.0.0 outside toward the Internet; Host_Services groups HTTP, HTTPS and FTP.]


Adding Object Groups to an ACL

pixfirewall(config)# access-list acl_ID line line-num {deny | permit} protocol source_addr source_mask [operator port [port]] destination_addr destination_mask [operator port [port]]

• Permits outbound Engineering HTTP, HTTPS, and FTP traffic

pixfirewall(config)# access-list inside permit tcp object-group Inside_Eng any object-group Host_Services

[Figure: Inside_Eng (10.0.0.0/24) and Inside_Mktg (10.0.1.0/24) inside, a DMZ, and 192.168.0.0 outside toward the Internet; the ACL combines Inside_Eng with Host_Services.]


Configuring Protocol Object Groups

pixfirewall(config)# object-group protocol grp_id
• Assigns a name to a Protocol group and enables the Protocol subcommand mode

pixfirewall(config)# object-group protocol ESP_Protocol
pixfirewall(config-protocol)# protocol-object 50

[Figure: Inside_Eng (10.0.0.0/24) and Inside_Mktg (10.0.1.0/24) inside, a DMZ, and 192.168.0.0 outside toward the Internet; ESP_Protocol contains protocol 50.]


Configuring ICMP-Type Object Groups

pixfirewall(config)# object-group icmp-type grp_id
• Assigns a name to an ICMP-Type group and enables the ICMP-Type subcommand mode

pixfirewall(config)# object-group icmp-type PING
pixfirewall(config-icmp-type)# icmp-object echo
pixfirewall(config-icmp-type)# icmp-object echo-reply

[Figure: Inside_Eng (10.0.0.0/24) and Inside_Mktg (10.0.1.0/24) inside, a DMZ, and 192.168.0.0 outside toward the Internet; PING contains Echo and Echo-reply.]


Nested Object Groups

• Group objects; for example, Inside_Eng, Inside_Mktg.
• Nest groups; for example, Inside_Networks.
• Apply the nested group to the ACL.

[Figure: Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) nested into Inside_Networks; DMZ 172.16.0.0; Internet.]


Configuring Nested Object Groups

Complete the following steps to configure nested object groups:
• Step 1—Create an object group that you want to nest within another object group, such as Inside_Eng.
• Step 2—Add the appropriate type of objects to the object group, such as 10.0.1.0/24.
• Step 3—Assign an identity to the object group within which you want to nest other object groups, such as Inside_Networks.
• Step 4—Add the first object group to the second object group.
• Step 5—Add any other objects that are required to the group, such as Inside_Mktg.


Nested Object Group Example—Object Group Network

• Create an object group for each inside network:
  - Inside_Eng
  - Inside_Mktg
• Allow inside hosts outbound:
  - HTTP
  - HTTPS
  - FTP

[Figure: Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) nested into Inside_Networks; DMZ 172.16.0.0; Internet.]


group-object Command

pixfirewall(config-group-type)# group-object object_group_id
• Nests an object group within another object group

pixfirewall(config)# object-group network Inside_Eng
pixfirewall(config-network)# network-object host 10.0.0.1
pixfirewall(config-network)# network-object host 10.0.0.2
pixfirewall(config-network)# exit
pixfirewall(config)# object-group network Inside_Mktg
pixfirewall(config-network)# network-object host 10.0.1.1
pixfirewall(config-network)# network-object host 10.0.1.2
pixfirewall(config-network)# exit
pixfirewall(config)# object-group network Inside_Networks
pixfirewall(config-network)# group-object Inside_Eng
pixfirewall(config-network)# group-object Inside_Mktg

[Figure: Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) nested in Inside_Networks.]


Nested Object Group Example—Object Group Services

pix1(config)# object-group service Host_Services tcp
pix1(config-service)# port-object eq http
pix1(config-service)# port-object eq https
pix1(config-service)# port-object eq ftp

[Figure: Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) inside, DMZ 172.16.0.0, Internet; Host_Services groups HTTP, HTTPS and FTP.]


Apply Nested Object Group to ACL

pixfirewall(config)# access-list aclin permit tcp object-group Inside_Networks any object-group Host_Services

• Allows all inside hosts outbound:
  - HTTP
  - HTTPS
  - FTP

[Figure: Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) nested into Inside_Networks; DMZ 172.16.0.0; Internet.]


Multiple Object Groups in ACLs

chicago(config)# show object-group
object-group network REMOTES
 network-object host 172.30.0.50
 network-object host 172.30.0.51
object-group network DMZ1
 network-object host 192.168.1.10
 network-object host 192.168.1.12
object-group network DMZ2
 network-object host 192.168.2.10
object-group network ALL_DMZ
 group-object DMZ1
 group-object DMZ2
object-group service BASIC
 port-object eq http
 port-object eq smtp

pixfirewall(config)# access-list aclout permit tcp object-group REMOTES object-group ALL_DMZ object-group BASIC

pixfirewall(config)# show static
static (dmz1,outside) 192.168.1.10 172.16.0.1 netmask 255.255.255.255
static (dmz1,outside) 192.168.1.12 172.16.0.2 netmask 255.255.255.255
static (dmz2,outside) 192.168.2.10 172.16.1.1 netmask 255.255.255.255

[Figure: remote hosts 172.30.0.50 and .51 on the Internet; DMZ1 172.16.0.0 (.1, .2) and DMZ2 172.16.1.0 (.1) translated to 192.168.x.x on the outside (192.168.0.0); inside network 10.0.0.0.]
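To see what the show access-list of Task 7 expands such a line into, here is an added example (not from the course or from Cisco): a small Python expander that parses the object groups above, follows nested group-object references such as ALL_DMZ, and multiplies one access-list line out into its flat ACEs. The group names and addresses are the slide's; the tcp keyword on BASIC is assumed because object-group service requires it.

```python
import itertools, re

# Constructed sample transcribed from the slide's show object-group output (tcp added: object-group service requires it).
SAMPLE_GROUPS = """\
object-group network REMOTES
 network-object host 172.30.0.50
 network-object host 172.30.0.51
object-group network DMZ1
 network-object host 192.168.1.10
 network-object host 192.168.1.12
object-group network DMZ2
 network-object host 192.168.2.10
object-group network ALL_DMZ
 group-object DMZ1
 group-object DMZ2
object-group service BASIC tcp
 port-object eq http
 port-object eq smtp
"""
SAMPLE_ACL = "access-list aclout permit tcp object-group REMOTES object-group ALL_DMZ object-group BASIC"

def parse_groups(config):
    """Group name -> members: 'host 1.2.3.4', 'eq http', or ('group', name)."""
    groups, cur = {}, None
    for words in (line.split() for line in config.splitlines()):
        if words[:1] == ["object-group"]:
            cur = words[2]; groups[cur] = []
        elif cur and words[:1] == ["group-object"]:
            groups[cur].append(("group", words[1]))
        elif cur and words[:1] in (["network-object"], ["port-object"]):
            groups[cur].append(" ".join(words[1:]))
    return groups

def expand_group(groups, name):
    """Flatten nested group-object references; an undefined (misspelled) name raises."""
    if name not in groups:
        raise KeyError(f"object-group {name} is referenced but not defined")
    out = []
    for m in groups[name]:
        out += expand_group(groups, m[1]) if isinstance(m, tuple) else [m]
    return out

def expand_acl(groups, acl_line):
    """Flat ACEs one line stands for (what show access-list lists under it): the product
    of its fields, each an object-group, a two-word literal (host x, eq x) or a single word."""
    name, action, proto, tail = acl_line.split(maxsplit=4)[1:]
    fields = [expand_group(groups, f.split()[1]) if f.startswith("object-group")
              else [f] for f in re.findall(r"object-group \S+|host \S+|eq \S+|\S+", tail)]
    return [f"access-list {name} {action} {proto} {' '.join(c)}"
            for c in itertools.product(*fields)]
```

For the slide's line this yields 2 × 3 × 2 = 12 ACEs from a single configured entry, and a group-object argument that does not match a defined group name is reported rather than silently matching nothing.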


Displaying Configured Object Groups

pixfirewall(config)# show object-group [protocol | service | icmp-type | network]
• Displays object groups in the configuration

pixfirewall# show object-group
object-group network DMZ1
 network-object host 192.168.1.10
 network-object host 192.168.1.12
object-group network DMZ2
 network-object host 192.168.2.10
object-group network ALL_DMZ
 group-object DMZ1
 group-object DMZ2


Removing Configured Object Groups

pixfirewall(config)# no object-group service grp_id tcp | udp | tcp-udp
• Removes a specific service object group

pixfirewall(config)# no object-group protocol | network | icmp-type grp_id
• Removes a specific protocol, network, or icmp-type object group

pixfirewall(config)# clear object-group [protocol | service | icmp-type | network]
• Removes all object groups or all object groups of a specific type

pixfirewall(config)# no object-group network ALL_DMZ
pixfirewall(config)# clear object-group protocol


Summary

• You can group network objects, services, protocols, and ICMP message types to reduce the number of ACEs required to implement your security policy.

• The main object grouping command, the object-group command, names your object group and enables a subcommand mode for the type of object you specify.

• Members of an object group are defined in its subcommand mode.

• Hierarchical object grouping enables greater flexibility and modularity for specifying entries within ACLs.


Lab Exercise


Lab Visual Objective

[Figure: lab topology for pods 1–5 (P) and 6–10 (Q). Each pod has a Student PC (local address 10.0.P.11 or 10.0.Q.11) on inside network 10.0.P.0 or 10.0.Q.0 behind a PIX Firewall, a Web/FTP CSACS server, a DMZ 172.16.P.0 or 172.16.Q.0 with a "bastionhost" Web/FTP server, and an outside network 192.168.P.0 or 192.168.Q.0 with router RTS (.100). The pods connect through RBB to 172.26.26.0, which hosts a Web/FTP server (.50, .150).]