Any network administrator or network engineer is often tasked with auditing access-lists and modifying them according to business requirements that are often quite volatile. With regulatory organizations bearing down and compliance with those regulations becoming more and more difficult, the amount of access-list auditing, modification, and deployment can quickly get out of control. Even with all the regulations to deal with, access-list maintenance doesn't have to be the nightmare many network administrators and network engineers have come to know. This is where object-groups come into play. While they are not new, having been introduced in PIX code 6.2, many veteran engineers have just not caught on, as they are set in their ways.
In the Cisco ASA, an object-group allows you to group hosts, networks, protocols, and services into logical units that you can reference from an access-list; each access-list entry (ACE) that names an object-group applies to every object within that group. Using strong object-group methodologies you can create an access-list that is 100 lines long in your running-config but is several hundred, or even thousands, of lines long once the object-groups are expanded to the full access-list, that is, the access-list as it would appear without the use of object-groups.
Let's start by defining a few different object groups.
Using an object-group of the network type you can group hosts and/or networks into one logical group. Here is an example:
object-group network EMAIL-SERVERS
network-object host 1.2.3.4
network-object 5.0.0.0 255.255.0.0
object-group network INSIDE-SUBNETS
network-object 10.20.0.0 255.255.0.0
network-object 10.30.0.0 255.255.0.0
Using an object-group of the protocol type you can group different protocols into one logical group. Here is an example I occasionally use:
object-group protocol TCP-UDP
protocol-object tcp
protocol-object udp
Using an object-group of the service type you can group different service ports into one logical group of services. Here is a good example:
object-group service EMAIL-SERVICES tcp
port-object eq 25
port-object eq 110
port-object eq 143
port-object eq 465
port-object eq 587
port-object eq 993
port-object eq 995
Now that we have a few object-groups defined we can demonstrate the configuration of a couple of access-lists. Here are a couple of examples:
access-list Outside_access_in extended permit tcp any object-group EMAIL-SERVERS object-group EMAIL-SERVICES
access-list Inside_access_in extended permit object-group TCP-UDP object-group INSIDE-SUBNETS any eq 53
The above configurations demonstrate the way the access-list is defined, which is also the way it will be shown in the running-config and startup-config. Now that you have seen how these access-lists are defined, it is time to see what the expanded view looks like so you can realize the full potential of utilizing object-groups in your access-lists.
#show access-list Outside_access_in
access-list Outside_access_in extended permit tcp any object-group EMAIL-SERVERS object-group EMAIL-SERVICES
access-list Outside_access_in line 1 extended permit tcp any host 1.2.3.4 eq 25
access-list Outside_access_in line 1 extended permit tcp any 5.0.0.0 255.255.0.0 eq 25
access-list Outside_access_in line 1 extended permit tcp any host 1.2.3.4 eq 110
access-list Outside_access_in line 1 extended permit tcp any 5.0.0.0 255.255.0.0 eq 110
access-list Outside_access_in line 1 extended permit tcp any host 1.2.3.4 eq 143
access-list Outside_access_in line 1 extended permit tcp any 5.0.0.0 255.255.0.0 eq 143
access-list Outside_access_in line 1 extended permit tcp any host 1.2.3.4 eq 465
access-list Outside_access_in line 1 extended permit tcp any 5.0.0.0 255.255.0.0 eq 465
access-list Outside_access_in line 1 extended permit tcp any host 1.2.3.4 eq 587
access-list Outside_access_in line 1 extended permit tcp any 5.0.0.0 255.255.0.0 eq 587
access-list Outside_access_in line 1 extended permit tcp any host 1.2.3.4 eq 993
access-list Outside_access_in line 1 extended permit tcp any 5.0.0.0 255.255.0.0 eq 993
access-list Outside_access_in line 1 extended permit tcp any host 1.2.3.4 eq 995
access-list Outside_access_in line 1 extended permit tcp any 5.0.0.0 255.255.0.0 eq 995
#show access-list Inside_access_in
access-list Inside_access_in extended permit object-group TCP-UDP object-group INSIDE-SUBNETS any eq 53
access-list Inside_access_in line 1 extended permit tcp 10.20.0.0 255.255.0.0 any eq 53
access-list Inside_access_in line 1 extended permit udp 10.20.0.0 255.255.0.0 any eq 53
access-list Inside_access_in line 1 extended permit tcp 10.30.0.0 255.255.0.0 any eq 53
access-list Inside_access_in line 1 extended permit udp 10.30.0.0 255.255.0.0 any eq 53
As you can see, object-groups easily allow you to create access-lists that scale with your changing business needs. If we now decide to deploy a new email server, all we have to do is add that host, or subnet, to the appropriate object-group and the rest of the work is performed by the Cisco ASA. The access-list is automatically expanded to include the new hosts, all with one simple addition.
That about sums it up.