© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—8-1 Lesson 8 Object Grouping.

CSPFA 3.2—8-2 Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
- Describe the object grouping feature of the PIX Firewall and its advantages.
- Configure object groups.
- Configure nested object groups.
- Use object groups in ACLs.

CSPFA 3.2—8-4 Overview of Object Grouping

CSPFA 3.2—8-5 Using Object Groups in ACLs

Without object groups, the ACL needs one ACE for every host and service pair. Three DMZ servers that each accept HTTP, HTTPS and FTP from the Internet take nine entries, and every additional server or service multiplies the list again (the server addresses are not shown):

    chicago(config)# access-list acl_out permit tcp any host eq http
    chicago(config)# access-list acl_out permit tcp any host eq https
    chicago(config)# access-list acl_out permit tcp any host eq ftp
    chicago(config)# access-list acl_out permit tcp any host eq http
    chicago(config)# access-list acl_out permit tcp any host eq https
    chicago(config)# access-list acl_out permit tcp any host eq ftp
    chicago(config)# access-list acl_out permit tcp any host eq http
    chicago(config)# access-list acl_out permit tcp any host eq https
    chicago(config)# access-list acl_out permit tcp any host eq ftp

    chicago(config)# show static
    static(dmz,outside) netmask
    static(dmz,outside) netmask
    static(dmz,outside) netmask

[Figure: DMZ segment with Web, Mail and a third server behind the PIX; Internet on the outside interface]

CSPFA 3.2—8-6 Grouping Objects

With object groups the same policy becomes a single ACE:
- Group the services offered, for example DMZ_Services: HTTP, HTTPS, FTP.
- Group the hosts or networks, for example DMZ_Servers.
- Apply the group names in the ACL:

    chicago(config)# access-list outside permit tcp any object-group DMZ_Servers object-group DMZ_Services
    chicago(config)# show static
    static(dmz,outside) netmask
    static(dmz,outside) netmask
    static(dmz,outside) netmask

The statics are listed alongside because an ACL applied on the outside interface of a PIX 6.x firewall matches the translated (global) address of each server, so DMZ_Servers must contain the addresses from the static translations, not the DMZ-side addresses.

[Figure: DMZ segment with Web, Mail and a third server behind the PIX; Internet on the outside interface]

CSPFA 3.2—8-7 Grouping Objects of Similar Types

Objects are grouped by type, and each group type replaces one position of an ACE:
- Protocols (object-group protocol), for example INSIDE_PROTOCOLS: TCP, UDP.
- Networks and hosts (object-group network), for example INSIDE_HOSTS: a /24 subnet plus individual hosts.
- Services (object-group service), for example DMZ_SERVICES: HTTP, HTTPS, FTP.
- ICMP message types (object-group icmp-type), for example PING: echo, echo-reply.

The corresponding positions in plain ACEs are the protocol, the network/host, and the service or ICMP type:

    chicago(config)# access-list aclout permit tcp any host eq ftp
    chicago(config)# access-list aclout permit icmp any echo-reply

CSPFA 3.2—8-8 Getting Started with Object Groups

CSPFA 3.2—8-9 Configuring and Using Object Groups

Complete the following tasks to create object groups and use them in your configuration:
- Task 1: Use the object-group command to enter the subcommand mode for the type of group you want to configure.
- Task 2: In subcommand mode, define the members of the object group.
- Task 3 (optional): Use the description subcommand to describe the object group.
- Task 4: Use the exit or quit command to return to configuration mode.
- Task 5 (optional): Use the show object-group command to verify that the object group has been configured successfully.
- Task 6: Apply the object group to the access-list command.
- Task 7 (optional): Use the show access-list command to display the expanded ACL entries.

CSPFA 3.2—8-10 Configuring Network Object Groups

    pixfirewall(config)# object-group network grp_id

Assigns a name to the group and enters network subcommand mode, where each member is added with network-object host (a single host) or network-object followed by a network address and mask:

    pixfirewall(config)# object-group network Inside_Eng
    pixfirewall(config-network)# network-object host
    pixfirewall(config-network)# network-object host

[Figure: inside networks Inside_Mktg and Inside_Eng (a /24 each) behind the PIX; Internet on the outside]

CSPFA 3.2—8-11 Configuring Service Object Groups

    pixfirewall(config)# object-group service grp_id {tcp | udp | tcp-udp}

Assigns a name to a service group, fixes the transport protocol the ports belong to, and enters service subcommand mode. Members are added with port-object eq port or port-object range begin end:

    pixfirewall(config)# object-group service Host_Services tcp
    pixfirewall(config-service)# port-object eq http
    pixfirewall(config-service)# port-object eq https
    pixfirewall(config-service)# port-object eq ftp

Because the group is declared as tcp, it can only be used in ACEs whose protocol is tcp (a tcp-udp group can be used with either).

[Figure: Inside_Mktg and Inside_Eng (/24 each) behind the PIX, a DMZ segment, and the Internet; Host_Services contains HTTP, HTTPS and FTP]

CSPFA 3.2—8-12 Adding Object Groups to an ACL

    pixfirewall(config)# access-list acl_ID [line line-num] {deny | permit} protocol source_addr source_mask [operator port [port]] destination_addr destination_mask [operator port [port]]

In each of these positions, object-group grp_id can stand in for the literal value: a protocol group for protocol, a network group for an address and mask pair, and a service or ICMP-type group for the port operator. The example permits outbound HTTP, HTTPS and FTP from the Engineering hosts to any destination:

    pixfirewall(config)# access-list inside permit tcp object-group Inside_Eng any object-group Host_Services

Here Host_Services follows the destination (any), so it restricts the destination ports; a service group placed after the source address would restrict source ports instead.

[Figure: Inside_Mktg and Inside_Eng (/24 each) behind the PIX, a DMZ segment, and the Internet; Host_Services applied to the Inside_Eng group]

CSPFA 3.2—8-13 Configuring Protocol Object Groups

    pixfirewall(config)# object-group protocol grp_id

Assigns a name to a protocol group and enters protocol subcommand mode, where protocol-object adds an IP protocol by number or keyword:

    pixfirewall(config)# object-group protocol ESP_Protocol
    pixfirewall(config-protocol)# protocol-object 50

Protocol 50 is ESP (IPsec Encapsulating Security Payload). A protocol group is used in the protocol position of an ACE, for example to permit IPsec traffic to a VPN gateway without separate ACEs for each protocol.

[Figure: Inside_Mktg and Inside_Eng (/24 each) behind the PIX, a DMZ segment, and the Internet; ESP_Protocol contains protocol 50]

CSPFA 3.2—8-14 Configuring ICMP-Type Object Groups

    pixfirewall(config)# object-group icmp-type grp_id

Assigns a name to an ICMP-type group and enters ICMP-type subcommand mode, where icmp-object adds a message type:

    pixfirewall(config)# object-group icmp-type PING
    pixfirewall(config-icmp-type)# icmp-object echo
    pixfirewall(config-icmp-type)# icmp-object echo-reply

An ICMP-type group is used in the ICMP-type position of an icmp ACE. Because the PIX 6.x firewall does not track ICMP statefully, replies to outbound pings have to be permitted by an inbound ACE; a group such as PING keeps that ACE limited to echo and echo-reply rather than opening all of ICMP.

[Figure: Inside_Mktg and Inside_Eng (/24 each) behind the PIX, a DMZ segment, and the Internet; PING contains echo and echo-reply]

CSPFA 3.2—8-15 Nested Object Groups

CSPFA 3.2—8-16 Nested Object Groups

- Group objects, for example Inside_Eng and Inside_Mktg.
- Nest the groups in a larger group, for example Inside_Networks.
- Apply the nested group to the ACL.

[Figure: Inside_Mktg and Inside_Eng behind the PIX, combined into Inside_Networks; DMZ segment and Internet]

CSPFA 3.2—8-17 Configuring Nested Object Groups

Complete the following steps to configure nested object groups:
- Step 1: Create an object group that you want to nest within another object group, such as Inside_Eng.
- Step 2: Add the appropriate type of objects to the object group, such as a /24 network.
- Step 3: Assign an identity to the object group within which you want to nest other object groups, such as Inside_Networks.
- Step 4: Add the first object group to the second object group.
- Step 5: Add any other objects that are required to the group, such as Inside_Mktg.

CSPFA 3.2—8-18 Nested Object Group Example: Object Group Network

- Create the network object groups Inside_Eng and Inside_Mktg.
- Allow inside hosts outbound HTTP, HTTPS and FTP.

[Figure: Inside_Mktg and Inside_Eng behind the PIX, combined into Inside_Networks; DMZ segment and Internet]

CSPFA 3.2—8-19 group-object Command

    pixfirewall(config-group-type)# group-object object_group_id

Nests an existing object group within another object group of the same type (a network group cannot be nested inside a service group). The name given to group-object must match the name the group was created with exactly:

    pixfirewall(config)# object-group network Inside_Eng
    pixfirewall(config-network)# network-object host
    pixfirewall(config-network)# network-object host
    pixfirewall(config-network)# exit
    pixfirewall(config)# object-group network Inside_Mktg
    pixfirewall(config-network)# network-object host
    pixfirewall(config-network)# network-object host
    pixfirewall(config-network)# exit
    pixfirewall(config)# object-group network Inside_Networks
    pixfirewall(config-network)# group-object Inside_Eng
    pixfirewall(config-network)# group-object Inside_Mktg

[Figure: Inside_Eng and Inside_Mktg nested within Inside_Networks]

CSPFA 3.2—8-20 Nested Object Group Example: Object Group Services

    pix1(config)# object-group service Host_Services tcp
    pix1(config-service)# port-object eq http
    pix1(config-service)# port-object eq https
    pix1(config-service)# port-object eq ftp

[Figure: Inside_Mktg and Inside_Eng behind the PIX, DMZ segment and Internet; Host_Services contains HTTP, HTTPS and FTP]

CSPFA 3.2—8-21 Apply Nested Object Group to ACL

    pixfirewall(config)# access-list aclin permit tcp object-group Inside_Networks any object-group Host_Services

Allows all inside hosts (every member of Inside_Eng and Inside_Mktg) outbound HTTP, HTTPS and FTP with one ACE.

[Figure: Inside_Mktg and Inside_Eng combined into Inside_Networks behind the PIX; DMZ segment and Internet]

CSPFA 3.2—8-22 Multiple Object Groups in ACLs

    chicago(config)# show object-group
    object-group network REMOTES
      network-object host
      network-object host
    object-group network DMZ1
      network-object host
      network-object host
    object-group network DMZ2
      network-object host
    object-group network ALL_DMZ
      group-object DMZ1
      group-object DMZ2
    object-group service BASIC
      port-object eq http
      port-object eq smtp

    pixfirewall(config)# access-list acl_out permit tcp object-group REMOTES object-group ALL_DMZ object-group BASIC

    pixfirewall(config)# show static
    static(dmz1,outside) netmask
    static(dmz1,outside) netmask
    static(dmz2,outside) netmask

A single ACE can carry a network group for the source, a nested network group for the destination and a service group for the ports. The firewall expands it into every combination: two remote hosts, three DMZ hosts and two services give twelve ACEs, which show access-list lists individually. Keep the expanded count in mind when sizing groups, since each combination is a separate entry the firewall evaluates.

[Figure: two DMZ segments (dmz1, dmz2) behind the PIX, remote hosts on the Internet]

CSPFA 3.2—8-23 Displaying Configured Object Groups

    pixfirewall(config)# show object-group [protocol | service | icmp-type | network]

Displays the object groups in the configuration, optionally limited to one type:

    pixfirewall# show object-group
    object-group network DMZ1
      network-object host
      network-object host
    object-group network DMZ2
      network-object host
    object-group network ALL_DMZ
      group-object DMZ1
      group-object DMZ2

CSPFA 3.2—8-24 Removing Configured Object Groups

    pixfirewall(config)# no object-group service grp_id {tcp | udp | tcp-udp}

Removes a specific service object group.

    pixfirewall(config)# no object-group {protocol | network | icmp-type} grp_id

Removes a specific protocol, network, or ICMP-type object group.

    pixfirewall(config)# clear object-group [protocol | service | icmp-type | network]

Removes all object groups, or all object groups of a specific type. Examples:

    pixfirewall(config)# no object-group network ALL_DMZ
    pixfirewall(config)# clear object-group protocol

Before removing a group, remove it from every access-list entry and from every group that nests it with group-object; a group that is still referenced is exactly the one whose removal silently changes what an ACE matches.
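The script below is an added example, not part of the CSPFA course material, that models what the firewall does with the groups built in tasks 1 to 7 of 8-9, the nested groups of 8-19 to 8-21, the multi-group ACE of 8-22 and the removal rule of 8-24. It parses a PIX-style configuration fragment, resolves nested group-object references (rejecting a group that nests itself or a group of another type), expands each object-group ACE into the flat entries that show access-list would display, and reports where a group is still referenced so that no object-group is only issued against unused groups. The configuration, its group OLD_HOSTS and all addresses are constructed for the example (RFC 5737 documentation ranges, since the slide addresses are not shown); parsing covers only the subcommands this lesson uses.

```python
"""Added example: expand PIX-style object groups the way `show access-list` does.

Not from the CSPFA course; the configuration below is constructed for
illustration and uses RFC 5737 documentation addresses.
"""
import itertools
import re

# Constructed PIX 6.x-style fragment: the groups of slide 8-22 plus one unused group.
SAMPLE_CONFIG = """\
object-group network REMOTES
 network-object host 198.51.100.10
 network-object host 198.51.100.11
object-group network DMZ1
 network-object host 192.0.2.1
 network-object host 192.0.2.2
object-group network DMZ2
 network-object 192.0.2.32 255.255.255.240
object-group network ALL_DMZ
 group-object DMZ1
 group-object DMZ2
object-group network OLD_HOSTS
 network-object host 198.51.100.99
object-group service BASIC tcp
 port-object eq http
 port-object eq smtp
 port-object range 8080 8081
access-list acl_out permit tcp object-group REMOTES object-group ALL_DMZ object-group BASIC
access-list acl_out permit tcp any host 192.0.2.3 eq https
"""

MEMBER_KEYWORDS = ("network-object", "port-object", "protocol-object", "icmp-object")


def parse_groups(config):
    """Return {group_name: (group_type, [member_tokens, ...])}.

    Members are kept as token lists, e.g. ['network-object', 'host', '192.0.2.1']
    or ['group-object', 'DMZ1'] for a nested reference.
    """
    groups, current = {}, None
    for line in config.splitlines():
        if line.startswith("object-group "):
            _, group_type, name = line.split()[:3]
            current = name
            groups[name] = (group_type, [])
        elif line.startswith(" ") and current is not None:
            groups[current][1].append(line.split())
        else:
            current = None  # any other top-level command ends the subcommand mode
    return groups


def flatten(groups, name, seen=()):
    """Resolve nested group-object references into the leaf members of `name`.

    Returns strings in ACE form ('host 192.0.2.1', '192.0.2.32 255.255.255.240',
    'eq http', 'range 8080 8081'). A cycle (A nests B nests A), a missing group
    or a nested group of a different type raises ValueError.
    """
    if name in seen:
        raise ValueError(f"object-group {name} is nested within itself")
    if name not in groups:
        raise ValueError(f"object-group {name} is not defined")
    group_type, members = groups[name]
    leaves = []
    for member in members:
        if member[0] == "group-object":
            nested = member[1]
            if nested in groups and groups[nested][0] != group_type:
                raise ValueError(f"{nested} is not a {group_type} group")
            leaves.extend(flatten(groups, nested, seen + (name,)))
        elif member[0] in MEMBER_KEYWORDS:
            leaves.append(" ".join(member[1:]))
        else:
            raise ValueError(f"unsupported member in {name}: {' '.join(member)}")
    return leaves


def expand_acl(config):
    """Expand every access-list line into the flat ACEs the firewall installs.

    Each `object-group NAME` is replaced by its leaf members and the ACE is
    written out once per combination, which is what `show access-list` displays.
    """
    groups = parse_groups(config)
    aces = []
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        tokens, slots, i = line.split(), [], 0
        while i < len(tokens):
            if tokens[i] == "object-group":
                slots.append(flatten(groups, tokens[i + 1]))
                i += 2
            else:
                slots.append([tokens[i]])
                i += 1
        aces.extend(" ".join(combo) for combo in itertools.product(*slots))
    return aces


def references(config, name):
    """List the groups and access-list lines that still use `name`.

    Run this before `no object-group name`: remove the group only once the
    list is empty, otherwise an ACE or an enclosing group loses members.
    """
    pattern = re.compile(rf"\bobject-group {re.escape(name)}\b")
    users = [f"object-group {g}" for g, (_, members) in parse_groups(config).items()
             if any(m[:2] == ["group-object", name] for m in members)]
    users += [line for line in config.splitlines()
              if line.startswith("access-list ") and pattern.search(line)]
    return users


if __name__ == "__main__":
    expanded = expand_acl(SAMPLE_CONFIG)
    for ace in expanded:
        print(ace)
    print(len(expanded), "ACEs from 2 configured access-list lines")
    for group in ("DMZ1", "ALL_DMZ", "OLD_HOSTS"):
        print(f"{group}: referenced by {references(SAMPLE_CONFIG, group) or 'nothing'}")
```

The single object-group line in the constructed configuration expands to eighteen ACEs (two remote hosts, three DMZ entries, three port objects), which is the count a `show access-list` on the firewall would have to display and evaluate; `references` shows that DMZ1 cannot be removed without first editing ALL_DMZ, while OLD_HOSTS can go immediately.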

CSPFA 3.2—8-25 Summary

CSPFA 3.2—8-26 Summary

- You can group network objects, services, protocols, and ICMP message types to reduce the number of ACEs required to implement your security policy.
- The main object grouping command, object-group, names your object group and enables a subcommand mode for the type of object you specify.
- Members of an object group are defined in its subcommand mode.
- Hierarchical (nested) object grouping enables greater flexibility and modularity for specifying entries within ACLs.

CSPFA 3.2—8-27 Lab Exercise

[Figure: Lab Visual Objective. Per-pod topology: Student PC, PIX Firewall, Web/FTP bastion host, CSACS server, RTS and RBB routers; addresses are written with the pod number as 10.0.P.x for pods 1 to 5 and 10.0.Q.x for pods 6 onward]