© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—6-1 Lesson 6 Object Grouping.

SNPA v4.0—6-2 Overview of Object Grouping

SNPA v4.0—6-3 Using Object Groups in ACLs

Without object groups, permitting HTTP, HTTPS, and FTP to three DMZ web servers takes nine ACEs, one for each server and service pair:

  fw1(config)# access-list acl_out permit tcp any host eq http
  fw1(config)# access-list acl_out permit tcp any host eq https
  fw1(config)# access-list acl_out permit tcp any host eq ftp
  fw1(config)# access-list acl_out permit tcp any host eq http
  fw1(config)# access-list acl_out permit tcp any host eq https
  fw1(config)# access-list acl_out permit tcp any host eq ftp
  fw1(config)# access-list acl_out permit tcp any host eq http
  fw1(config)# access-list acl_out permit tcp any host eq https
  fw1(config)# access-list acl_out permit tcp any host eq ftp

  fw1(config)# show run static
  static (dmz,outside) netmask
  static (dmz,outside) netmask
  static (dmz,outside) netmask

(Figure: three web servers in the DMZ, reached from the Internet through the security appliance)

SNPA v4.0—6-4 Grouping Objects

Service groups, such as DMZ_Services:
  – HTTP
  – HTTPS
  – FTP
Host and network groups, such as DMZ_Servers, containing the three DMZ server addresses.
Group names applied to the ACL, replacing the nine individual ACEs with one:

  fw1(config)# access-list outside permit tcp any object-group DMZ_Servers object-group DMZ_Services

  fw1(config)# show run static
  static(dmz,outside) netmask
  static(dmz,outside) netmask
  static(dmz,outside) netmask

(Figure: three web servers in the DMZ, reached from the Internet through the security appliance)

SNPA v4.0—6-5 Grouping Objects of Similar Types

Protocols (group INSIDE_PROTOCOLS):
  – TCP
  – UDP
Networks and hosts (group INSIDE_HOSTS):
  – Subnet /24
  – two hosts
Services (group DMZ_SERVICES):
  – HTTP
  – HTTPS
  – FTP
ICMP (group PING):
  – Echo
  – Echo-reply

Example ACEs using the corresponding object types:

  firewall(config)# access-list aclout permit tcp any host eq ftp
  firewall(config)# access-list aclout permit icmp any echo-reply

SNPA v4.0—6-6 Getting Started with Object Groups

SNPA v4.0—6-7 Configuring and Using Object Groups

Complete the following steps to create object groups and use them in your configuration:

Step 1: Use the object-group command to enter the appropriate subcommand mode for the type of group you want to configure.
Step 2: In subcommand mode, define the members of the object group.
Step 3: (Optional) Use the description subcommand to describe the object group.
Step 4: Use the exit or quit command to return to configuration mode.
Step 5: (Optional) Use the show object-group command to verify that the object group has been configured successfully.
Step 6: Apply the object group to the access-list command.
Step 7: (Optional) Use the show access-list command to display the expanded ACL entries.

SNPA v4.0—6-8 Configuring Network Object Groups

  fw1(config)# object-group network Inside_Eng
  fw1(config-network)# network-object host
  fw1(config-network)# network-object host

Syntax:
  firewall(config)# object-group {protocol | network | icmp-type} obj_grp_id

Assigns a name to the group and enters the subcommand mode for that group type (config-network for a network group).

(Figure: Inside_Eng and Inside_Mktg networks on the inside, Internet on the outside)

SNPA v4.0—6-9 Configuring Service Object Groups

  fw1(config)# object-group service Host_Services tcp
  fw1(config-service)# port-object eq http
  fw1(config-service)# port-object eq https
  fw1(config-service)# port-object eq ftp

Syntax:
  firewall(config)# object-group service obj_grp_id {tcp | udp | tcp-udp}

Assigns a name to a service group and enables the service subcommand mode.

(Figure: Inside_Eng and Inside_Mktg networks; Host_Services group containing HTTP, HTTPS, and FTP)

SNPA v4.0—6-10 Adding Object Groups to an ACL

Syntax:
  firewall(config)# access-list id [line line-number] [extended] {deny | permit}
      {protocol | object-group protocol_obj_grp_id}
      {host sip | sip mask | interface ifc_name | object-group network_obj_grp_id | any}
      {host dip | dip mask | interface ifc_name | object-group network_obj_grp_id | any}
      [log [[level] [interval secs] | disable | default]]
      [inactive | time-range time_range_name]

Example, which permits outbound engineering HTTP, HTTPS, and FTP traffic:

  fw1(config)# access-list inside permit tcp object-group Inside_Eng any object-group Host_Services

(Figure: Inside_Eng and Inside_Mktg networks, Host_Services group, Internet outside)

SNPA v4.0—6-11 Configuring ICMP-Type Object Groups

  fw1(config)# object-group icmp-type PING
  fw1(config-icmp)# icmp-object echo
  fw1(config-icmp)# icmp-object echo-reply

Syntax:
  firewall(config)# object-group icmp-type obj_grp_id

Assigns a name to an ICMP-type group and enables the ICMP-type subcommand mode.

(Figure: Inside_Eng and Inside_Mktg networks; PING group containing Echo and Echo-reply)

SNPA v4.0—6-12 Nested Object Groups

SNPA v4.0—6-13 Nested Object Groups

Group objects: Inside_Eng, Inside_Mktg
Nested group: Inside_Networks (contains Inside_Eng and Inside_Mktg)
Nested group applied to ACL

(Figure: Inside_Eng and Inside_Mktg networks grouped as Inside_Networks; DMZ and Internet beyond the firewall)

SNPA v4.0—6-14 Configuring Nested Object Groups

Complete the following steps to configure nested object groups:

Step 1: Create an object group, such as Inside_Eng, that you want to nest within another object group.
Step 2: Add the appropriate type of objects to the object group, such as a /24 network.
Step 3: Assign an identity, such as Inside_Networks, to the object group within which you want to nest other object groups.
Step 4: Add the first object group to the second object group.
Step 5: Add any other objects to the group that are required, such as Inside_Mktg.

SNPA v4.0—6-15 Nested Object Group Example: Object Group Network

Create object groups:
  – Inside_Eng
  – Inside_Mktg
Allow inside hosts outbound:
  – HTTP
  – HTTPS
  – FTP

(Figure: Inside_Eng and Inside_Mktg networks grouped as Inside_Networks; DMZ and Internet beyond the firewall)

SNPA v4.0—6-16 group-object Command

  fw1(config)# object-group network Inside_Eng
  fw1(config-network)# network-object host
  fw1(config-network)# network-object host
  fw1(config-network)# exit
  fw1(config)# object-group network Inside_Mktg
  fw1(config-network)# network-object host
  fw1(config-network)# network-object host
  fw1(config-network)# exit
  fw1(config)# object-group network Inside_Networks
  fw1(config-network)# group-object Inside_Eng
  fw1(config-network)# group-object Inside_Mktg

Syntax:
  firewall(config-network)# group-object obj_group_id

Nests an object group within another object group.

(Figure: Inside_Eng and Inside_Mktg nested in Inside_Networks)

SNPA v4.0—6-17 Nested Object Group Example: Object Group Services

  fw1(config)# object-group service Host_Services tcp
  fw1(config-service)# port-object eq http
  fw1(config-service)# port-object eq https
  fw1(config-service)# port-object eq ftp

(Figure: Inside_Eng and Inside_Mktg networks; Host_Services group containing HTTP, HTTPS, and FTP; DMZ and Internet beyond the firewall)

SNPA v4.0—6-18 Apply Nested Object Group to ACL

Allow all inside hosts outbound:
  – HTTP
  – HTTPS
  – FTP

  fw1(config)# access-list aclin permit tcp object-group Inside_Networks any object-group Host_Services

(Figure: Inside_Eng and Inside_Mktg grouped as Inside_Networks; DMZ and Internet beyond the firewall)
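To make the expansion behind Step 7 of slide 6-7 concrete, here is an added Python example (not Cisco course material) that parses object-group definitions in the shape of slides 6-16 through 6-18, resolves the nested Inside_Networks group, and expands the single object-group ACE into the flat entries that show access-list would list. The group names follow the lesson; the host and subnet addresses are constructed sample values, and the parser assumes a literal protocol keyword with no line or extended options.

```python
import itertools
# Constructed sample config in the lesson's shape (not course material); addresses are made up.
SAMPLE_CONFIG = """\
object-group network Inside_Eng
 network-object host 10.0.1.11
 network-object host 10.0.1.12
object-group network Inside_Mktg
 network-object 10.0.2.0 255.255.255.0
object-group network Inside_Networks
 group-object Inside_Eng
 group-object Inside_Mktg
object-group service Host_Services tcp
 port-object eq http
 port-object eq https
 port-object eq ftp
access-list aclin permit tcp object-group Inside_Networks any object-group Host_Services
"""

def parse_groups(config):
    groups, current = {}, None  # name -> members; a nested group is kept as ('group', name)
    for words in filter(None, (line.split() for line in config.splitlines())):
        if words[0] == "object-group":
            current = groups.setdefault(words[2], [])
        elif words[0] in ("network-object", "port-object"):
            current.append(" ".join(words[1:]))  # "host A", "NET MASK" or "eq PORT"
        elif words[0] == "group-object":
            current.append(("group", words[1]))
    return groups

def members(groups, name):
    """Flatten a group, recursing through nested group-object references."""
    return [x for m in groups[name]
            for x in (members(groups, m[1]) if isinstance(m, tuple) else [m])]

def _operand(words, i, groups):
    """One src/dst/port operand: an object-group, 'any', or a two-word literal."""
    if words[i] == "object-group":
        return members(groups, words[i + 1]), i + 2
    return (["any"], i + 1) if words[i] == "any" else ([f"{words[i]} {words[i + 1]}"], i + 2)

def expand_acl(config):
    """Expand each access-list line into flat ACEs (assumes a literal protocol keyword)."""
    groups, aces = parse_groups(config), []
    for words in (l.split() for l in config.splitlines() if l.startswith("access-list")):
        src, i = _operand(words, 4, groups)
        dst, i = _operand(words, i, groups)
        svc = _operand(words, i, groups)[0] if i < len(words) else [""]
        for s, d, p in itertools.product(src, dst, svc):
            aces.append(f"access-list {words[1]} {words[2]} {words[3]} {s} {d} {p}".rstrip())
    return aces
```

One object-group ACE expands to nine flat entries here (3 flattened sources x 1 destination x 3 ports), so the number of installed ACEs grows with the product of the group sizes even though the configured policy stays one line.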

SNPA v4.0—6-19 Multiple Object Groups in ACLs

  fw1(config)# show run object-group
  object-group network REMOTES
   network-object host
   network-object host
  object-group network DMZ1
   network-object host
   network-object host
  object-group network DMZ2
   network-object host
  object-group network ALL_DMZ
   group-object DMZ1
   group-object DMZ2
  object-group service BASIC
   port-object eq http
   port-object eq smtp

  fw1(config)# access-list aclout permit tcp object-group REMOTES object-group ALL_DMZ object-group BASIC

  fw1(config)# show run static
  static(dmz1,outside) netmask
  static(dmz1,outside) netmask
  static(dmz2,outside) netmask

(Figure: two DMZ segments, DMZ1 and DMZ2, behind the security appliance)

SNPA v4.0—6-20 Displaying Configured Object Groups

  fw1# show run object-group
  object-group network DMZ1
   network-object host
   network-object host
  object-group network DMZ2
   network-object host
  object-group network ALL_DMZ
   group-object DMZ1
   group-object DMZ2

Syntax:
  firewall(config)# show running-config [all] object-group [protocol | service | network | icmp-type | id obj_grp_id]

Displays object groups in the configuration.

SNPA v4.0—6-21 Removing Configured Object Groups

  fw1(config)# no object-group network ALL_DMZ
  fw1(config)# clear config object-group protocol

Syntax:
  firewall(config)# no object-group protocol | network | icmp-type obj_grp_id
    Removes a specific protocol, network, or ICMP-type object group.
  firewall(config)# no object-group service obj_grp_id {tcp | udp | tcp-udp}
    Removes a specific service object group.
  firewall(config)# clear configure object-group [{protocol | service | icmp-type | network}]
    Removes all object groups or all object groups of a specific type.

SNPA v4.0—6-22 Summary

– You can group network objects, services, protocols, and ICMP message types to reduce the number of ACEs required to implement your security policy.
– The main object grouping command, the object-group command, names your object group and enables a subcommand mode for the type of object you specify.
– Members of an object group are defined in its subcommand mode.
– Hierarchical, or nested, object grouping enables greater flexibility and modularity for specifying entries within ACLs.