© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—8-1 Lesson 8 Object Grouping.

Slide 1: Lesson 8, Object Grouping (title slide)

Slide 2: Objectives (section title)

Slide 3: Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
- Describe the object grouping feature of the PIX Firewall and its advantages.
- Configure object groups.
- Configure nested object groups.
- Use object groups in ACLs.

Slide 4: Overview of Object Grouping (section title)

Slide 5: Using Object Groups in ACLs

Without object groups, permitting three services to each of three DMZ hosts takes nine separate ACEs:

chicago(config)# access-list acl_out permit tcp any host 192.168.0.10 eq http
chicago(config)# access-list acl_out permit tcp any host 192.168.0.10 eq https
chicago(config)# access-list acl_out permit tcp any host 192.168.0.10 eq ftp
chicago(config)# access-list acl_out permit tcp any host 192.168.0.11 eq http
chicago(config)# access-list acl_out permit tcp any host 192.168.0.11 eq https
chicago(config)# access-list acl_out permit tcp any host 192.168.0.11 eq ftp
chicago(config)# access-list acl_out permit tcp any host 192.168.0.12 eq http
chicago(config)# access-list acl_out permit tcp any host 192.168.0.12 eq https
chicago(config)# access-list acl_out permit tcp any host 192.168.0.12 eq ftp

chicago(config)# show static
static (dmz,outside) 192.168.0.10 172.16.0.1 netmask 255.255.255.255
static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255
static (dmz,outside) 192.168.0.12 172.16.0.3 netmask 255.255.255.255

[Diagram: DMZ network 172.16.0.0 with Web and Mail servers at .1 through .4, reachable from the Internet through static translations to 192.168.0.X]

Slide 6: Grouping Objects

Group the supported services, for example DMZ_Services:
- HTTP
- HTTPS
- FTP

Group the hosts/networks, for example DMZ_Servers:
- 192.168.0.10
- 192.168.0.11
- 192.168.0.12

Apply the group names to the ACL, replacing the nine ACEs of the previous slide with one:

chicago(config)# access-list outside permit tcp any object-group DMZ_Servers object-group DMZ_Services

chicago(config)# show static
static (dmz,outside) 192.168.0.10 172.16.0.1 netmask 255.255.255.255
static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255
static (dmz,outside) 192.168.0.12 172.16.0.3 netmask 255.255.255.255

[Diagram: DMZ network 172.16.0.0 with Web and Mail servers at .1 through .4, reachable from the Internet through static translations to 192.168.0.X]

Slide 7: Grouping Objects of Similar Types

Each object group holds members of one type; the example group names are shown in parentheses:
- Protocols: TCP, UDP (INSIDE_PROTOCOLS)
- Networks/hosts: subnet 10.0.0.0/24, host 10.0.1.11, host 10.0.2.11 (INSIDE_HOSTS)
- Services: HTTP, HTTPS, FTP (DMZ_SERVICES)
- ICMP types: echo, echo-reply (PING)

The four group types stand in for the protocol, network/host, and service or ICMP-type fields of an ACE, for example:

chicago(config)# access-list aclout permit tcp any host 192.168.0.12 eq ftp
chicago(config)# access-list aclout permit icmp any host 192.168.0.12 echo-reply

Slide 8: Getting Started with Object Groups (section title)

Slide 9: Configuring and Using Object Groups

Complete the following tasks to create object groups and use them in your configuration:
- Task 1: Use the object-group command to enter the appropriate subcommand mode for the type of group you want to configure.
- Task 2: In subcommand mode, define the members of the object group.
- Task 3 (optional): Use the description subcommand to describe the object group.
- Task 4: Use the exit or quit command to return to configuration mode.
- Task 5 (optional): Use the show object-group command to verify that the object group has been configured successfully.
- Task 6: Apply the object group to the access-list command.
- Task 7 (optional): Use the show access-list command to display the expanded ACL entries.

Slide 10: Configuring Network Object Groups

pixfirewall(config)# object-group network grp_id
Assigns a name to the group and enables the Network subcommand mode.

pixfirewall(config)# object-group network Inside_Eng
pixfirewall(config-network)# network-object host 10.0.0.1
pixfirewall(config-network)# network-object host 10.0.0.2

[Diagram: Inside_Eng on 10.0.0.0/24 and Inside_Mktg on 10.0.1.0/24 behind the PIX, outside network 192.168.0.0 toward the Internet]

Slide 11: Configuring Service Object Groups

pixfirewall(config)# object-group service grp_id {tcp | udp | tcp-udp}
Assigns a name to a Service group and enables the Service subcommand mode.

pixfirewall(config)# object-group service Host_Services tcp
pixfirewall(config-service)# port-object eq http
pixfirewall(config-service)# port-object eq https
pixfirewall(config-service)# port-object eq ftp

[Diagram: Inside_Eng on 10.0.0.0/24 and Inside_Mktg on 10.0.1.0/24 behind the PIX, a DMZ, and the Internet via 192.168.0.0; Host_Services contains HTTP, HTTPS, and FTP]

Slide 12: Adding Object Groups to an ACL

pixfirewall(config)# access-list acl_ID line line-num {deny | permit} protocol source_addr source_mask [operator port [port]] destination_addr destination_mask [operator port [port]]

In this syntax, object-group grp_id may take the place of the protocol, either address/mask pair, or a port operator, as the following example does for the source address and the destination port:

pixfirewall(config)# access-list inside permit tcp object-group Inside_Eng any object-group Host_Services
Permits outbound Engineering HTTP, HTTPS, and FTP traffic (Inside_Eng combined with Host_Services).

[Diagram: Inside_Eng on 10.0.1.0/24 and Inside_Mktg on 10.0.0.0/24 behind the PIX, a DMZ, and the Internet via 192.168.0.0]

Slide 13: Configuring Protocol Object Groups

pixfirewall(config)# object-group protocol grp_id
Assigns a name to a Protocol group and enables the Protocol subcommand mode.

pixfirewall(config)# object-group protocol ESP_Protocol
pixfirewall(config-protocol)# protocol-object 50

[Diagram: Inside_Eng on 10.0.0.0/24 and Inside_Mktg on 10.0.1.0/24 behind the PIX, a DMZ, and the Internet via 192.168.0.0; ESP_Protocol contains IP protocol 50]

Slide 14: Configuring ICMP-Type Object Groups

pixfirewall(config)# object-group icmp-type grp_id
Assigns a name to an ICMP-Type group and enables the ICMP-Type subcommand mode.

pixfirewall(config)# object-group icmp-type PING
pixfirewall(config-icmp-type)# icmp-object echo
pixfirewall(config-icmp-type)# icmp-object echo-reply

[Diagram: Inside_Eng on 10.0.0.0/24 and Inside_Mktg on 10.0.1.0/24 behind the PIX, a DMZ, and the Internet via 192.168.0.0; PING contains echo and echo-reply]

Slide 15: Nested Object Groups (section title)

Slide 16: Nested Object Groups

- Group objects; for example, Inside_Eng and Inside_Mktg.
- Nest the groups; for example, Inside_Networks.
- Apply the nested group to the ACL.

[Diagram: Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) nested in Inside_Networks behind the PIX, with a DMZ (172.16.0.0) and the Internet]

Slide 17: Configuring Nested Object Groups

Complete the following steps to configure nested object groups:
- Step 1: Create an object group that you want to nest within another object group, such as Inside_Eng.
- Step 2: Add the appropriate type of objects to the object group, such as 10.0.1.0/24.
- Step 3: Assign an identity to the object group within which you want to nest other object groups, such as Inside_Networks.
- Step 4: Add the first object group to the second object group.
- Step 5: Add any other objects that are required to the group, such as Inside_Mktg.

Slide 18: Nested Object Group Example, Object Group Network

Create an object group for each inside network:
- Inside_Eng
- Inside_Mktg

Allow inside hosts outbound for:
- HTTP
- HTTPS
- FTP

[Diagram: Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) nested in Inside_Networks behind the PIX, with a DMZ (172.16.0.0) and the Internet]

Slide 19: group-object Command

pixfirewall(config-group-type)# group-object object_group_id
Nests an object group within another object group.

pixfirewall(config)# object-group network Inside_Eng
pixfirewall(config-network)# network-object host 10.0.0.1
pixfirewall(config-network)# network-object host 10.0.0.2
pixfirewall(config-network)# exit
pixfirewall(config)# object-group network Inside_Mktg
pixfirewall(config-network)# network-object host 10.0.1.1
pixfirewall(config-network)# network-object host 10.0.1.2
pixfirewall(config-network)# exit
pixfirewall(config)# object-group network Inside_Networks
pixfirewall(config-network)# group-object Inside_Eng
pixfirewall(config-network)# group-object Inside_Mktg

[Diagram: Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) nested in Inside_Networks]

Slide 20: Nested Object Group Example, Object Group Services

pix1(config)# object-group service Host_Services tcp
pix1(config-service)# port-object eq http
pix1(config-service)# port-object eq https
pix1(config-service)# port-object eq ftp

[Diagram: Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) behind the PIX, with a DMZ (172.16.0.0) and the Internet; Host_Services contains HTTP, HTTPS, and FTP]

Slide 21: Apply Nested Object Group to ACL

pixfirewall(config)# access-list aclin permit tcp object-group Inside_Networks any object-group Host_Services

Allows all inside hosts outbound for:
- HTTP
- HTTPS
- FTP

[Diagram: Inside_Eng (10.0.0.0) and Inside_Mktg (10.0.1.0) nested in Inside_Networks behind the PIX, with a DMZ (172.16.0.0) and the Internet]

Slide 22: Multiple Object Groups in ACLs

chicago(config)# show object-group
object-group network REMOTES
 network-object host 172.30.0.50
 network-object host 172.30.0.51
object-group network DMZ1
 network-object host 192.168.1.10
 network-object host 192.168.1.12
object-group network DMZ2
 network-object host 192.168.2.10
object-group network ALL_DMZ
 group-object DMZ1
 group-object DMZ2
object-group service BASIC
 port-object eq http
 port-object eq smtp

pixfirewall(config)# access-list acl_out permit tcp object-group REMOTES object-group ALL_DMZ object-group BASIC

pixfirewall(config)# show static
static (dmz1,outside) 192.168.1.10 172.16.0.1 netmask 255.255.255.255
static (dmz1,outside) 192.168.1.12 172.16.0.2 netmask 255.255.255.255
static (dmz2,outside) 192.168.2.10 172.16.1.1 netmask 255.255.255.255

[Diagram: remote hosts 172.30.0.50 and .51 on the Internet; DMZ1 (172.16.0.0) and DMZ2 (172.16.1.0) behind the PIX with outside addresses in 192.168.1.0 and 192.168.2.0; inside network 10.0.0.0]
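The single ACE above is what the firewall expands into explicit entries when you run show access-list (Task 7 of slide 9). The following Python script is an added example, not Cisco code or output from a PIX: it parses object-group definitions constructed from this slide, flattens nested group-object members as in slide 19, and expands one ACE into the 2 x 3 x 2 = 12 entries the groups stand for, refusing circular nesting.

```python
# Added example (not Cisco code): expand object-group refs in one PIX ACE into the
# entries `show access-list` would list. CONFIG is constructed from slide 22.
import re
from itertools import product

CONFIG = """\
object-group network REMOTES
 network-object host 172.30.0.50
 network-object host 172.30.0.51
object-group network DMZ1
 network-object host 192.168.1.10
 network-object host 192.168.1.12
object-group network DMZ2
 network-object host 192.168.2.10
object-group network ALL_DMZ
 group-object DMZ1
 group-object DMZ2
object-group service BASIC tcp
 port-object eq http
 port-object eq smtp
"""

def parse_groups(text):
    """Return {group_name: [member lines]} from object-group definitions."""
    groups, current = {}, None
    for line in text.splitlines():
        if header := re.match(r"object-group \S+ (\S+)", line):
            current = groups.setdefault(header.group(1), [])
        elif current is not None and line.strip():
            current.append(line.strip())
    return groups

def members(groups, name, seen=()):
    """Flatten a group, following group-object nesting; refuse cycles."""
    if name in seen:
        raise ValueError(f"circular group-object nesting at {name}")
    flat = []
    for member in groups[name]:
        kind, _, value = member.partition(" ")
        if kind == "group-object":
            flat.extend(members(groups, value, seen + (name,)))
        else:  # network-object / port-object / protocol-object / icmp-object
            flat.append(value)
    return flat

def expand_ace(groups, ace):
    """Replace each 'object-group NAME' by its members, then take the product."""
    slots = [members(groups, t.split()[1]) if t.startswith("object-group") else [t]
             for t in re.findall(r"object-group \S+|\S+", ace)]
    return [" ".join(combo) for combo in product(*slots)]
```

Run expand_ace(parse_groups(CONFIG), "access-list acl_out permit tcp object-group REMOTES object-group ALL_DMZ object-group BASIC") to list the twelve expanded entries; the count is the product of the group sizes, which is why a small change to a group can silently widen an ACL.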

Slide 23: Displaying Configured Object Groups

pixfirewall(config)# show object-group [protocol | service | icmp-type | network]
Displays the object groups in the configuration.

pixfirewall# show object-group
object-group network DMZ1
 network-object host 192.168.1.10
 network-object host 192.168.1.12
object-group network DMZ2
 network-object host 192.168.2.10
object-group network ALL_DMZ
 group-object DMZ1
 group-object DMZ2

Slide 24: Removing Configured Object Groups

pixfirewall(config)# no object-group service grp_id {tcp | udp | tcp-udp}
Removes a specific service object group.

pixfirewall(config)# no object-group {protocol | network | icmp-type} grp_id
Removes a specific protocol, network, or icmp-type object group.

pixfirewall(config)# clear object-group [protocol | service | icmp-type | network]
Removes all object groups, or all object groups of a specific type.

Examples:
pixfirewall(config)# no object-group network ALL_DMZ
pixfirewall(config)# clear object-group protocol

Slide 25: Summary (section title)

Slide 26: Summary

- You can group network objects, services, protocols, and ICMP message types to reduce the number of ACEs required to implement your security policy.
- The main object grouping command, the object-group command, names your object group and enables a subcommand mode for the type of object you specify.
- Members of an object group are defined in its subcommand mode.
- Hierarchical object grouping enables greater flexibility and modularity for specifying entries within ACLs.

Slide 27: Lab Exercise (section title)

Slide 28: Lab Visual Objective

[Lab diagram: pods 1 to 5 and 6 to 10, each with a Student PC, a PIX Firewall, and a Web/FTP and CSACS host on 10.0.P.0 (local 10.0.P.11) or 10.0.Q.0 (local 10.0.Q.11); a "bastionhost" Web/FTP server on 172.16.P.0 or 172.16.Q.0; outside networks 192.168.P.0 and 192.168.Q.0 connected through RBB (.2) to 172.26.26.0, which hosts a Web/FTP server at .50 and RTS at .100]
