Published by Kory Stanley, modified over 9 years ago
Lesson 6: Object Grouping
© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0
Overview of Object Grouping
Using Object Groups in ACLs

Without object groups, permitting HTTP, HTTPS and FTP from the Internet to three DMZ web servers takes one ACE per host and service pair, nine in all:

  fw1(config)# access-list acl_out permit tcp any host 192.168.0.10 eq http
  fw1(config)# access-list acl_out permit tcp any host 192.168.0.10 eq https
  fw1(config)# access-list acl_out permit tcp any host 192.168.0.10 eq ftp
  fw1(config)# access-list acl_out permit tcp any host 192.168.0.11 eq http
  fw1(config)# access-list acl_out permit tcp any host 192.168.0.11 eq https
  fw1(config)# access-list acl_out permit tcp any host 192.168.0.11 eq ftp
  fw1(config)# access-list acl_out permit tcp any host 192.168.0.12 eq http
  fw1(config)# access-list acl_out permit tcp any host 192.168.0.12 eq https
  fw1(config)# access-list acl_out permit tcp any host 192.168.0.12 eq ftp

The static translations map the public addresses used in the ACL to the servers' real DMZ addresses:

  fw1(config)# show run static
  static (dmz,outside) 192.168.0.10 172.16.0.1 netmask 255.255.255.255
  static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255
  static (dmz,outside) 192.168.0.12 172.16.0.3 netmask 255.255.255.255

(Figure: Internet, firewall, and a DMZ on 172.16.0.0 with web servers .1, .2 and .3 translated to 192.168.0.x.)
Grouping Objects

The same policy expressed with object groups needs a single ACE.

Service groups, such as DMZ_Services:
– HTTP
– HTTPS
– FTP

Host and network groups, such as DMZ_Servers:
– 192.168.0.10
– 192.168.0.11
– 192.168.0.12

Group names applied to the ACL:

  fw1(config)# access-list outside permit tcp any object-group DMZ_Servers object-group DMZ_Services

  fw1(config)# show run static
  static (dmz,outside) 192.168.0.10 172.16.0.1 netmask 255.255.255.255
  static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255
  static (dmz,outside) 192.168.0.12 172.16.0.3 netmask 255.255.255.255

(Figure: same DMZ topology as the previous slide, web servers .1, .2 and .3 on 172.16.0.0 translated to 192.168.0.x.)
Grouping Objects of Similar Types

Each object group holds members of a single type, and each type stands in for one field of an ACE:

Protocols (INSIDE_PROTOCOLS)
– TCP
– UDP

Networks and hosts (INSIDE_HOSTS)
– Subnet 10.0.0.0/24
– 10.0.1.11
– 10.0.2.11

Services (DMZ_SERVICES)
– HTTP
– HTTPS
– FTP

ICMP (PING)
– Echo
– Echo-reply

ACE fields, left to right: protocol, networks/hosts, services or ICMP type:

  firewall(config)# access-list aclout permit tcp any host 192.168.0.12 eq ftp
  firewall(config)# access-list aclout permit icmp any host 192.168.0.12 echo-reply
Getting Started with Object Groups
Configuring and Using Object Groups

Complete the following steps to create object groups and use them in your configuration:

Step 1: Use the object-group command to enter the appropriate subcommand mode for the type of group you want to configure.
Step 2: In subcommand mode, define the members of the object group.
Step 3: (Optional) Use the description subcommand to describe the object group.
Step 4: Use the exit or quit command to return to configuration mode.
Step 5: (Optional) Use the show object-group command to verify that the object group has been configured successfully.
Step 6: Apply the object group to the access-list command.
Step 7: (Optional) Use the show access-list command to display the expanded ACL entries.
Configuring Network Object Groups

  firewall(config)# object-group {protocol | network | icmp-type} obj_grp_id

Assigns a name to the group and enables the subcommand mode for that group type (here, the network subcommand mode):

  fw1(config)# object-group network Inside_Eng
  fw1(config-network)# network-object host 10.0.0.1
  fw1(config-network)# network-object host 10.0.0.2

(Figure: inside networks 10.0.0.0/24 (Inside_Eng) and 10.0.1.0/24 (Inside_Mktg) behind the firewall, outside network 192.168.0.0, Internet.)
Configuring Service Object Groups

  firewall(config)# object-group service obj_grp_id {tcp | udp | tcp-udp}

Assigns a name to a service group and enables the service subcommand mode:

  fw1(config)# object-group service Host_Services tcp
  fw1(config-service)# port-object eq http
  fw1(config-service)# port-object eq https
  fw1(config-service)# port-object eq ftp

(Figure: inside networks 10.0.0.0/24 (Inside_Eng) and 10.0.1.0/24 (Inside_Mktg), outside network 192.168.0.0, Internet; Host_Services = HTTP, HTTPS, FTP.)
Adding Object Groups to an ACL

  firewall(config)# access-list id [line line-number] [extended] {deny | permit}
      {protocol | object-group protocol_obj_grp_id}
      {host sip | sip mask | interface ifc_name | object-group network_obj_grp_id | any}
      {host dip | dip mask | interface ifc_name | object-group network_obj_grp_id | any}
      [log [[level] [interval secs] | disable | default]]
      [inactive | time-range time_range_name]

Permits outbound engineering HTTP, HTTPS, and FTP traffic (Inside_Eng sources to any destination on the Host_Services ports):

  fw1(config)# access-list inside permit tcp object-group Inside_Eng any object-group Host_Services

(Figure: inside networks 10.0.0.0/24 (Inside_Eng) and 10.0.1.0/24 (Inside_Mktg), outside network 192.168.0.0, Internet; Host_Services + Inside_Eng.)
Configuring ICMP-Type Object Groups

  firewall(config)# object-group icmp-type obj_grp_id

Assigns a name to an ICMP-type group and enables the ICMP-type subcommand mode:

  fw1(config)# object-group icmp-type PING
  fw1(config-icmp)# icmp-object echo
  fw1(config-icmp)# icmp-object echo-reply

(Figure: inside networks 10.0.0.0/24 (Inside_Eng) and 10.0.1.0/24 (Inside_Mktg), outside network 192.168.0.0, Internet; Ping = Echo, Echo-reply.)
Nested Object Groups
Nested Object Groups

Group objects: Inside_Eng, Inside_Mktg
Nested group: Inside_Networks (contains Inside_Eng and Inside_Mktg)
Nested group applied to ACL

(Figure: DMZ 172.16.0.0, Internet, Inside_Mktg 10.0.1.0 and Inside_Eng 10.0.0.0 grouped as Inside_Networks.)
Configuring Nested Object Groups

Complete the following steps to configure nested object groups:

Step 1: Create an object group, such as Inside_Eng, that you want to nest within another object group.
Step 2: Add the appropriate type of objects to the object group, such as 10.0.1.0/24.
Step 3: Assign an identity, such as Inside_Networks, to the object group within which you want to nest other object groups.
Step 4: Add the first object group to the second object group.
Step 5: Add any other objects that are required to the group, such as Inside_Mktg.
Nested Object Group Example: Object Group Network

Create object groups:
– Inside_Eng
– Inside_Mktg

Allow inside hosts outbound:
– HTTP
– HTTPS
– FTP

(Figure: DMZ 172.16.0.0, Internet, Inside_Mktg 10.0.1.0 and Inside_Eng 10.0.0.0 grouped as Inside_Networks.)
group-object Command

  firewall(config-network)# group-object obj_group_id

Nests an object group within another object group:

  fw1(config)# object-group network Inside_Eng
  fw1(config-network)# network-object host 10.0.0.1
  fw1(config-network)# network-object host 10.0.0.2
  fw1(config-network)# exit
  fw1(config)# object-group network Inside_Mktg
  fw1(config-network)# network-object host 10.0.1.1
  fw1(config-network)# network-object host 10.0.1.2
  fw1(config-network)# exit
  fw1(config)# object-group network Inside_Networks
  fw1(config-network)# group-object Inside_Eng
  fw1(config-network)# group-object Inside_Mktg

(Figure: Inside_Mktg 10.0.1.0 and Inside_Eng 10.0.0.0 nested in Inside_Networks.)
Nested Object Group Example: Object Group Services

  fw1(config)# object-group service Host_Services tcp
  fw1(config-service)# port-object eq http
  fw1(config-service)# port-object eq https
  fw1(config-service)# port-object eq ftp

(Figure: DMZ 172.16.0.0, Internet, Inside_Mktg 10.0.1.0 and Inside_Eng 10.0.0.0; Host_Services = HTTP, HTTPS, FTP.)
Apply Nested Object Group to ACL

Allow all inside hosts outbound:
– HTTP
– HTTPS
– FTP

  fw1(config)# access-list aclin permit tcp object-group Inside_Networks any object-group Host_Services

(Figure: DMZ 172.16.0.0, Internet, Inside_Mktg 10.0.1.0 and Inside_Eng 10.0.0.0 grouped as Inside_Networks.)
Multiple Object Groups in ACLs

  fw1(config)# show run object-group
  object-group network REMOTES
   network-object host 172.30.0.50
   network-object host 172.30.0.51
  object-group network DMZ1
   network-object host 192.168.1.10
   network-object host 192.168.1.12
  object-group network DMZ2
   network-object host 192.168.2.10
  object-group network ALL_DMZ
   group-object DMZ1
   group-object DMZ2
  object-group service BASIC tcp
   port-object eq http
   port-object eq smtp

  fw1(config)# access-list aclout permit tcp object-group REMOTES object-group ALL_DMZ object-group BASIC

  fw1(config)# show run static
  static (dmz1,outside) 192.168.1.10 172.16.0.1 netmask 255.255.255.255
  static (dmz1,outside) 192.168.1.12 172.16.0.2 netmask 255.255.255.255
  static (dmz2,outside) 192.168.2.10 172.16.1.1 netmask 255.255.255.255

(Figure: remote hosts 172.30.0.50 and .51 on the Internet; firewall with inside 10.0.0.0, DMZ1 on 172.16.0.0 and DMZ2 on 172.16.1.0, DMZ servers translated to 192.168.x.x.)
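The following Python script is an added worked example, not Cisco code or part of the course material. It models the object-group, group-object and access-list syntax shown on these slides and expands a grouped ACE into the plain ACEs that "show access-list" lists (Step 7 of the procedure): the single aclout line above becomes 2 sources x 3 DMZ servers x 2 ports = 12 entries, and the same function reproduces the nine entries on the "Using Object Groups in ACLs" slide. Assumptions: the "tcp" keyword on the BASIC service group (the slide omits it); only the operand forms used on the slides (any, host, network mask, eq port, object-group) are parsed; the sample configuration is constructed from the slide. The references() helper lists where a group is used, which is the thing to check before removing it with no object-group.

```python
"""Expand PIX/ASA-style object groups into the plain ACEs they stand for.

Added example: it models the object-group / group-object / access-list
syntax shown on the slides; it is not Cisco code and never talks to a device.
"""
import itertools

# Constructed sample: the groups and ACL from the "Multiple Object Groups in
# ACLs" slide, laid out the way `show run object-group` lists them. The "tcp"
# keyword on the BASIC service group is assumed (the slide omits it).
SAMPLE_CONFIG = """\
object-group network REMOTES
 network-object host 172.30.0.50
 network-object host 172.30.0.51
object-group network DMZ1
 network-object host 192.168.1.10
 network-object host 192.168.1.12
object-group network DMZ2
 network-object host 192.168.2.10
object-group network ALL_DMZ
 group-object DMZ1
 group-object DMZ2
object-group service BASIC tcp
 port-object eq http
 port-object eq smtp
access-list aclout permit tcp object-group REMOTES object-group ALL_DMZ object-group BASIC
"""

MEMBER_KEYWORDS = ("network-object", "port-object", "icmp-object", "protocol-object")


def _operand(words, i):
    """Read one ACE operand starting at words[i]; return ((kind, text), next_i)."""
    if i >= len(words):                       # ACE has no service operand
        return ("value", ""), i
    if words[i] == "any":
        return ("value", "any"), i + 1
    if words[i] == "object-group":
        return ("group", words[i + 1]), i + 2
    # "host A.B.C.D", "eq port" and "network mask" all take two tokens
    return ("value", f"{words[i]} {words[i + 1]}"), i + 2


def parse_config(text):
    """Return (groups, aces); groups maps name -> {"type": ..., "members": [...]}."""
    groups, aces, current = {}, [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "object-group":
            current = groups[words[2]] = {"type": words[1], "members": []}
        elif words[0] in MEMBER_KEYWORDS or words[0] == "group-object":
            if current is None:
                raise ValueError(f"member outside an object-group: {raw.strip()}")
            kind = "group" if words[0] == "group-object" else "value"
            current["members"].append((kind, " ".join(words[1:])))
        elif words[0] == "access-list":
            if words[3] == "extended":        # optional keyword, no match data
                del words[3]
            acl_id, action = words[1], words[2]
            if words[3] == "object-group":
                proto, i = ("group", words[4]), 5
            else:
                proto, i = ("value", words[3]), 4
            src, i = _operand(words, i)
            dst, i = _operand(words, i)
            svc, i = _operand(words, i)
            aces.append((acl_id, action, proto, src, dst, svc))
        # "description" and other lines add nothing to the match logic; skip them
    return groups, aces


def expand_group(groups, name, _stack=()):
    """Flatten a group, following nested group-object entries recursively."""
    if name in _stack:
        raise ValueError(f"object-group {name} nests itself via {_stack}")
    if name not in groups:
        raise ValueError(f"object-group {name} is not defined")
    group, values = groups[name], []
    for kind, text in group["members"]:
        if kind == "value":
            values.append(text)
        elif groups.get(text, {}).get("type") != group["type"]:
            raise ValueError(f"{text} is not a {group['type']} group; cannot nest in {name}")
        else:
            values.extend(expand_group(groups, text, _stack + (name,)))
    return values


def expand_ace(groups, ace):
    """Expand one grouped ACE into the plain ACEs that `show access-list` lists."""
    acl_id, action, *operands = ace
    columns = [expand_group(groups, t) if k == "group" else [t] for k, t in operands]
    prefix = f"access-list {acl_id} {action}"
    return [" ".join(filter(None, (prefix, *combo))) for combo in itertools.product(*columns)]


def expand_config(text):
    """Parse a config fragment and expand every ACE in it."""
    groups, aces = parse_config(text)
    return [line for ace in aces for line in expand_ace(groups, ace)]


def references(text, name):
    """Return (groups nesting `name`, ACL ids using it): check before `no object-group`."""
    groups, aces = parse_config(text)
    nested_in = [g for g, spec in groups.items() if ("group", name) in spec["members"]]
    acl_ids = [ace[0] for ace in aces if ("group", name) in ace[2:]]
    return nested_in, acl_ids


if __name__ == "__main__":
    for line in expand_config(SAMPLE_CONFIG):
        print(line)                            # 12 ACEs: 2 sources x 3 servers x 2 ports
    print(references(SAMPLE_CONFIG, "DMZ1"))   # (['ALL_DMZ'], [])
```

Run it as a script, or paste a captured "show run object-group" plus the access-list lines into expand_config() to see how many entries a grouped ACE really adds. expand_group() refuses a group that nests itself or nests a group of another type, and references() tells you whether a group is still in use by a nested group or an ACL before you remove it.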
Displaying Configured Object Groups

  firewall(config)# show running-config [all] object-group [protocol | service | network | icmp-type | id obj_grp_id]

Displays the object groups in the configuration:

  fw1# show run object-group
  object-group network DMZ1
   network-object host 192.168.1.10
   network-object host 192.168.1.12
  object-group network DMZ2
   network-object host 192.168.2.10
  object-group network ALL_DMZ
   group-object DMZ1
   group-object DMZ2
Removing Configured Object Groups

  firewall(config)# no object-group service obj_grp_id {tcp | udp | tcp-udp}

Removes a specific service object group.

  firewall(config)# no object-group {protocol | network | icmp-type} obj_grp_id

Removes a specific protocol, network, or ICMP-type object group.

  firewall(config)# clear configure object-group [{protocol | service | icmp-type | network}]

Removes all object groups, or all object groups of a specific type.

  fw1(config)# no object-group network ALL_DMZ
  fw1(config)# clear config object-group protocol
Summary

– You can group network objects, services, protocols, and ICMP message types to reduce the number of ACEs required to implement your security policy.
– The main object grouping command, the object-group command, names your object group and enables a subcommand mode for the type of object you specify.
– Members of an object group are defined in its subcommand mode.
– Hierarchical, or nested, object grouping enables greater flexibility and modularity for specifying entries within ACLs.