Cisco ASA Object Group for Access-List

This topic is to discuss the following lesson:

Hi Rene,
Don't we have to use the access-group command to apply it to the interface after we create the access-list?

Hi Georgi,

For sure, in this lesson I only showed the access-list though.

Rene

Hi Rene,

What is the difference between network object and object network?

I have found a test config that looks like this:

object network obj-10.0.32.0_20
 subnet 10.0.32.0 255.255.240.0
object network obj-10.0.52.0_22
 subnet 10.0.52.0 255.255.252.0
object network obj-10.4.0.0_24
 subnet 10.4.0.0 255.255.255.0
object network obj-10.4.32.0_24
 subnet 10.4.32.0 255.255.2
 network-object 10.0.0.0 255.255.0.0
 network-object 10.1.0.0 255.255.0.0
 network-object 172.16.32.0 255.255.255.0

What's the difference between configuring it these two ways?

Hi Asi,

The “object network” command is to configure a single object:

ASA1(config)# object network DMZ
ASA1(config-network-object)# ?

  description  Specify description text
  fqdn         Enter this keyword to specify an FQDN
  help         Help for network object configuration commands
  host         Enter this keyword to specify a single host object
  nat          Enable NAT on a singleton object
  no           Remove an object or description from object
  range        Enter this keyword to specify a range
  subnet       Enter this keyword to specify a subnet

Here you can refer to a single host or subnet. The network-object can be used within an object-group:

ASA1(config)# object-group network DMZ_SERVERS
ASA1(config-network-object-group)# ?

  description     Specify description text
  group-object    Configure an object group as an object
  help            Help for network object-group configuration commands
  network-object  Configure a network object
  no              Remove an object or description from object-group

Here you can see the “network-object” command. The object-group can be used to select multiple network objects.

Rene

Thanks Rene,

I got that, but a doubt struck me. Let's start with the configuration below:

object network TEST1
 subnet 10.0.42.0 255.255.255.0
object-group network dmz
ASA-FW01(config-network-object-group)# ?

  description     Specify description text
  group-object    Configure an object group as an object
  help            Help for network object-group configuration commands
  network-object  Configure a network object
  no              Remove an object or description from object-group
ASA-FW01(config-network-object-group)# network-object ?

  network-object-group mode commands/options:
  Hostname or A.B.C.D  Enter an IPv4 network address
  X:X:X:X::X/<0-128>   Enter an IPv6 prefix
  host                 Enter this keyword to specify a single host object
  object               Enter this keyword to specify a network object

FW01(config-network-object-group)# network-object 10.0.32.0 255.255.255.0  
FW01(config-network-object-group)# network-object object TEST1 

So my question is: when I can populate the group with this command – network-object 10.0.32.0 255.255.255.0 – why should I create a network object TEST1 and then place that object under the group with network-object object TEST1?

Hi Asi,

You don’t have to use object-groups but they can make your access-lists much easier to read. Let me give you an example:

ASA# show run | incl access-list VIRL
access-list VIRL extended permit tcp any object VIRL object-group VIRL_PORTS

The access-list above only has one line. The object called VIRL can access the ports in VIRL_PORTS. When you take a closer look, you can see there are quite a few statements:

ASA# show access-list VIRL      
access-list VIRL; 12 elements; name hash: 0xa226aadb
access-list VIRL line 1 extended permit tcp any object VIRL object-group VIRL_PORTS (hitcnt=5339) 0x34bff8c2 
  access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19399 (hitcnt=5339) 0x10a4e819 
  access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19401 (hitcnt=0) 0x28d7ccd3 
  access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19402 (hitcnt=0) 0xbd35246b 
  access-list VIRL line 1 extended permit tcp any host 192.168.1.1 range 17000 18000 (hitcnt=1) 0xe834b3a3 
  access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq www (hitcnt=44) 0x9ba2364f 
  access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19400 (hitcnt=0) 0x5a336e3c

By using object-groups, you can make your access-lists shorter and much easier to read.

Rene

ASA1(config)# access-list HTTP_TO_DMZ permit tcp any object-group WEB_SERVERS object-group DMZ_SERVICES

Hi Rene,

I have found on routers that the services object-group has to be specified before the network object-group in an ACL otherwise it throws up errors.
Is the ASA different in this respect?

Matt.

Hello Rene,

How can I add a new local/remote network (host/network) to an existing group in an existing site-to-site VPN connection on the ASA? What do I have to change in the existing configuration of the existing peer connection?

Will adding the new host/network bring the connection down, or not?

thank you

Hello Rene,

Will changing the existing object-group members drop the VPN traffic or not? If yes, what is the best way to add a new member without causing a VPN drop? Thank you, Sinan

@Matt which ACL rule did you try on the IOS router?

@Sinan adding new lines to an object group or access-list is no problem. This won’t reset any current connections or anything.

Rene, first I created two object groups:
object-group network guest.net.obj 
 description Guest IP Addresses
 range 20.1.1.50 20.1.1.254
!
object-group service guest.svc.obj 
 description Guest Services
 tcp eq 443
 tcp eq pop3
 tcp eq www
 udp eq domain
 tcp eq 67
 tcp eq 143
 tcp eq 993
 tcp eq 995
 tcp eq smtp

I then added these object groups to an ACL in the incorrect order:
R1842(config-ext-nacl)#permit object-group guest.net.obj object-group guest.svc.obj any 
Object group type mismatch                                                         ^
% Invalid input detected at '^' marker.

Going back a step:
R1842(config-ext-nacl)#permit object-group ?
  WORD Service object group name

Adding them in the correct order:
R1842(config-ext-nacl)#permit object-group guest.svc.obj object-group guest.net.obj any
R1842(config-ext-nacl)#

It seems with routers that the service object-group must be added before the network object-group. This caused me great frustration when I first started using object-groups. My router is an 1841 running c1841-adventerprisek9-mz.151-4.M10.bin

Hi Matt,

I see what you mean. Normally the format of an extended access-list statement looks like this:

So it kind of makes sense to use the service object group at the beginning, since you specify the protocol with it. The big difference is that it also includes the port numbers, which we normally put at the end of the statement.

Rene

Hello Rene,

I came across a couple of complex ACLs lately and it took me a while to figure out their meaning. I thought it would be worth mentioning some of these in your courses.

object-group service MyProto
service-object tcp destination eq 80
service-object tcp-udp destination eq 9100
service-object tcp-udp destination range 34322 34325
service-object tcp source eq 389

access-list Access_in extended permit object-group MyProto object-group My_hosts_1 object-group My_hosts_2 log

In that example, all services were listed together, including different protocols, destination port or source port. These allowed services were then used in access-lists, between source and destination host groups. The command formatting was really odd…

Cheers.

Hi Jeff,

These can be difficult to read if you find them in the running configuration. If you use the show access-list command, you can see the exact statements that are in effect. For example:

access-list Access_in extended permit object-group MyProto object-group My_hosts_1 object-group My_hosts_2 log

Looks like:

ASA1(config)# show access-list Access_in
access-list Access_in; 24 elements; name hash: 0x49ffabc6
access-list Access_in line 1 extended permit object-group MyProto object-group My_hosts_1 object-group My_hosts_2 log informational interval 300 (hitcnt=0) 0x20b02f98 
  access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.3 eq www log informational interval 300 (hitcnt=0) 0x7003edd0 
  access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.4 eq www log informational interval 300 (hitcnt=0) 0xa57780eb 
  access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.3 eq www log informational interval 300 (hitcnt=0) 0x2635cf29 
  access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.4 eq www log informational interval 300 (hitcnt=0) 0x9d5c28eb 
  access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.3 eq 9100 log informational interval 300 (hitcnt=0) 0xb6038e1e 
  access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.4 eq 9100 log informational interval 300 (hitcnt=0) 0xe1b23888 
  access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.3 eq 9100 log informational interval 300 (hitcnt=0) 0x3e748362 
  access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.4 eq 9100 log informational interval 300 (hitcnt=0) 0x013364af 
  access-list Access_in line 1 extended permit udp host 192.168.1.1 host 192.168.1.3 eq 9100 log informational interval 300 (hitcnt=0) 0xbefad335 
  access-list Access_in line 1 extended permit udp host 192.168.1.1 host 192.168.1.4 eq 9100 log informational interval 300 (hitcnt=0) 0xf5b22b90 
  access-list Access_in line 1 extended permit udp host 192.168.1.2 host 192.168.1.3 eq 9100 log informational interval 300 (hitcnt=0) 0xa6e822bb 
  access-list Access_in line 1 extended permit udp host 192.168.1.2 host 192.168.1.4 eq 9100 log informational interval 300 (hitcnt=0) 0xabd4e176 
  access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.3 range 34322 34325 log informational interval 300 (hitcnt=0) 0xcccf50dd 
  access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.4 range 34322 34325 log informational interval 300 (hitcnt=0) 0xd92fc437 
  access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.3 range 34322 34325 log informational interval 300 (hitcnt=0) 0x848377f0 
  access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.4 range 34322 34325 log informational interval 300 (hitcnt=0) 0xc0e4b258 
  access-list Access_in line 1 extended permit udp host 192.168.1.1 host 192.168.1.3 range 34322 34325 log informational interval 300 (hitcnt=0) 0x1b0e1b45 
  access-list Access_in line 1 extended permit udp host 192.168.1.1 host 192.168.1.4 range 34322 34325 log informational interval 300 (hitcnt=0) 0xc3caafb1 
  access-list Access_in line 1 extended permit udp host 192.168.1.2 host 192.168.1.3 range 34322 34325 log informational interval 300 (hitcnt=0) 0xacf16561 
  access-list Access_in line 1 extended permit udp host 192.168.1.2 host 192.168.1.4 range 34322 34325 log informational interval 300 (hitcnt=0) 0xbe05fae2 
  access-list Access_in line 1 extended permit tcp host 192.168.1.1 eq ldap host 192.168.1.3 log informational interval 300 (hitcnt=0) 0x83280655 
  access-list Access_in line 1 extended permit tcp host 192.168.1.1 eq ldap host 192.168.1.4 log informational interval 300 (hitcnt=0) 0xde224e26 
  access-list Access_in line 1 extended permit tcp host 192.168.1.2 eq ldap host 192.168.1.3 log informational interval 300 (hitcnt=0) 0xf97b1cec 
  access-list Access_in line 1 extended permit tcp host 192.168.1.2 eq ldap host 192.168.1.4 log informational interval 300 (hitcnt=0) 0xcbbd37bd

Here are the two object-groups that I created for this example:

ASA1(config)# show run object-group | begin My_hosts  
object-group network My_hosts_1
 network-object host 192.168.1.1
 network-object host 192.168.1.2
object-group network My_hosts_2
 network-object host 192.168.1.3
 network-object host 192.168.1.4

Rene
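Both of Rene's `show access-list` outputs above (the 12-element VIRL entry and the 24-element Access_in entry) come from the same mechanism: the ASA expands one object-group ACE into the cross product of every service, source and destination element. The script below is an added example, not code from the page or from Cisco. It models only the object-group syntax used in this thread (network groups with host entries, service groups with `service-object` lines), embeds a constructed copy of the My_hosts/MyProto configuration, and reproduces the order and element count of the output Rene pasted. The port-name table is a deliberately partial assumption.

```python
"""Expand a Cisco ASA access-list entry that references object-groups into the
per-flow elements that `show access-list` prints.

Added example, not code from the page or from Cisco. It models only the syntax
used in the thread: object-group network with host/subnet entries and
object-group service with service-object lines."""
from itertools import product
import re

# Constructed configuration, shaped after the thread's My_hosts example.
CONFIG = """
object-group service MyProto
 service-object tcp destination eq 80
 service-object tcp-udp destination eq 9100
 service-object tcp-udp destination range 34322 34325
 service-object tcp source eq 389
object-group network My_hosts_1
 network-object host 192.168.1.1
 network-object host 192.168.1.2
object-group network My_hosts_2
 network-object host 192.168.1.3
 network-object host 192.168.1.4
"""

# Assumption: a partial table of well-known port names, since the ASA prints
# names such as www and ldap instead of numbers.
PORT_NAMES = {"80": "www", "389": "ldap", "443": "https", "25": "smtp"}


def parse_object_groups(text):
    """Return {name: (kind, [body lines])} for each object-group stanza."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"object-group (network|service) (\S+)$", line)
        if m:
            current = m.group(2)
            groups[current] = (m.group(1), [])
        elif current is not None:
            groups[current][1].append(line)
    return groups


def network_elements(body):
    """Render network-object entries the way show access-list prints them."""
    out = []
    for line in body:
        parts = line.split()
        if parts[0] != "network-object":
            continue
        # 'host A.B.C.D' stays as is; 'A.B.C.D MASK' is a subnet entry.
        out.append(" ".join(parts[1:]))
    return out


def service_elements(body):
    """Return (protocol, source clause, destination clause) tuples.
    tcp-udp fans out into one tcp and one udp element, as in the ASA output."""
    out = []
    for line in body:
        parts = line.split()
        if parts[0] != "service-object":
            continue
        protos = ["tcp", "udp"] if parts[1] == "tcp-udp" else [parts[1]]
        src = dst = ""
        if len(parts) > 3:
            clause = " ".join(PORT_NAMES.get(t, t) for t in parts[3:])
            if parts[2] == "destination":
                dst = clause
            elif parts[2] == "source":
                src = clause
        out.extend((p, src, dst) for p in protos)
    return out


def expand_ace(action, svc_group, src_group, dst_group, groups):
    """Cross product service x source x destination, in ASA display order."""
    svcs = service_elements(groups[svc_group][1])
    srcs = network_elements(groups[src_group][1])
    dsts = network_elements(groups[dst_group][1])
    elements = []
    for (proto, sport, dport), src, dst in product(svcs, srcs, dsts):
        pieces = [action, proto, src]
        if sport:               # source port clause sits after the source
            pieces.append(sport)
        pieces.append(dst)
        if dport:               # destination port clause ends the element
            pieces.append(dport)
        elements.append(" ".join(pieces))
    return elements


def expand_example():
    """Expand the constructed Access_in entry from the thread."""
    return expand_ace("permit", "MyProto", "My_hosts_1", "My_hosts_2",
                      parse_object_groups(CONFIG))


if __name__ == "__main__":
    for i, element in enumerate(expand_example(), 1):
        print(f"{i:2d}: {element}")
```

Running it lists 24 elements: 6 service elements (the two `tcp-udp` lines count twice) times 2 sources times 2 destinations, in the same order as Rene's output. This is the calculation to keep in mind before adding entries to a large group: every new member multiplies the element count, and it is the expanded elements, not the single ACE, that the firewall evaluates and that `show access-list` hit counters are reported against.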

Hi Rene,

I have a doubt about the ASA lesson. You said traffic from a higher security level is allowed to go to a lower security level, but not from a lower to a higher security level. So how is it possible for return traffic, which comes from the lower to the higher level, to flow?
Please explain.

Hi Bhargavi,

When the ASA sees “new” (originated) traffic from a high security level then it will forward it to lower security level interfaces. The return traffic is automatically permitted.

“new” traffic from a low security level to a higher security level is dropped.

Rene
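The behaviour Rene describes is stateful inspection: the first packet of a flow is judged by the security levels of the interfaces involved, and once a flow is accepted its return packets match the connection entry rather than being judged again. The toy model below is an added example, not code from the page or from Cisco; the interface names, security levels, prefixes and packets are constructed, and ACLs, NAT and TCP state tracking are deliberately left out so that only the high-to-low rule and the return-traffic match are visible.

```python
"""Toy model of the ASA default security-level behaviour described above.

Added example, not the page's or Cisco's code. A new flow from a higher to a
lower security level is permitted and recorded; packets matching a recorded
flow in either direction are permitted; a new flow from a lower to a higher
level is dropped. Equal security levels are not modelled here."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulFirewall:
    # Constructed interface table: name -> (security level, attached prefix).
    interfaces: dict
    conn_table: set = field(default_factory=set)

    def level_of(self, ip):
        """Security level of the interface whose prefix contains ip."""
        for level, prefix in self.interfaces.values():
            if ip_address(ip) in ip_network(prefix):
                return level
        raise ValueError(f"no interface for {ip}")

    def process(self, pkt):
        """Return a verdict string and update the connection table."""
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.conn_table or reverse in self.conn_table:
            # Return (or repeated) traffic of a known flow is not re-evaluated.
            return "permit-existing"
        if self.level_of(pkt.src) > self.level_of(pkt.dst):
            self.conn_table.add(forward)
            return "permit-new"
        return "drop-new"


def run_demo():
    """Three constructed packets exercising each branch, in order."""
    fw = StatefulFirewall({
        "inside":  (100, "10.0.0.0/24"),
        "outside": (0,   "203.0.113.0/24"),
    })
    packets = [
        # 1. inside host opens an HTTPS session to an outside server
        Packet("tcp", "10.0.0.10", 40000, "203.0.113.5", 443),
        # 2. the server's reply, low -> high, but it matches the recorded flow
        Packet("tcp", "203.0.113.5", 443, "10.0.0.10", 40000),
        # 3. an unrelated outside host tries to open SSH to the inside host
        Packet("tcp", "203.0.113.9", 5555, "10.0.0.10", 22),
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The second packet is permitted only because the first one was recorded; run the same three packets with the first one removed and the reply is dropped as a new low-to-high flow. That is also why the earlier answer about editing object-groups holds: the connection table, not the ACL text, decides the fate of packets belonging to established flows.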

Hi Rene

Can this also be done via ASDM?
I work on Palo Alto firewalls and Netscreen, and I find using the GUI easier than the CLI.

Thank you

Do I need to create 5 different NAT statements to allow outside to DMZ?

Hello Ankit

It is possible to configure multiple IP addresses for NAT translation statically to multiple internal services using Policy static NAT. However, unless you exclusively require it, it is always a good idea to have a separate NAT statement for each statically defined NAT translation. This is a cleaner and more understandable configuration.

I hope this has been helpful!

Laz