Cisco ASA Object Group for Access-List

Hi Rene,

I have a small query…
How can we configure a list of sequential hosts (192.168.1.34 to 192.168.1.65) in an object group?
We can't use a specific mask like /27 in this case…

Can you please help?

Hello Vijay

You can create a network object that specifies a specific range of addresses like so:

ASA1(config)# object network my_range
ASA1(config-network-object)# range 192.168.1.0 192.168.1.20
ASA1(config-network-object)# exit

You can then create an object group that references that object like so:

ASA1(config)# object-group network range_group
ASA1(config-network-object-group)# network-object object my_range
ASA1(config-network-object-group)# exit
ASA1(config)# 

I hope this has been helpful!

Laz

2 Likes
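Why a single mask cannot express 192.168.1.34 to 192.168.1.65, and what the range object buys you, can be checked offline. The following is an added Python example, not part of the original thread and not ASA code; it uses only the standard library ipaddress module. It decomposes the range into the CIDR blocks that cover it exactly, finds the smallest single prefix that would contain both ends (the mask one would be tempted to use instead), counts how many extra hosts that mask would let through, and tests membership the way an ASA "range first last" network object does. The range values are the ones from the question; every other input is constructed for the example.

```python
import ipaddress

# Constructed example input: the range asked about in the question.
FIRST = "192.168.1.34"
LAST = "192.168.1.65"


def cidr_blocks_for_range(first: str, last: str) -> list:
    """Return the minimal list of CIDR blocks that exactly cover first..last inclusive.

    One block means a plain 'subnet' network object would do; more than one
    means you need a 'range' object (or several network-objects in a group).
    """
    a = ipaddress.ip_address(first)
    b = ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]


def smallest_covering_prefix(first: str, last: str) -> str:
    """Return the longest-prefix single CIDR block that still contains both ends.

    This is what you get by forcing the range into one mask; it is only exact
    when the range happens to be block-aligned, otherwise it over-permits.
    """
    a = ipaddress.ip_address(first)
    b = ipaddress.ip_address(last)
    for plen in range(a.max_prefixlen, -1, -1):
        net = ipaddress.ip_network(f"{a}/{plen}", strict=False)
        if b in net:
            return str(net)
    raise ValueError("unreachable: prefix length 0 contains every address")


def over_permitted_addresses(first: str, last: str) -> int:
    """How many addresses a single covering mask would permit beyond the range itself."""
    net = ipaddress.ip_network(smallest_covering_prefix(first, last))
    wanted = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
    return net.num_addresses - wanted


def in_range_object(first: str, last: str, candidate: str) -> bool:
    """Membership test equivalent to an ASA 'range first last' network object (inclusive)."""
    c = int(ipaddress.ip_address(candidate))
    return int(ipaddress.ip_address(first)) <= c <= int(ipaddress.ip_address(last))


if __name__ == "__main__":
    print("exact cover of the range:", cidr_blocks_for_range(FIRST, LAST))
    print("single mask that contains it:", smallest_covering_prefix(FIRST, LAST))
    print("extra hosts that mask would permit:", over_permitted_addresses(FIRST, LAST))
    for ip in ("192.168.1.33", "192.168.1.34", "192.168.1.65", "192.168.1.66"):
        print(ip, "matches the range object:", in_range_object(FIRST, LAST, ip))
```

A range that happens to be block-aligned (192.168.1.32 to .63) comes back as one /27 with no excess, which is exactly the case where a subnet object suffices; the asked-for .34 to .65 needs five blocks, and squeezing it into one mask (192.168.1.0/25) would permit 96 addresses the requester never intended to allow.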

ASA1(config)# access-list ALL_OUTBOUND permit udp any host 192.168.2.2 eq 53

In this line we permit the inside and DMZ networks, connected to the outside zone, to reach IP 192.168.2.2 with the DNS protocol.

ASA1(config)# access-list ALL_OUTBOUND deny udp any any eq 53

And now, what does this line mean? Is this a restriction for our networks (DMZ and inside) so that they couldn't connect to this IP with another protocol?

ASA1(config)# access-list ALL_OUTBOUND permit ip any any

What does this line permit?

I'm confused, what is the difference between line 1 and line 2?

Please, help me understand.

Hello Teymur

I'm not sure which lesson these commands come from, but in any case, I'll explain each one for you:

ASA1(config)# access-list ALL_OUTBOUND permit udp any host 192.168.2.2 eq 53

This access list will permit UDP traffic using port 53 (DNS) from any source to a destination of 192.168.2.2. If this destination is reached via the OUTSIDE interface, and if the ACL is applied outbound on that interface, then only DNS traffic to that particular destination is allowed.

Now, remember that there is an explicit deny any any at the end of all extended access lists. If that was the only entry in the ACL, then only that traffic would be allowed, and everything else would not be permitted.

But because it seems that only the DNS traffic is to be restricted, the next entry in the ACL does just that:

ASA1(config)# access-list ALL_OUTBOUND deny udp any any eq 53

This entry will block all DNS traffic to any other destination. So this entry, together with the one before it, restricts DNS traffic to a single DNS server only, which is at 192.168.2.2.

Now if we left it at that, all the rest of the traffic would also be denied due to the explicit deny any any entry mentioned before. And this is why we need the third entry of:

ASA1(config)# access-list ALL_OUTBOUND permit ip any any

Now this will allow everything! So by placing the three commands in this particular order, any DNS traffic destined for 192.168.2.2 will be allowed, any DNS traffic to any other address will be filtered out, and all other traffic of all types to all destinations will also be allowed.

I hope this has been helpful!

Laz

1 Like
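The first-match walk-through above, including the deny that applies when no entry matches, can be modelled in a few lines. The following is an added Python example, not part of the original thread and not ASA code or output; it parses the three ACEs exactly as posted (a subset of ASA syntax: any, host A.B.C.D and network-plus-netmask addresses, with an optional destination eq port) and evaluates constructed flows from a hypothetical inside host 10.1.1.5 against them, both in the posted order and with the deny entry moved first. It also shows one caveat worth knowing before the next post's discussion of tcp-udp service groups: because the deny entry names only UDP, DNS over TCP port 53 to any other server still falls through to the final permit ip any any.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three ACEs from the question, in the order explained above (constructed input).
ACL_LINES = [
    "access-list ALL_OUTBOUND permit udp any host 192.168.2.2 eq 53",
    "access-list ALL_OUTBOUND deny udp any any eq 53",
    "access-list ALL_OUTBOUND permit ip any any",
]

# ASA also accepts well-known port names; only the ones needed here are mapped.
PORT_NAMES = {"domain": 53, "www": 80, "https": 443}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' at tokens[i].

    Returns the network and the number of tokens consumed. ASA ACLs use real
    netmasks here, not the IOS wildcard-mask notation.
    """
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), 2


def parse_ace(line: str) -> Ace:
    """Parse the subset 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    i = 2
    if t[i] == "extended":
        i += 1
    action, proto = t[i], t[i + 1]
    i += 2
    src, used = _parse_addr(t, i)
    i += used
    dst, used = _parse_addr(t, i)
    i += used
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


def matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """True when the flow falls inside the ACE; 'ip' in the ACE matches any protocol."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ace.src or ipaddress.ip_address(dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == dport


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int]) -> Tuple[str, int]:
    """First-match evaluation: returns (action, 1-based ACE number) for the first
    matching entry, or ("deny", 0) when nothing matched, which models the deny
    that applies at the end of every ASA access list."""
    for n, ace in enumerate(acl, start=1):
        if matches(ace, proto, src, dst, dport):
            return ace.action, n
    return "deny", 0


if __name__ == "__main__":
    acl = [parse_ace(line) for line in ACL_LINES]
    # Constructed flows; 203.0.113.53 stands in for "some other DNS server".
    flows = [
        ("udp", "10.1.1.5", "192.168.2.2", 53),    # DNS to the permitted server
        ("udp", "10.1.1.5", "203.0.113.53", 53),   # DNS to any other server
        ("tcp", "10.1.1.5", "203.0.113.10", 443),  # ordinary HTTPS
        ("tcp", "10.1.1.5", "203.0.113.53", 53),   # DNS over TCP: the deny covers only UDP
    ]
    for label, ordered in (("as posted", acl), ("deny moved first", [acl[1], acl[0], acl[2]])):
        print(label)
        for flow in flows:
            print("  ", flow, "->", evaluate(ordered, *flow))
```

With the deny entry moved ahead of the permit, the DNS flow to 192.168.2.2 is denied on line 1 and never reaches the permit, which is the ordering point the answer makes; with only the first entry present, the HTTPS flow hits the implicit deny (returned here as line 0).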

Hello Rene,
Sorry, I don't have an emulator to practice on, so after reading the views above I am a little confused.
If I want to accept, for example, destination tcp(53) & udp(53) at the same time,
can I only configure:

object-group service DNS
tcp eq 53
udp eq 53
access-list OUT-DNS-IN object OUTSIDE object INSIDE object-group DNS
Or can I use the grammar below, or can I only choose one of them (tcp or udp)?
object-group service [DNS] tcp
port-object eq 53
object-group service [DNS] udp
port-object eq 53

Hello Lin

One option would be to create an object like so:

ASA(config)# object-group service DNS
ASA(config-service-object-group)# service-object tcp destination eq 53
ASA(config-service-object-group)# service-object udp destination eq 53
ASA(config-service-object-group)# exit
ASA(config)#

The alternative would be to create two different objects like so:

ASA(config)# object-group service DNS-tcp tcp
ASA(config-service-object-group)# port-object eq 53
ASA(config-service-object-group)# exit
ASA(config)# object-group service DNS-udp udp
ASA(config-service-object-group)# port-object eq 53
ASA(config-service-object-group)# exit

And then call both objects.

However, the goal of object groups is to make configurations as concise as possible. That's why Cisco also has the option of specifying both TCP and UDP like so:

ASA(config)# object-group service DNS
ASA(config-service-object-group)# service-object tcp-udp destination eq 53
ASA(config-service-object-group)# exit
ASA(config)#

The same is possible with the following command as well

ASA(config)# object-group service DNS tcp-udp
ASA(config-service-object-group)# port-object eq 53
ASA(config-service-object-group)# exit

The tcp-udp keyword uses both protocols simultaneously.

I hope this has been helpful!

Laz

Hi,
One more question about the options protocol and service: are they the same function?
And is there any other way, or other tools, to practice ASA? My GNS3 can't work with ASA.bin.

Hello TE-EN LIN

The protocol option allows you to define a group of protocols. The options provided can be seen below:

myASA(config)# object-group protocol PROTOCOLGROUP
myASA(config-protocol-object-group)# ?

  description      Specify description text
  group-object     Configure an object group as an object
  help             Help for protocol object-group configuration commands
  no               Remove an object or description from object-group
  protocol-object  Configure a protocol object

myASA(config-protocol-object-group)# protocol-object ?

protocol-object-group mode commands/options:
  <0-255>  Enter protocol number (0 - 255)
  ah
  eigrp
  esp
  gre
  icmp
  icmp6
  igmp
  igrp
  ip
  ipinip
  ipsec
  nos
  ospf
  pcp
  pim
  pptp
  sctp
  snp
  tcp
  udp
myASA(config-protocol-object-group)# protocol-object

You can see protocol groups include various mechanisms including icmp, gre, eigrp, ipsec, ip, and so on.

Now if you use the service option, you can define a mixed group of services. It is somewhat more powerful than the protocol keyword. Indeed Cisco recommends you use the service option rather than the protocol option.

Take a look at this command reference for more information:

I hope this has been helpful!

Laz