topic You're welcome. I'm glad it in Network Security

Access list with multiple object groups

Jason Flory — Tue, 12 Mar 2019 02:33:44 GMT

Hello Everyone,

I am using a cisco ASA 5525 with 8.6 code. I am trying to setup access list for oubound access meaning hosts accessing the internet. I have created an access list called outbound_access and did "access-groupc outbound_access in interface inside "

I am trying to use object-groups where ever i can. Here is an example.

object-group service obj_Meraki_outbound

service-object tcp destination eq 443

service-object tcp destination eq 80

service-object tcp destination eq 7734

service-object tcp destination eq 7752

service-object udp destination eq 7351

object-group network obj_Meraki_lan

network-object 10.2.11.0 255.255.255.240

network-object 10.5.11.0 255.255.225.240

object-group network obj_Meraki_pub

des This group lists all hosts associated with Meraki.

network-object host 64.156.192.154

network-object host 64.62.142.12

network-object host 64.62.142.2

network-object host 74.50.51.16

network-object host 74.50.56.218

object-group service obj_Meraki_outbound
service-object tcp destination eq 443
service-object tcp destination eq 80
service-object tcp destination eq 7734
service-object tcp destination eq 7752
service-object udp destination eq 7351

object-group network obj_Meraki_lan
network-object 10.x.x.x 255.255.255.240
network-object 10.x.x.x 255.255.225.240

object-group network obj_Meraki_pub
des This group lists all hosts associated with Meraki.
network-object host 64.156.192.154
network-object host 64.62.142.12
network-object host 64.62.142.2
network-object host 74.50.51.16
network-object host 74.50.56.218

I have tried tying all these groups together in multiple ways but cannot figure out how to do this. This what i think it should be "access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub"

What i want is the use the service objects and the source network would be obj_Meraki_lan and destination would be obj_Meraki_pub. It seems the rules completely change when you use object groups. Can someone explain this maybe with a few examples. I am already using object groups in many acls but not for every element.

Thanks

Access list with multiple object groups

Jouni Forss — Wed, 04 Sep 2013 06:27:16 GMT

Hi,

Could you provide us with the "show accesslist outbound_access" output and also the output of "show run access-group"

It just that it seems that the above configuration should be fine.

- Jouni

Access list with multiple object groups

Marius Gunnerud — Wed, 04 Sep 2013 20:12:03 GMT

The issue you are running into is that you are defining ports where you should be defining which protocol to use

access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub

object-group service obj_Meraki_outbound

service-object tcp destination eq 443

service-object tcp destination eq 80

service-object tcp destination eq 7734

service-object tcp destination eq 7752

service-object udp destination eq 7351

you can either specify the protocol independently or you can use an object-group for it.

object-group protocol PROTOCOLS

protocol-object tcp

protocol-object udp

Then use this in the ACL and place the obj_Meraki_outbound at the end of the ACL...if these are to be destination ports.

access-list outbound_access extended permit object-group PROTOCOLS object-group obj_Meraki_lan object-group obj_Meraki_pub object-group obj_Meraki_outbound

Re: Access list with multiple object groups

Jouni Forss — Wed, 04 Sep 2013 20:16:09 GMT

Hi,

The version he posted also works.

The "object-group" he uses specifies both protocol and port.

Example from my firewall

access-list outbound_access line 1 extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub (hitcnt=0) 0x7c4d1265

access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq https (hitcnt=0) 0x18a14951

access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.62.142.12 eq https (hitcnt=0) 0x127ea116

access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.62.142.2 eq https (hitcnt=0) 0x842644a4

access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 74.50.51.16 eq https (hitcnt=0) 0x1aba7005

- Jouni

Re: Access list with multiple object groups

Marius Gunnerud — Wed, 04 Sep 2013 20:20:05 GMT

Interesting. Everytime I have tried it the way he mentions, I have never gotten it to work. The ASA takes the commands but the ACL is never matched. I see you have 0 hits on the ACL... have you tried generating traffic to see if it is matched?

Re: Access list with multiple object groups

Jouni Forss — Wed, 04 Sep 2013 20:25:40 GMT

Hi,

Seems to work on my test ASA

Attached it to my current LAN interface.

ASA(config)# packet-tracer input LAN tcp 10.2.11.1 12345 64.156.192.154 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 WAN

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outbound_access in interface LAN

access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub

object-group service obj_Meraki_outbound

service-object tcp destination eq https

service-object tcp destination eq www

service-object tcp destination eq 7734

service-object tcp destination eq 7752

service-object udp destination eq 7351

object-group network obj_Meraki_lan

network-object 10.2.11.0 255.255.255.240

network-object 10.5.11.0 255.255.255.240

object-group network obj_Meraki_pub

description: This group lists all hosts associated with Meraki.

network-object host 64.156.192.154

network-object host 64.62.142.12

network-object host 64.62.142.2

network-object host 74.50.51.16

network-object host 74.50.56.218

Additional Information:

access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq www (hitcnt=1) 0x4d812691

Also have used such configuration in some special cases where the customer has insisted on allow specific TCP/UDP ports between multiple networks. And nothing is stopping from adding ICMP into the "object-group service" also.

- Jouni

Access list with multiple object groups

Jason Flory — Wed, 04 Sep 2013 22:36:10 GMT

Thanks Guys

Yeah i was wondering about specifying type of protocol but as you see my object-group has both TCP and UDP. But it looks like you have addressed that as well.

Im going to give this a shot. I will post back with results.

One other question. These ACLs are for outbound traffic to internet and just want to make sure that I should place the ACL on the inside interface. Is this correct?

Access list with multiple object groups

Jouni Forss — Wed, 04 Sep 2013 22:59:22 GMT

Hi,

Usually you will have INBOUND ACL on each interface controlling traffic.

So if we take a simple example with interfaces "inside" , "dmz" and "outside" then we would usually configure an ACL for each interface and attached it with the "access-group" command in the direction "in" to the interface.

These ACLs will essentially control traffic entering that interface from networks that are located behind that interface. So for example "inside" interfaces ACL in this case would control traffc heading from "inside" towards any other interface (and the networks behind it) on the firewall.

In the same way an ACL attached to the "outside" interface in the direction "in" will control all traffic coming from the external network towards your local networks.

So yes, you should control traffic bound to Internet on the LAN/DMZ interfaces with an ACL attached to the direction "in".

- Jouni

Access list with multiple object groups

Jason Flory — Wed, 04 Sep 2013 23:00:05 GMT

So I tried the above

access-list outbound_access extended permit object-group Protocols object-group obj_Meraki_lan object-group obj_Meraki_pub object-group obj_Meraki_outbound

object-group protocol Protocols

protocol-object TCP

protocol-object UDP

It is still barking at me. Says ob_Meraki_oubound is not a service type which of course it is. I am looking at other examples of ACLs when using enhanced object groups and it seems the service-objects do not go at the end like normal. See this https://supportforums.cisco.com/thread/2063088 When ever i see object-groups being used for service object is goes right after permit protocol type is not required.

Access list with multiple object groups

Jason Flory — Wed, 04 Sep 2013 23:02:15 GMT

This format worked. At least the ASA accepted the acl.

access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub.

I wonder why they change the complete structure of the ACL when you use service objects. AHHG

Re: Access list with multiple object groups

Marius Gunnerud — Thu, 05 Sep 2013 19:34:44 GMT

Hi Jason,

Change the obj_Meraki_outbound object to the following and try again please. (notice the TCP-UDP keyword at the end of the object-group statement)

object-group service obj_Meraki_outbound tcp-udp

service-object tcp destination eq https

service-object tcp destination eq www

service-object tcp destination eq 7734

service-object tcp destination eq 7752

service-object udp destination eq 7351

access-list outbound_access extended permit object-group PROTOCOLS object-group obj_Meraki_lan object-group obj_Meraki_pub object-group obj_Meraki_outbound

You can't define a protocol

Jesse Peden — Thu, 23 Apr 2015 19:26:22 GMT

You can't define a protocol on the object-group and then use service-object entries; if you want to define tcp-udp you will have to use port-object instead of service-object.

Example:

object-group service obj_Meraki_outbound tcp-udp

port-object eq https

port-object eq www

port-object eq 7734

port-object eq 7752

port-object eq 7351

Jesse, funny how your

emeka.ibeto — Tue, 07 Jun 2016 12:42:28 GMT

Jesse, funny how your contribution helped me solve my problem which is slightly different from Jason's problem.

The problem I had was not being able to go beyond:

ASA(config)# access-list problem extended permit object-group services ?

configure mode commands/options:
<cr>
ASA(config)# access-list problem extended permit object-group services

Your message made me look again at my service object group configuration:

object-group service services tcp
port-object range 3000 3500
port-object range 10000 10500

I went ahead to reconfigure it like so:

object-group service services
service-object tcp destination range 3000 3500
service-object tcp destination range 10000 10500

Straight away, I was able to complete the access-list command and apply it.

ASA(config)# access-list problem extended permit object-group services object-group ip1 object-group ip2
ASA(config)#

Thanks guys!

You're welcome. I'm glad it

Jesse Peden — Tue, 07 Jun 2016 13:33:18 GMT

You're welcome. I'm glad it helped to resolve your problem.