topic object-group with network-object containing an IP address range in Network Security

object-group with network-object containing an IP address range

john4665cisco — Tue, 12 Mar 2019 01:25:22 GMT

Hello,

Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':

object-group network test

network-object 192.168.0.0 192.168.63.255

network-object-group mode commands/options:

A.B.C.D Enter an IPv4 network mask

sh run ob id test

object-group network test

network-object 192.168.0.0 192.168.63.255

I found that in the documentation it requires a netmask as oppose to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range it looks like the ASA doesn't read that configuration properly. Thank you.

-John

object-group with network-object containing an IP address range

john4665cisco — Tue, 09 Apr 2013 04:58:13 GMT

Hello,

Just to clarify my findings. Applying the range of IP addresses:

192.168.0.0 192.168.63.255

to a network-object that resides in an object-group applied to an access list that denies this range, the ASA allows it through:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: testdmz

output-status: up

output-line-status: up

Action: allow

When applying the range with a netmask:

192.168.0.0 255.255.192.0

The ASA drops it as expected:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: testdmz

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Hope this clears up my question, thank you.

-John

Re: object-group with network-object containing an IP address ra

Jouni Forss — Tue, 09 Apr 2013 05:57:56 GMT

Hi.

I am not sure if I missed something but to my understanding there is no option to define a range of IP addresses under the "object-group network".

In the newer softwares you can define an "object network" inside which you can enter a range of IP addresses. This is totally different than the "object-group network". The "object network" became available in the software 8.3(1)

Though it seems you can still enter the mentioned configuration under the "object-group network" in the new software but it wouldnt really make sense.

- Jouni

object-group with network-object containing an IP address range

Julio Carvajal — Tue, 09 Apr 2013 05:58:11 GMT

Hello John,

When you say range of IP addresses do you mean you used the keyword range or you just did it as you showed on the first post as that is incorrect?

Regards

Re: object-group with network-object containing an IP address ra

john4665cisco — Tue, 09 Apr 2013 07:13:03 GMT

Hello,

Thank you for your replies. In code version 8.0(5)23, it appears I am able to define a "range" of IP addresses as in:

192.168.0.0 192.168.63.255 as opposed to defining a range with a netmask like 192.168.0.0 255.255.192.0.

With the "range" of IP address applied to the "object-group network test" with sub command "network-object 192.168.0.0 192.168.63.255" the ASA does not pick up on said "range" when this object group is applied to a DENY access list. It only reads it properly when the netmask is attached, which is the correct configuration, as in: "network-object 192.168.0.0 255.255.192.0".

To clarify, I mean range as in 192.168.0.0 - 192.168.63.255.

Hope this helps to understand. I am just curious as to why this is even able to be applied in such a way or if it is a bug in this particular code version? I can also confirm that this can be done in code version 8.4(2). See below snippets of my configuration in the 8.4(2) code version:

access-list 101 line 3 extended deny ip object-group testmask any 0x577f55a8

access-list 101 line 3 extended deny ip 192.168.0.0 192.168.63.255 any (hitcnt=0) 0x0623b0c4

access-list 101 line 4 extended permit tcp any any eq 89 (hitcnt=1) 0x36f1e5cd

Packet trace results in allowing the "range" of IP address:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: dmztest

output-status: up

output-line-status: up

Action: allow

Now with the "correct" configuration:

access-list 101 line 3 extended deny ip object-group testmask any 0x577f55a8

access-list 101 line 3 extended deny ip 192.168.0.0 255.255.192.0 any (hitcnt=1) 0xa31c6bbd

access-list 101 line 4 extended permit tcp any any eq 89 (hitcnt=1) 0x36f1e5cd

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: dmztest

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Thank you.

-John

Re: object-group with network-object containing an IP address ra

Jouni Forss — Tue, 09 Apr 2013 07:27:32 GMT

Hi,

I dont know if its a bug or if it was intentionally allowed. Either way, using such configuration under and "object-group" wouldnt make sense

The Command Reference states that its expecting a network address as the first parameter and the network mask as the second parameter

ASA(config-network-object-group)# network-object ?

network-object-group mode commands/options:

Hostname or A.B.C.D Enter an IPv4 network address

ASA(config-network-object-group)# network-object 192.168.0.0 ?

network-object-group mode commands/options:

A.B.C.D Enter an IPv4 network mask

Heres a link to the command "network-object" for ASA software 8.0

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1749092

- Jouni