https://community.cisco.com/t5/network-security/acl-and-object-groups/m-p/2186787#M360848 <P>Hi, </P><P></P><P> I need help on clarifying how ACLs and object-groups work. I don't have extensive firewall knowledge so I'll try to explain it as clear as possible. </P><P></P><P> I have read that basically everything can be an object-group (e.g. "object-group network" "object-group protocol""object-group service", etc). Now, how do you apply that to an ACL. </P><P></P><P> Let's say I have two subnets and two ports and I do the following:</P><P></P><P> object-group network Subnet</P><P> network-object 192.168.10.0 /24</P><P> network-object 192.168.12.0 /24</P><P></P><P> object-group service Port</P><P> port-object 3333</P><P> port-object 4444</P><P></P><P> access-list dmz2_in permit tcp Subnet 172.16.10.0 255.255.255.0 eq Port</P><P> access-list inside_in permit tcp 172.16.10.0 255.255.255.0 Subnet eq Port</P><P></P><P> Are those ACLs valid? </P><P>If the 10 subnet is associated with port 3333 and the 12 is with 4444, wouldn't this create security concerns since now I can try to access port 4444 from the 10 subnet as well?</P><P>Can I also use an "object-group protocol" and replace tcp with it? </P><P>How do you configure your ASA to keep it readable? </P><P></P><P> I have a few more questions but I want to start by this since I am not sure if I am making sense or not. </P><P></P><P> Thanks in advance. RG</P> Tue, 12 Mar 2019 01:09:30 GMT Limitless1801 2019-03-12T01:09:30Z https://community.cisco.com/t5/network-security/acl-and-object-groups/m-p/2186787#M360848 <P>Hi, </P><P></P><P> I need help on clarifying how ACLs and object-groups work. I don't have extensive firewall knowledge so I'll try to explain it as clear as possible. </P><P></P><P> I have read that basically everything can be an object-group (e.g. "object-group network" "object-group protocol""object-group service", etc). Now, how do you apply that to an ACL. </P><P></P><P> Let's say I have two subnets and two ports and I do the following:</P><P></P><P> object-group network Subnet</P><P> network-object 192.168.10.0 /24</P><P> network-object 192.168.12.0 /24</P><P></P><P> object-group service Port</P><P> port-object 3333</P><P> port-object 4444</P><P></P><P> access-list dmz2_in permit tcp Subnet 172.16.10.0 255.255.255.0 eq Port</P><P> access-list inside_in permit tcp 172.16.10.0 255.255.255.0 Subnet eq Port</P><P></P><P> Are those ACLs valid? </P><P>If the 10 subnet is associated with port 3333 and the 12 is with 4444, wouldn't this create security concerns since now I can try to access port 4444 from the 10 subnet as well?</P><P>Can I also use an "object-group protocol" and replace tcp with it? </P><P>How do you configure your ASA to keep it readable? </P><P></P><P> I have a few more questions but I want to start by this since I am not sure if I am making sense or not. </P><P></P><P> Thanks in advance. RG</P> Tue, 12 Mar 2019 01:09:30 GMT https://community.cisco.com/t5/network-security/acl-and-object-groups/m-p/2186787#M360848 Limitless1801 2019-03-12T01:09:30Z https://community.cisco.com/t5/network-security/acl-and-object-groups/m-p/2186788#M360849 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Alot of the time I dont use object-groups but this is mostly due to the fact that most common firewall rules that customer needs added is along the lines of HTTP/HTTPS, SMTP etc. These usually dont require any object-groups</P><P></P><P>Then theres situation where you really benefit from using "object-group". Im some situations you can use same "object-groups" for both NAT and ACL to make the configurations easy to modify together</P><P></P><P>Your above configuration format isnt exactly correct. I can't exactly remember if there has been changes to the "service" object-group configuration formats from the past software but this is the same from my own ASA</P><P></P><P><STRONG>object-group service SERVICE</STRONG></P><P><STRONG> service-object tcp destination eq 3333</STRONG></P><P><STRONG> service-object tcp destination eq 4444</STRONG></P><P></P><P><STRONG>object-group network NETWORKS</STRONG></P><P><STRONG> network-object 192.168.10.0 255.255.255.0</STRONG></P><P><STRONG> network-object 192.168.12.0 255.255.255.0</STRONG></P><P></P><P><STRONG>access-list INSIDE-IN extended permit object-group SERVICE object-group NETWORKS 172.16.10.0 255.255.255.0</STRONG></P><P></P><P>The above would allow</P><UL><LI>TCP destination port 3333 and 4444 traffic<UL><LI>Notice that the "object-group servic SERVICE" is used right after the "permit"</LI></UL></LI><LI>The above traffic would be allowed when source network is either 192.168.10.0/24 or 192.168.12.0/24 and the destination network was 172.16.10.0/24</LI></UL><P></P><P>Heres the same ACL line in "open" form</P><P></P><P><STRONG>ASA(config)# sh access-list INSIDE-IN</STRONG></P><P><STRONG>access-list INSIDE-IN; 4 elements; name hash: 0xf1656621</STRONG></P><P><STRONG>access-list INSIDE-IN line 1 extended permit object-group SERVICE object-group NETWORKS 172.16.10.0 255.255.255.0 0xdeaaa383</STRONG></P><P><STRONG>&nbsp; access-list INSIDE-IN line 1 extended permit tcp 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0 eq 3333 (hitcnt=0) 0x9eb522be</STRONG></P><P><STRONG>&nbsp; access-list INSIDE-IN line 1 extended permit tcp 192.168.12.0 255.255.255.0 172.16.10.0 255.255.255.0 eq 3333 (hitcnt=0) 0xc70b2f39</STRONG></P><P><STRONG>&nbsp; access-list INSIDE-IN line 1 extended permit tcp 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0 eq 4444 (hitcnt=0) 0x1c20018e</STRONG></P><P><STRONG>&nbsp; access-list INSIDE-IN line 1 extended permit tcp 192.168.12.0 255.255.255.0 172.16.10.0 255.255.255.0 eq 4444 (hitcnt=0) 0xd878ac50</STRONG></P><P></P><P></P><P>Naturally when you want really specific rules for different networks you dont group them in the same object-groups. So in your above situation both networks 192.168.10.0/24 and 192.168.12.0/24 could connect the other network with destination port TCP/3333 and TCP/4444 and the other way around.</P><P></P><P>I have to this day had no need to configure a "object-group protocol". I guess it might have its uses but so far I have had no need to use it.</P><P></P><P>It would be easier to give you an example of how to configure something if you stated what you were after.</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 04 Mar 2013 21:22:17 GMT https://community.cisco.com/t5/network-security/acl-and-object-groups/m-p/2186788#M360849 Jouni Forss 2013-03-04T21:22:17Z https://community.cisco.com/t5/network-security/acl-and-object-groups/m-p/2186789#M360850 <HTML><HEAD></HEAD><BODY><P>Thanks a lot for the explanation. That answered my question. </P><P></P><P>RG</P></BODY></HTML> Tue, 05 Mar 2013 14:54:54 GMT https://community.cisco.com/t5/network-security/acl-and-object-groups/m-p/2186789#M360850 Limitless1801 2013-03-05T14:54:54Z