https://community.cisco.com/t5/network-security/definingaccess-for-several-groups/m-p/1611646#M595386 <HTML><HEAD></HEAD><BODY><P>You can certainly add more ip addresses or subnets to the existing object group that you have defined.</P><P>You can also create different object group to define different ip addresses/subnet.</P><P></P><P>If you would like to block access to certain ip addresses, and allow access for everything else, then you would need to configure the more restrictive rule above the permit any rule as access-list is inspected from top to bottom and it will stop at first match.</P><P></P><P>Hope that makes sense.</P></BODY></HTML> Tue, 04 Jan 2011 11:34:04 GMT Jennifer Halim 2011-01-04T11:34:04Z https://community.cisco.com/t5/network-security/definingaccess-for-several-groups/m-p/1611645#M595381 <P>We have ISA Server which is setup to restrict particular domain groups controlled access, three groups in all (basic-minimum, intermediate-normal and advanced-maximum</P><P></P><P>Is there a way to replicate this setup on our ASA5510</P><P></P><P>E.g. We have an Object group setup (full internet) with assigned (these are various computers/IP's) and then this group allocated to our inside rule with Permit/Any/IP</P><P></P><P>If we were to add all network objects and assign to various groups, could we add more rules to that group to detail any restricted sites/IP?</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 19:29:59 GMT https://community.cisco.com/t5/network-security/definingaccess-for-several-groups/m-p/1611645#M595381 mark.a.coleman 2019-03-11T19:29:59Z https://community.cisco.com/t5/network-security/definingaccess-for-several-groups/m-p/1611646#M595386 <HTML><HEAD></HEAD><BODY><P>You can certainly add more ip addresses or subnets to the existing object group that you have defined.</P><P>You can also create different object group to define different ip addresses/subnet.</P><P></P><P>If you would like to block access to certain ip addresses, and allow access for everything else, then you would need to configure the more restrictive rule above the permit any rule as access-list is inspected from top to bottom and it will stop at first match.</P><P></P><P>Hope that makes sense.</P></BODY></HTML> Tue, 04 Jan 2011 11:34:04 GMT https://community.cisco.com/t5/network-security/definingaccess-for-several-groups/m-p/1611646#M595386 Jennifer Halim 2011-01-04T11:34:04Z https://community.cisco.com/t5/network-security/definingaccess-for-several-groups/m-p/1611647#M595390 <HTML><HEAD></HEAD><BODY><P>I thought you were going to say that, rules work from top down until they meet a match to restrict. What I wanted to do is have a group with the rules defined, rather than creating lots of rules one by one.</P></BODY></HTML> Tue, 04 Jan 2011 11:48:55 GMT https://community.cisco.com/t5/network-security/definingaccess-for-several-groups/m-p/1611647#M595390 mark.a.coleman 2011-01-04T11:48:55Z https://community.cisco.com/t5/network-security/definingaccess-for-several-groups/m-p/1611648#M595391 <HTML><HEAD></HEAD><BODY><P>Mark,</P><P>The object group themselves are not rules. May be you can create an object group for all the denies and call that object group in an acl with a deny before adding the permit acl with the object group that has all the hosts and network that you have to permit.</P><P></P><P>example</P><P>object-group network deny-net<BR /> network-object 10.10.10.0 255.255.255.0<BR />object-group network permit-net<BR /> network-object 192.168.0.0 255.255.255.0</P><P></P><P>access-list inside-acl deny ip object-group deny-net any</P><P>access-list inside-acl permit tcp object-group permit-net any eq 80</P><P></P><P>-KS</P></BODY></HTML> Tue, 04 Jan 2011 15:47:06 GMT https://community.cisco.com/t5/network-security/definingaccess-for-several-groups/m-p/1611648#M595391 Kureli Sankar 2011-01-04T15:47:06Z https://community.cisco.com/t5/network-security/definingaccess-for-several-groups/m-p/1611649#M595396 <HTML><HEAD></HEAD><BODY><P>To top KS's comment, you can also group all the services together.</P><P></P><P>From KS's example, if you would like to deny SMTP and HTTP only from "deny-net" object-group, then you can define the following:</P><P></P><P>object-group service deny-service tcp</P><P>&nbsp;&nbsp;&nbsp;&nbsp; port-object eq 25</P><P>&nbsp;&nbsp;&nbsp;&nbsp; port-object eq 80</P><P></P><P>access-list inside-acl deny tcp object-group deny-net any object-group deny-service</P><P></P><P>Here is the command reference for object-group (it also contains examples for your reference):</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1750094">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1750094</A></P><P></P><P>Hope that helps.</P></BODY></HTML> Tue, 04 Jan 2011 22:25:12 GMT https://community.cisco.com/t5/network-security/definingaccess-for-several-groups/m-p/1611649#M595396 Jennifer Halim 2011-01-04T22:25:12Z https://community.cisco.com/t5/network-security/definingaccess-for-several-groups/m-p/1611650#M595399 <HTML><HEAD></HEAD><BODY><P>KS, I didn't mean to suggest the groups are rules.</P><P></P><P>Looking at this again it's looking like it could be a big task, if achievable at all.</P><P></P><P>In simple terms I'd want three groups, each with slightly different access permissions to the Internet (wouldn't each object need adding and we don't use static IP for workstations).</P></BODY></HTML> Wed, 05 Jan 2011 09:17:02 GMT https://community.cisco.com/t5/network-security/definingaccess-for-several-groups/m-p/1611650#M595399 mark.a.coleman 2011-01-05T09:17:02Z