Object groups creation

venkat_n7
Level 1

Hi,

I have a question about the most effective way to create object-groups.

I have two hosts in different public clouds coming into my on-prem network and talking to two hosts in the same network behind a firewall. What would be the best way to create object-groups and ACLs?

Options:

1. Should I create a separate object-group for each host and make an ACL accordingly?

2. Should I create a single object-group for the hosts in the public cloud and another object-group for the hosts in the internal network, and map them with an ACL?

3. Should I create a separate object-group for each host in the public cloud and a single object-group for the internal hosts, then create two ACLs, mapping the first public object-group with the internal object-group and the second public object-group with the internal object-group?

Please provide me with suggestions; as the connections are coming from the public network, I want the firewall rules to be more precise.

Please rate comments and support
with regards,
Venkat
2 Replies

balaji.bandi
Hall of Fame

Personally I would go with one object-group for the external hosts and one for the internal hosts.

Since most of the traffic is coming from the outside interface and going to the inside interface.

Until you have different nameifs and different contexts in place.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

The question is more what your security policy mandates here. If you use the host-to-host approach (probably also including services), then it is more precise, but also more work. But typically this is the way to go to only allow the traffic that is really needed.
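As an added illustration (not configuration from either poster), here is how the two designs discussed above look on an ASA: the one-group-per-side approach from the first reply, and the host-to-host variant recommended in the second. All names and addresses are constructed placeholders; the "outside" nameif is assumed.

```cisco
! --- Design A: one object-group per side (as in the first reply) ---
! Every cloud host may reach every internal host on the listed ports,
! i.e. the rule is the cross product of the two groups.
object-group network CLOUD-HOSTS
 network-object host 203.0.113.10
 network-object host 198.51.100.20
object-group network INTERNAL-HOSTS
 network-object host 10.10.20.5
 network-object host 10.10.20.6
object-group service CLOUD-TO-INTERNAL-SVCS tcp
 port-object eq 443
access-list OUTSIDE-IN extended permit tcp object-group CLOUD-HOSTS object-group INTERNAL-HOSTS object-group CLOUD-TO-INTERNAL-SVCS

! --- Design B: host-to-host with services (as in the second reply) ---
! One line per real flow; cloud host A cannot reach internal host 2 and
! vice versa, because no line permits it.
object network CLOUD-A
 host 203.0.113.10
object network CLOUD-B
 host 198.51.100.20
object network INTERNAL-1
 host 10.10.20.5
object network INTERNAL-2
 host 10.10.20.6
access-list OUTSIDE-IN extended permit tcp object CLOUD-A object INTERNAL-1 eq 443
access-list OUTSIDE-IN extended permit tcp object CLOUD-B object INTERNAL-2 eq 443

! Common tail for either design: explicit logged deny, then bind the ACL.
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! Verify what the ASA actually expanded the groups into, and the hit counts:
! show access-list OUTSIDE-IN
```

In Design A, `show access-list` reveals four expanded host-to-host entries from a single configured line, which is exactly the extra reachability the host-to-host design avoids; the logged deny makes unexpected cloud-side connection attempts visible in syslog either way.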
