03-04-2013 12:45 PM - edited 03-11-2019 06:09 PM
Hi,
I need help on clarifying how ACLs and object-groups work. I don't have extensive firewall knowledge, so I'll try to explain it as clearly as possible.
I have read that basically everything can be an object-group (e.g. "object-group network", "object-group protocol", "object-group service", etc.). Now, how do you apply that to an ACL?
Let's say I have two subnets and two ports and I do the following:
object-group network Subnet
network-object 192.168.10.0 /24
network-object 192.168.12.0 /24
object-group service Port
port-object 3333
port-object 4444
access-list dmz2_in permit tcp Subnet 172.16.10.0 255.255.255.0 eq Port
access-list inside_in permit tcp 172.16.10.0 255.255.255.0 Subnet eq Port
Are those ACLs valid?
If the 10 subnet is associated with port 3333 and the 12 is with 4444, wouldn't this create security concerns since now I can try to access port 4444 from the 10 subnet as well?
Can I also use an "object-group protocol" and replace tcp with it?
How do you configure your ASA to keep it readable?
I have a few more questions, but I want to start with this since I am not sure if I am making sense or not.
Thanks in advance. RG
03-04-2013 01:22 PM
Hi,
A lot of the time I don't use object-groups, but this is mostly due to the fact that the most common firewall rules that customers need added are along the lines of HTTP/HTTPS, SMTP, etc. These usually don't require any object-groups.
Then there are situations where you really benefit from using "object-group". In some situations you can use the same "object-groups" for both NAT and ACL to make the configurations easy to modify together.
Your above configuration format isn't exactly correct. I can't exactly remember if there have been changes to the "service" object-group configuration format from past software, but this is the same from my own ASA:
object-group service SERVICE
service-object tcp destination eq 3333
service-object tcp destination eq 4444
object-group network NETWORKS
network-object 192.168.10.0 255.255.255.0
network-object 192.168.12.0 255.255.255.0
access-list INSIDE-IN extended permit object-group SERVICE object-group NETWORKS 172.16.10.0 255.255.255.0
The above would allow
Here's the same ACL line in "open" form:
ASA(config)# sh access-list INSIDE-IN
access-list INSIDE-IN; 4 elements; name hash: 0xf1656621
access-list INSIDE-IN line 1 extended permit object-group SERVICE object-group NETWORKS 172.16.10.0 255.255.255.0 0xdeaaa383
access-list INSIDE-IN line 1 extended permit tcp 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0 eq 3333 (hitcnt=0) 0x9eb522be
access-list INSIDE-IN line 1 extended permit tcp 192.168.12.0 255.255.255.0 172.16.10.0 255.255.255.0 eq 3333 (hitcnt=0) 0xc70b2f39
access-list INSIDE-IN line 1 extended permit tcp 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0 eq 4444 (hitcnt=0) 0x1c20018e
access-list INSIDE-IN line 1 extended permit tcp 192.168.12.0 255.255.255.0 172.16.10.0 255.255.255.0 eq 4444 (hitcnt=0) 0xd878ac50
Naturally, when you want really specific rules for different networks, you don't group them in the same object-groups. So in your above situation both networks 192.168.10.0/24 and 192.168.12.0/24 could connect to the other network with destination port TCP/3333 and TCP/4444, and the other way around.
To this day I have had no need to configure an "object-group protocol". I guess it might have its uses, but so far I have had no need to use it.
It would be easier to give you an example of how to configure something if you stated what you were after.
- Jouni
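The point in the reply above, that the ASA installs one ACE for every combination of service, source and destination in the grouped line (the "open" form that `show access-list` prints), and RG's concern that this lets 192.168.10.0/24 reach TCP/4444 as well, can be checked offline with the following script. This is an added example, not code from the thread or from Cisco. The config text inside it is constructed to mirror the snippet above, plus a split-group variant with one network group per port; the parser only understands the handful of ASA keywords used in those two snippets, and `expand_acl`, `is_permitted` and the helper names are the example's own.

```python
"""Expand ASA object-group ACL lines into per-flow ACEs and evaluate flows.
Added example; the two config snippets below are constructed for this script."""
import ipaddress
from itertools import product

# Constructed config mirroring the grouped example in the reply above.
GROUPED_CONFIG = """
object-group service SERVICE
 service-object tcp destination eq 3333
 service-object tcp destination eq 4444
object-group network NETWORKS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.12.0 255.255.255.0
access-list INSIDE-IN extended permit object-group SERVICE object-group NETWORKS 172.16.10.0 255.255.255.0
"""

# Constructed alternative: one group per network so each port stays tied to its subnet.
SPLIT_CONFIG = """
object-group network NET10
 network-object 192.168.10.0 255.255.255.0
object-group network NET12
 network-object 192.168.12.0 255.255.255.0
access-list INSIDE-IN extended permit tcp object-group NET10 172.16.10.0 255.255.255.0 eq 3333
access-list INSIDE-IN extended permit tcp object-group NET12 172.16.10.0 255.255.255.0 eq 4444
"""


def parse_config(text):
    """Return (network_groups, service_groups, acl_token_lists) from ASA config text."""
    nets, svcs, acls = {}, {}, []
    current = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "object-group":
            current = (tok[1], tok[2])
            (nets if tok[1] == "network" else svcs)[tok[2]] = []
        elif tok[0] == "network-object" and current and current[0] == "network":
            # "network-object A.B.C.D MASK" or "network-object host A.B.C.D"
            net = f"{tok[2]}/32" if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
            nets[current[1]].append(ipaddress.ip_network(net))
        elif tok[0] == "service-object" and current and current[0] == "service":
            # "service-object tcp destination eq N"; without "eq N" the port is any
            port = int(tok[4]) if len(tok) >= 5 and tok[2:4] == ["destination", "eq"] else None
            svcs[current[1]].append((tok[1], port))
        elif tok[0] == "access-list":
            acls.append(tok)
    return nets, svcs, acls


def _addr_spec(tok, i, nets):
    """Consume one address spec starting at tok[i]; return (networks, next_index)."""
    if tok[i] == "object-group":
        return nets[tok[i + 1]], i + 2
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(f"{tok[i + 1]}/32")], i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2


def expand_acl(name, text):
    """Expand every line of ACL `name` into (action, proto, src_net, dst_net, port) ACEs."""
    nets, svcs, acls = parse_config(text)
    aces = []
    for tok in acls:
        if tok[1] != name:
            continue
        action, i = tok[3], 4
        if tok[i] == "object-group":  # service group supplies protocol and port
            services, i = svcs[tok[i + 1]], i + 2
        else:                          # plain protocol keyword such as tcp/udp/ip
            services, i = [(tok[i], None)], i + 1
        srcs, i = _addr_spec(tok, i, nets)
        dsts, i = _addr_spec(tok, i, nets)
        if i + 1 < len(tok) and tok[i] == "eq":  # trailing "eq PORT" on a plain line
            services = [(p, int(tok[i + 1])) for p, _ in services]
        # The firewall installs the full cross product: every service x src x dst.
        for (proto, port), src, dst in product(services, srcs, dsts):
            aces.append((action, proto, src, dst, port))
    return aces


def is_permitted(aces, proto, src_ip, dst_ip, dst_port):
    """First-match evaluation with the implicit deny at the end of the ACL."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, s, d, port in aces:
        if p in (proto, "ip") and src in s and dst in d and port in (None, dst_port):
            return action == "permit"
    return False


if __name__ == "__main__":
    for label, cfg in (("grouped", GROUPED_CONFIG), ("split", SPLIT_CONFIG)):
        aces = expand_acl("INSIDE-IN", cfg)
        print(f"{label}: {len(aces)} ACEs")
        for ace in aces:
            print("  ", ace)
        print("   192.168.10.1 -> 172.16.10.5 tcp/4444 permitted?",
              is_permitted(aces, "tcp", "192.168.10.1", "172.16.10.5", 4444))
```

Running it prints four ACEs for the grouped config, in the same order as the `show access-list` output above, and two for the split config; the flow from 192.168.10.1 to TCP/4444 is permitted by the first and denied by the second, which is the practical difference between putting both subnets in one group and keeping them apart.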
03-05-2013 06:54 AM
Thanks a lot for the explanation. That answered my question.
RG