Defining access for several groups

mark.a.coleman
Level 1

We have an ISA Server which is set up to restrict particular domain groups' controlled access, three groups in all (basic-minimum, intermediate-normal and advanced-maximum).

Is there a way to replicate this setup on our ASA5510?

E.g. we have an object group set up (full internet) with members assigned (these are various computers/IPs), and then this group is allocated to our inside rule with Permit/Any/IP.

If we were to add all network objects and assign them to various groups, could we add more rules to each group to detail any restricted sites/IPs?

Thanks

5 Replies

Jennifer Halim
Cisco Employee

You can certainly add more IP addresses or subnets to the existing object group that you have defined.

You can also create different object groups to define different IP addresses/subnets.

If you would like to block access to certain IP addresses and allow access for everything else, then you would need to configure the more restrictive rule above the permit-any rule, as the access-list is inspected from top to bottom and it will stop at the first match.

Hope that makes sense.

I thought you were going to say that: rules work from the top down until they meet a match to restrict. What I wanted to do is have a group with the rules defined, rather than creating lots of rules one by one.

Mark,

The object groups themselves are not rules. Maybe you can create an object group for all the denies and call that object group in an ACL with a deny, before adding the permit ACL with the object group that has all the hosts and networks that you have to permit.

Example:

object-group network deny-net
 network-object 10.10.10.0 255.255.255.0
object-group network permit-net
 network-object 192.168.0.0 255.255.255.0
!
! Deny entry first: the ACL is matched top to bottom and the first match wins.
access-list inside-acl deny ip object-group deny-net any
! Then the permit for the hosts/networks that are allowed out (HTTP only here).
access-list inside-acl permit tcp object-group permit-net any eq 80

-KS

On top of KS's comment, you can also group all the services together.

From KS's example, if you would like to deny SMTP and HTTP only from "deny-net" object-group, then you can define the following:

object-group service deny-service tcp
 port-object eq 25
 port-object eq 80
!
! Source deny-net, any destination, destination ports taken from deny-service.
access-list inside-acl deny tcp object-group deny-net any object-group deny-service

Here is the command reference for object-group (it also contains examples for your reference):

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1750094

Hope that helps.
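To make the point in Jennifer's first reply (top-to-bottom, first-match evaluation), KS's network object-group example and the service object-group above concrete, here is an added Python model of how the ASA walks such an access-list. It is example code written for this thread, not Cisco's implementation and not anything the posters provided; the "full-internet" group contents, the hosts and the 203.0.113.10 destination are constructed sample data standing in for the original poster's group.

```python
"""Added example (not from the thread): a toy model of ASA access-list
evaluation built from object-groups.  Object-groups expand to addresses and
ports; the ACL is walked top to bottom and the first matching entry wins, so
a restrictive entry placed below a broad permit never fires."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Network object-groups (constructed sample data mirroring the thread).
NETWORK_GROUPS = {
    "deny-net": ["10.10.10.0/24"],
    # Assumed contents of the original poster's "full internet" group.
    "full-internet": ["10.0.0.0/8", "192.168.0.0/16"],
}
# Service object-groups: name -> (protocol, port set), as in the reply above.
SERVICE_GROUPS = {
    "deny-service": ("tcp", frozenset({25, 80})),
}


@dataclass(frozen=True)
class Ace:
    """One access-control entry, roughly: action proto src dst [service]."""
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: str                       # network object-group name or "any"
    dst: str                       # network object-group name or "any"
    service: Optional[str] = None  # service object-group name, None = any port


def in_network_group(addr: str, name: str) -> bool:
    """True if addr falls in any network of the named group ("any" always matches)."""
    if name == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(cidr) for cidr in NETWORK_GROUPS[name])


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    """Protocol, source group, destination group and (if set) service must all match."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if not (in_network_group(src, ace.src) and in_network_group(dst, ace.dst)):
        return False
    if ace.service is not None:
        svc_proto, ports = SERVICE_GROUPS[ace.service]
        if proto != svc_proto or dport not in ports:
            return False
    return True


def evaluate(acl: list[Ace], proto: str, src: str, dst: str, dport: int) -> tuple[str, int]:
    """Walk the ACL top to bottom and return (action, index) of the first match.
    No match falls through to the implicit deny, reported with index == len(acl)."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action, i
    return "deny", len(acl)


def build_acl(deny_first: bool) -> list[Ace]:
    """The poster's broad permit plus the thread's service-restricted deny,
    in either order, so the effect of ordering can be compared."""
    deny = Ace("deny", "tcp", "deny-net", "any", "deny-service")
    permit = Ace("permit", "ip", "full-internet", "any")
    return [deny, permit] if deny_first else [permit, deny]


if __name__ == "__main__":
    for deny_first in (True, False):
        acl = build_acl(deny_first)
        print("deny above permit:" if deny_first else "deny below permit:")
        for dport in (25, 80, 443):
            action, idx = evaluate(acl, "tcp", "10.10.10.5", "203.0.113.10", dport)
            print(f"  10.10.10.5 -> tcp/{dport}: {action} (entry {idx})")
```

With the deny above the permit, 10.10.10.5 is blocked on tcp/25 and tcp/80 and still allowed on tcp/443; with the deny below the permit, every packet from that host hits the broad permit first and the deny is never reached, which is exactly why the restrictive entry has to come first.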

KS, I didn't mean to suggest the groups are rules.

Looking at this again, it's looking like it could be a big task, if achievable at all.

In simple terms, I'd want three groups, each with slightly different access permissions to the Internet (wouldn't each object need adding, and we don't use static IPs for workstations?).
