Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
705
Views
4
Helpful
4
Replies

IOS FW object-group network

falain
Level 1
Level 1

‎01-19-2009 10:36 AM - edited ‎03-11-2019 07:39 AM

with IOS 12.4(20)T, I am able to create network or service objects-groups.

I would like to create an external network object-group meaning that it will include all outside networks and exclude all my inside private networks.

I didn't found any way to say 'all but my inside networks'.

Then ,I created an object-group containing all public network ranges between private rfc1918 classes:

range 0.0.0.1 9.255.255.255

range 11.0.0.0 169.253.255.255

range 170.0.0.0 172.15.255.255

range 173.0.0.0 192.167.255.255

range 192.169.0.0 223.255.255.255

IOS has nothing to negate a host or a subnet or a network range

I can use an ace deny object-group <internal networks> to exclude internal networks before a permit any any but it will make configuration bigger,less readable and confusing when there are a lot of aces to be organized

may be it is new feature suggestion to exclude some networks in object-groups rather than always include them.

Labels:
0 Helpful
4 Replies 4

falain
Level 1
Level 1

‎03-03-2009 08:26 AM

I answer to myself since nobody replies.

Is IOS FW banned from security forum ?

May be it is an ASA internal killer product !

I found in release note (supposedly), that object-group range has an implicit /24 netmask.

So impossible to go beyond C class boundaries.

Then, I replaced it with many subnets using my favourite CIDR calculator.

Alex Yeung
Cisco Employee
Cisco Employee
In response to falain

‎03-05-2009 10:33 AM

Hi,

Of course IOS FW is NOT banned from security forum. In fact, we have an "Ask The Experts" section going on just for IOS Firewall:

http://forums.cisco.com/eforum/servlet/NetProf?page=Expert_Archive_discussion

To answer your question, service Object Group has the "neg" knob to negate objects. For network Object Group, you can use the "deny object-group-name" in ACL, just like you described.

Thanks.

Alex Yeung

0 Helpful

falain
Level 1
Level 1
In response to Alex Yeung

‎03-06-2009 10:15 AM

hi,

thanks for answering.

I suppose you mean 'neq' in service object group (ie tcp neq www).

but I think IOS lacks this negative syntax in network object groups to say 'not this subnet' or 'not this host'

Then to define network object group External, I have to list all but my private subnets (rfc1918 A, B & C classes)

I would have been easier and lighter to negate my private subnets.

I don't want to make deny then permit ACEs because they are generated automatically and the ace's ordering can't be garanteed.

So object-groups must be self-explaining.

0 Helpful

Alex Yeung
Cisco Employee
Cisco Employee
In response to falain

‎03-06-2009 05:27 PM

Thanks for your feedback. I will take it to our engineering team.

Regards,

Alex Yeung

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card