01-19-2009 10:36 AM - edited 03-11-2019 07:39 AM
With IOS 12.4(20)T, I am able to create network or service object-groups.
I would like to create an external network object-group, meaning that it will include all outside networks and exclude all my inside private networks.
I didn't find any way to say 'all but my inside networks'.
Then, I created an object-group containing all public network ranges between the private RFC 1918 classes:
range 0.0.0.1 9.255.255.255
range 11.0.0.0 169.253.255.255
range 170.0.0.0 172.15.255.255
range 173.0.0.0 192.167.255.255
range 192.169.0.0 223.255.255.255
IOS has nothing to negate a host, a subnet or a network range.
I can use an ACE 'deny object-group <internal networks>' to exclude internal networks before a 'permit any any', but it will make the configuration bigger, less readable and confusing when there are a lot of ACEs to be organized.
Maybe it is a new feature suggestion: to exclude some networks in object-groups rather than always include them.
03-03-2009 08:26 AM
I am answering myself since nobody replies.
Is IOS FW banned from the security forum?
Maybe it is an ASA internal killer product!
I found in the release notes (supposedly) that an object-group range has an implicit /24 netmask.
So it is impossible to go beyond class C boundaries.
Then, I replaced it with many subnets using my favourite CIDR calculator.
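The "list all but my private subnets" calculation described above can be done with Python's standard ipaddress module instead of a CIDR calculator; the following is an added example, not code from the thread, and the object-group line format it emits is assumed from IOS 12.4(20)T network object-group syntax ("object-group network NAME" followed by "address mask" entries):

```python
import ipaddress

# Constructed input: the RFC 1918 private ranges the poster wants excluded.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def complement_prefixes(excluded, universe=ipaddress.ip_network("0.0.0.0/0")):
    """Return the minimal sorted list of CIDR prefixes covering `universe`
    minus every network in `excluded` (i.e. "everything but these")."""
    remaining = [universe]
    for ex in excluded:
        nxt = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                      # fully inside an excluded block: drop it
            if ex.subnet_of(net):
                nxt.extend(net.address_exclude(ex))  # carve the hole out, keep the rest
            else:
                nxt.append(net)               # disjoint: untouched
        remaining = nxt
    # collapse_addresses merges adjacent aligned blocks and sorts the result
    return list(ipaddress.collapse_addresses(remaining))


def ios_object_group(name, prefixes):
    """Render prefixes as an IOS network object-group (assumed syntax)."""
    lines = [f"object-group network {name}"]
    lines += [f" {p.network_address} {p.netmask}" for p in prefixes]
    return "\n".join(lines)


def covers_no_private(prefixes, excluded=PRIVATE):
    """Sanity check: none of the generated prefixes overlaps a private range."""
    return all(not p.overlaps(ex) for p in prefixes for ex in excluded)


if __name__ == "__main__":
    external = complement_prefixes(PRIVATE)
    print(ios_object_group("External", external))
    print(f"! {len(external)} entries, private space excluded: "
          f"{covers_no_private(external)}")
```

Because the exclusions and the output are all CIDR-aligned, the result is the smallest list of subnets that describes "all but RFC 1918", which is why it is longer than five summary ranges.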
03-05-2009 10:33 AM
Hi,
Of course IOS FW is NOT banned from security forum. In fact, we have an "Ask The Experts" section going on just for IOS Firewall:
http://forums.cisco.com/eforum/servlet/NetProf?page=Expert_Archive_discussion
To answer your question, service Object Group has the "neg" knob to negate objects. For network Object Group, you can use the "deny object-group-name" in ACL, just like you described.
Thanks.
Alex Yeung
03-06-2009 10:15 AM
hi,
thanks for answering.
I suppose you mean 'neq' in service object group (ie tcp neq www).
But I think IOS lacks this negative syntax in network object groups to say 'not this subnet' or 'not this host'.
Then, to define the network object group External, I have to list all but my private subnets (RFC 1918 A, B & C classes).
It would have been easier and lighter to negate my private subnets.
I don't want to make deny-then-permit ACEs because they are generated automatically and the ACEs' ordering can't be guaranteed.
So object-groups must be self-explaining.
03-06-2009 05:27 PM
Thanks for your feedback. I will take it to our engineering team.
Regards,
Alex Yeung