IOS FW object-group network

falain
Level 1

With IOS 12.4(20)T, I am able to create network or service object-groups.

I would like to create an external network object-group meaning that it will include all outside networks and exclude all my inside private networks.

I didn't find any way to say 'all but my inside networks'.

Then, I created an object-group containing all public network ranges between the private RFC 1918 classes:

range 0.0.0.1 9.255.255.255

range 11.0.0.0 169.253.255.255

range 170.0.0.0 172.15.255.255

range 173.0.0.0 192.167.255.255

range 192.169.0.0 223.255.255.255

IOS has nothing to negate a host, a subnet or a network range.

I can use an ACE "deny object-group <internal networks>" to exclude internal networks before a "permit any any", but it will make the configuration bigger, less readable and confusing when there are a lot of ACEs to be organized.

Maybe this is a new feature suggestion: to exclude some networks in object-groups rather than always include them.

4 Replies

falain
Level 1

I answer myself since nobody replies.

Is IOS FW banned from the security forum?

Maybe it is an ASA internal killer product!

I found in the release notes (supposedly) that an object-group range has an implicit /24 netmask.

So it is impossible to go beyond class C boundaries.

Then, I replaced it with many subnets using my favourite CIDR calculator.
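
The "all but my inside networks" list can be computed instead of typed from a CIDR calculator. The Python below is an added example, not from this thread or from Cisco: it uses the standard `ipaddress` module to carve the three RFC 1918 prefixes out of 0.0.0.0/0 and prints the resulting blocks as an IOS object-group; the `<network> <netmask>` entry syntax and the group name EXTERNAL are assumptions, so check them against your release before pasting.

```python
"""Compute the CIDR blocks covering every IPv4 address except a set of
excluded prefixes, and render them as an IOS 'object-group network'.

Constructed input: the excluded prefixes are the three RFC 1918 ranges."""
import ipaddress

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def complement_cidrs(excluded, universe="0.0.0.0/0"):
    """Return the sorted, minimal list of networks inside `universe` that
    contain none of the `excluded` prefixes ("everything but my inside nets")."""
    blocks = [ipaddress.ip_network(universe)]
    for excl in map(ipaddress.ip_network, excluded):
        remaining = []
        for blk in blocks:
            if blk.subnet_of(excl):
                continue  # block lies entirely inside an excluded prefix: drop it
            if excl.subnet_of(blk):
                # Carve the excluded prefix out. address_exclude yields the
                # sibling blocks along the path from blk down to excl.
                remaining.extend(blk.address_exclude(excl))
            else:
                remaining.append(blk)  # disjoint from excl: keep unchanged
        blocks = remaining
    return sorted(blocks)


def ios_object_group(name, excluded):
    """Render the complement as object-group lines. The '<network> <netmask>'
    entry form is an assumption about the IOS object-group network syntax."""
    lines = [f"object-group network {name}"]
    for net in complement_cidrs(excluded):
        lines.append(f" {net.network_address} {net.netmask}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Prints 31 entries for the RFC 1918 complement, e.g. " 11.0.0.0 255.0.0.0"
    print(ios_object_group("EXTERNAL", RFC1918))
```

Adding "169.254.0.0/16" to the excluded list would also drop the link-local range, which the hand-written ranges above skip.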

Hi,

Of course IOS FW is NOT banned from security forum. In fact, we have an "Ask The Experts" section going on just for IOS Firewall:

http://forums.cisco.com/eforum/servlet/NetProf?page=Expert_Archive_discussion

To answer your question, service Object Group has the "neg" knob to negate objects. For network Object Group, you can use the "deny object-group-name" in ACL, just like you described.

Thanks.

Alex Yeung

hi,

thanks for answering.

I suppose you mean 'neq' in the service object group (i.e. tcp neq www).

But I think IOS lacks this negative syntax in network object groups to say 'not this subnet' or 'not this host'.

Then, to define the network object group External, I have to list all but my private subnets (RFC 1918 A, B & C classes).

It would have been easier and lighter to negate my private subnets.

I don't want to make deny-then-permit ACEs because they are generated automatically and the ACEs' ordering can't be guaranteed.

So object-groups must be self-explaining.

Thanks for your feedback. I will take it to our engineering team.

Regards,

Alex Yeung
