Beginner

IOS FW object-group network

With IOS 12.4(20)T, I am able to create network or service object-groups.

I would like to create an external network object-group meaning that it will include all outside networks and exclude all my inside private networks.

I didn't find any way to say 'all but my inside networks'.

Then, I created an object-group containing all public network ranges between the private RFC 1918 classes:

range 0.0.0.1 9.255.255.255

range 11.0.0.0 169.253.255.255

range 170.0.0.0 172.15.255.255

range 173.0.0.0 192.167.255.255

range 192.169.0.0 223.255.255.255

IOS has nothing to negate a host or a subnet or a network range

I can use an ACE deny object-group <internal networks> to exclude internal networks before a permit any any, but it will make the configuration bigger, less readable and confusing when there are a lot of ACEs to be organized.

Maybe it is a new feature suggestion to exclude some networks in object-groups rather than always include them.

4 REPLIES
Beginner

Re: IOS FW object-group network

I answer to myself since nobody replies.

Is IOS FW banned from the security forum?

Maybe it is an ASA internal killer product!

I found in the release notes (supposedly) that an object-group range has an implicit /24 netmask.

So it is impossible to go beyond class C boundaries.

Then, I replaced it with many subnets using my favourite CIDR calculator.
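The subnet list the CIDR calculator produces here is simply the complement of the three RFC 1918 blocks. As an added example (not code from this thread or from Cisco), the Python below computes that list with the standard `ipaddress` module and renders it in IOS `object-group network` form; the group name `EXTERNAL-NETS` is an assumed placeholder, and the `<network> <mask>` entry syntax is assumed from the IOS object-group feature discussed above.

```python
"""Complement a set of IPv4 prefixes (e.g. RFC 1918) as CIDR subnets and
print the result as IOS 'object-group network' entries.

Added example for this thread, not Cisco's or the poster's code.
"""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network

# The three RFC 1918 blocks the thread calls the private A, B and C classes.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def complement(excluded: Iterable[str], universe: str = "0.0.0.0/0") -> List[IPv4Net]:
    """Return the minimal sorted list of CIDR subnets covering `universe` minus `excluded`."""
    remaining = [ipaddress.ip_network(universe)]
    for block in (ipaddress.ip_network(b) for b in excluded):
        next_remaining = []
        for net in remaining:
            if not net.overlaps(block):
                next_remaining.append(net)  # untouched by this block
            elif net.subnet_of(block):
                continue  # entirely inside the excluded block: drop it
            else:
                # block sits inside net: split net into the prefixes around it
                next_remaining.extend(net.address_exclude(block))
        remaining = next_remaining
    # merge any adjacent prefixes and sort for a stable, readable listing
    return sorted(ipaddress.collapse_addresses(remaining))


def ios_object_group(name: str, nets: Iterable[IPv4Net]) -> str:
    """Render subnets as an IOS 'object-group network' block using <network> <mask> entries.

    Subnets are used instead of 'range' entries because, per the thread, a range
    entry is limited by an implicit /24 netmask.
    """
    lines = [f"object-group network {name}"]
    lines += [f" {n.network_address} {n.netmask}" for n in nets]
    return "\n".join(lines)


if __name__ == "__main__":
    # Hypothetical group name; paste the output into IOS config mode.
    print(ios_object_group("EXTERNAL-NETS", complement(RFC1918)))
```

The result is 31 prefixes that together cover every non-RFC 1918 IPv4 address, which is why a subnet-based group grows quickly compared with a single negated entry.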

Cisco Employee

Re: IOS FW object-group network

Hi,

Of course IOS FW is NOT banned from security forum. In fact, we have an "Ask The Experts" section going on just for IOS Firewall:

http://forums.cisco.com/eforum/servlet/NetProf?page=Expert_Archive_discussion

To answer your question, service Object Group has the "neg" knob to negate objects. For network Object Group, you can use the "deny object-group-name" in ACL, just like you described.

Thanks.

Alex Yeung

Beginner

Re: IOS FW object-group network

hi,

thanks for answering.

I suppose you mean 'neq' in service object group (ie tcp neq www).

But I think IOS lacks this negative syntax in network object groups to say 'not this subnet' or 'not this host'.

Then to define the network object group External, I have to list all but my private subnets (RFC 1918 A, B & C classes).

It would have been easier and lighter to negate my private subnets.

I don't want to make deny then permit ACEs because they are generated automatically and the ACEs' ordering can't be guaranteed.

So object-groups must be self-explaining.

Cisco Employee

Re: IOS FW object-group network

Thanks for your feedback. I will take it to our engineering team.

Regards,

Alex Yeung