With IOS 12.4(20)T, I am able to create network or service object-groups.
I would like to create an external network object-group, meaning that it will include all outside networks and exclude all my inside private networks.
I didn't find any way to say 'all but my inside networks'.
Then, I created an object-group containing all public network ranges between the private RFC 1918 classes:
range 0.0.0.1 22.214.171.124
range 126.96.36.199 188.8.131.52
range 184.108.40.206 220.127.116.11
range 18.104.22.168 22.214.171.124
range 126.96.36.199 188.8.131.52
IOS has nothing to negate a host, a subnet or a network range.
I can use an ACE deny object-group <internal networks> to exclude internal networks before a permit any any, but it will make the configuration bigger, less readable and confusing when there are a lot of ACEs to be organized.
Maybe it is a new feature suggestion: to exclude some networks in object-groups rather than always including them.
I answer myself since nobody replies.
Is IOS FW banned from the security forum?
Maybe it is an ASA internal killer product!
I found in the release notes (supposedly) that object-group range has an implicit /24 netmask.
So it is impossible to go beyond class C boundaries.
Then, I replaced it with many subnets using my favourite CIDR calculator.
Of course IOS FW is NOT banned from security forum. In fact, we have an "Ask The Experts" section going on just for IOS Firewall:
To answer your question, service Object Group has the "neg" knob to negate objects. For network Object Group, you can use the "deny object-group-name" in ACL, just like you described.
Thanks for answering.
I suppose you mean 'neq' in service object groups (i.e. tcp neq www).
But I think IOS lacks this negative syntax in network object groups to say 'not this subnet' or 'not this host'.
Then, to define the network object group External, I have to list all but my private subnets (RFC 1918 A, B & C classes).
It would have been easier and lighter to negate my private subnets.
I don't want to make deny then permit ACEs because they are generated automatically and the ACEs' ordering can't be guaranteed.
So object-groups must be self-explaining.