object-group acl example
06-13-2007 05:49 AM - edited 03-11-2019 03:29 AM
Hi
I'm just converting my ACLs to use object-groups and just wanted to check the ACLs I have written are OK. To start with I have some ACLs of:
access-list example permit ip 192.x.x.0 255.255.255.0 10.x.0.0 255.255.0.0
access-list example permit ip 192.x.x.0 255.255.255.0 10.x.0.0 255.255.0.0
access-list example permit ip 192.x.x.0 255.255.255.0 10.x.0.0 255.255.0.0
access-list example permit ip 192.x.x.0 255.255.255.0 10.x.0.0 255.255.0.0
and some object-groups of:
object-group network UK_Network
description subnets in use on UK LAN
network-object 192.x.x.x 255.255.255.0
network-object 192.x.x.x 255.255.255.0
network-object 192.x.x.x 255.255.255.0
network-object 192.x.x.x 255.255.255.0
network-object 10.x.0.0 255.255.0.0
object-group network Canada_Network
network-object 10.x.0.0 255.255.0.0
the access-list I have written to use the object-groups is:
access-list example permit ip object-group UK_Network object-group Canada_Network
does this look right?
thanks
Labels: NGFW Firewalls
06-13-2007 06:39 AM
Hi
It looks fine other than the 10.x.0.0 entry in the UK_Network object-group. Do you need this?
HTH
Jon
06-13-2007 06:55 AM
Hi Jon
My fault with the notation of the subnets; it should read:
object-group network UK_Network
description subnets in use on UK LAN
network-object 192.x.x.x 255.255.255.0
network-object 192.x.x.x 255.255.255.0
network-object 192.x.x.x 255.255.255.0
network-object 192.x.x.x 255.255.255.0
network-object 10.20.x.x 255.255.0.0
object-group network Canada_Network
network-object 10.1.x.x 255.255.0.0
The network object-group ACLs seem easy enough. Would it be OK if I ran some port, protocol and ICMP ACLs past you?
06-13-2007 06:59 AM
Hi
Yes, no problem at all.
Jon
06-13-2007 07:07 AM
Thanks.
Here are some object-groups I've written, and I'm just writing the access-lists currently. Also wondering about the best testing and implementation method: presumably one access-list at a time and out of hours!?
object-group protocol proto_grp_1
protocol-object udp
object-group service OWA_AD TCP
description TCP ports for Outlook Web Access and Active Directory
port-object eq ldap
port-object eq www
port-object eq domain
port-object eq https
port-object eq 42
port-object eq 88
port-object eq 135
port-object eq 445
port-object eq 3268
port-object eq 3269
object-group service OWA_AD UDP
description UDP ports for Outlook Web Access and Active Directory
port-object eq ldap
port-object eq domain
port-object eq 42
port-object eq 88
port-object eq 135
port-object eq 445
port-object eq 3268
port-object eq 3269
object-group service External_Addresses TCP
description TCP ports for External Addresses
port-object eq www
port-object eq smtp
port-object eq pop3
object-group service External_Addresses UDP
description UDP ports for External Addresses
port-object eq 10000
object-group protocol TCP
protocol-object tcp
06-13-2007 07:52 AM
Hi J
My original access-lists are:
access-list if-out permit tcp any host 62.x.x.232 eq www
access-list if-out permit tcp any host 62.x.x.235 eq pop3
access-list if-out permit tcp any host 62.x.x.234 eq smtp
access-list if-out permit tcp any host 62.x.x.234 eq www
access-list if-out permit tcp any host 62.x.x.235 eq www
access-list if-out permit tcp any host 62.x.x.235 eq smtp
New object-groups:
object-group network External_Addresses
description External Addresses
network-object host 62.x.x.234
network-object host 62.x.x.235
Updated access-lists:
access-list if-out permit tcp any host 62.x.x.232 eq www
access-list if-out permit tcp any host 62.x.x.235 eq pop3
access-list if-out permit tcp any object-group External_Addresses eq smtp
access-list if-out permit tcp any object-group External_Addresses eq www
How's that look? Cheers for the help; I've been sidetracked on to some other stuff unfortunately.
06-13-2007 11:20 PM
Hi
Yes that looks fine to me. I agree that it is best that you test this out of hours just in case you have missed anything.
Let me know how you get on
Jon
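The two conversions above (the UK_Network/Canada_Network ACL in the first post and the if-out rewrite with the External_Addresses group) can be checked mechanically before the out-of-hours change window: expand every object-group reference into the flat ACEs it stands for (the way the firewall's show access-list output expands them) and compare the result against the original flat list. The script below is an added example, not code from the thread or from Cisco; it uses a simplified parser for network object-groups and ACEs only, and the addresses are constructed from documentation ranges in place of the masked 192.x.x.x / 62.x.x.x values in the posts.

```python
"""Expand object-group based ACLs into flat ACEs and compare with the original.

Added example (not from the forum thread). Addresses are constructed from the
documentation ranges in place of the masked 192.x.x.x / 62.x.x.x values.
Only 'object-group network' and simple permit/deny ACEs are understood.
"""
import ipaddress
from itertools import product

# Constructed PIX/ASA-style config: object-groups plus the rewritten ACLs.
CONFIG = """
object-group network UK_Network
 description subnets in use on UK LAN
 network-object 192.0.2.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0
 network-object 10.20.0.0 255.255.0.0
object-group network Canada_Network
 network-object 10.1.0.0 255.255.0.0
object-group network External_Addresses
 description External Addresses
 network-object host 203.0.113.234
 network-object host 203.0.113.235
access-list example permit ip object-group UK_Network object-group Canada_Network
access-list if-out permit tcp any host 203.0.113.232 eq www
access-list if-out permit tcp any host 203.0.113.235 eq pop3
access-list if-out permit tcp any object-group External_Addresses eq smtp
access-list if-out permit tcp any object-group External_Addresses eq www
"""

# The pre-conversion flat ACL that the object-group lines are meant to replace.
ORIGINAL_IF_OUT = """
access-list if-out permit tcp any host 203.0.113.232 eq www
access-list if-out permit tcp any host 203.0.113.235 eq pop3
access-list if-out permit tcp any host 203.0.113.234 eq smtp
access-list if-out permit tcp any host 203.0.113.234 eq www
access-list if-out permit tcp any host 203.0.113.235 eq www
access-list if-out permit tcp any host 203.0.113.235 eq smtp
"""


def parse_network_groups(config):
    """Return {group_name: [ip_network, ...]} from 'object-group network' blocks."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object-group network "):
            current = line.split()[2]
            groups[current] = []
        elif line.startswith("network-object ") and current:
            parts = line.split()
            if parts[1] == "host":
                groups[current].append(ipaddress.ip_network(parts[2]))
            else:  # "network-object <addr> <mask>"
                groups[current].append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
        elif line.startswith("access-list "):
            current = None  # left the object-group block
    return groups


def _addr_tokens(tokens, groups):
    """Consume one address spec from tokens; return ([networks], remaining tokens)."""
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]


def expand_acl(config, groups, acl_name):
    """Expand every ACE of acl_name into (action, proto, src, dst, port) tuples,
    one tuple per source/destination combination the object-groups produce."""
    aces = []
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != acl_name:
            continue
        action, proto = t[2], t[3]
        srcs, rest = _addr_tokens(t[4:], groups)
        dsts, rest = _addr_tokens(rest, groups)
        port = " ".join(rest)  # e.g. "eq www", or "" for plain ip ACEs
        for s, d in product(srcs, dsts):
            aces.append((action, proto, str(s), str(d), port))
    return aces


def same_policy(config_a, acl_a, config_b, acl_b):
    """True if both ACLs expand to the same set of ACEs. Order is ignored, which
    is only safe when every ACE has the same action (all permits here)."""
    groups = parse_network_groups(config_a + config_b)
    return set(expand_acl(config_a, groups, acl_a)) == set(expand_acl(config_b, groups, acl_b))


if __name__ == "__main__":
    g = parse_network_groups(CONFIG)
    for ace in expand_acl(CONFIG, g, "example"):
        print(ace)
    print("if-out policy unchanged:", same_policy(ORIGINAL_IF_OUT, "if-out", CONFIG, "if-out"))
```

The set comparison deliberately ignores ACE order, so it is only a valid equivalence test when the list contains a single action; once deny entries are mixed in (as in the inside_access_out list later in the thread), first-match order matters and the check would need to compare sequences, not sets.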
06-14-2007 12:04 AM
Jon thanks.
I have multiple examples of pairs of rules in separate access-lists which reference the same source and destination networks and are both getting hit. How does this work? Do I need both lines?
06-14-2007 12:09 AM
Will
Could you send an example of what you mean.
Jon
06-14-2007 12:39 AM
Yup, sure:
access-list 1 permit ip object-group UK_Network object-group Canada_Network
access-list 2 permit ip object-group UK_Network object-group Canada_Network
Both are getting hit. Why are both needed? Wouldn't just one do the job?
06-14-2007 01:03 AM
Will
Where are these access-lists applied, i.e. which interfaces are they applied to and in which direction?
Ordinarily you don't need to have the same access-lists, but without some context it's difficult to say.
Jon
06-14-2007 02:37 AM
Hi,
Neither is applied with an access-group command. UK_Network is on inside and Canada on outside.
06-14-2007 02:50 AM
Will
Okay, I'm confused now. How are you getting hits on them if you have not applied them on any interfaces?
Jon
06-14-2007 07:32 AM
Good, sort of, as that had been confusing me too! This config is something I have inherited and I'm just coming to terms with (and the counters have been cleared recently). I've been tasked with cleaning up a config which has had numerous people working on it over the last few years.
I have two access-lists applied to interfaces as follows:
access-group if-out-owa in interface outside
access-group inside_access_out in interface inside
access-list if-out-owa permit tcp any host 62.x.x.x eq www
access-list if-out-owa permit tcp any host 62.x.x.x eq https
access-list inside_access_out deny ip any host ip_of_some_virus_server
access-list inside_access_out permit ip any any
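The confusion over access-lists 1 and 2 above comes down to one question: which access-lists are actually bound to an interface with access-group, and which are just leftover definitions. When tidying an inherited config, that is worth answering from the config text rather than from hit counters that may have been cleared. The script below is an added example, not code from the thread or from Cisco; it parses a constructed config in the same style as the posts (placeholder addresses from the documentation ranges stand in for the masked 62.x.x.x host and the "ip_of_some_virus_server" entry), lists access-lists with no access-group binding, and flags ACEs that are duplicated across lists.

```python
"""Report access-lists that are defined but never bound with access-group, and
ACEs duplicated across lists.

Added example, not from the thread. CONFIG is constructed; 203.0.113.10 stands
in for the masked 62.x.x.x host and 198.51.100.99 for ip_of_some_virus_server.
"""
from collections import defaultdict

CONFIG = """
access-group if-out-owa in interface outside
access-group inside_access_out in interface inside
access-list if-out-owa permit tcp any host 203.0.113.10 eq www
access-list if-out-owa permit tcp any host 203.0.113.10 eq https
access-list inside_access_out deny ip any host 198.51.100.99
access-list inside_access_out permit ip any any
access-list 1 permit ip object-group UK_Network object-group Canada_Network
access-list 2 permit ip object-group UK_Network object-group Canada_Network
"""


def parse(config):
    """Return ({acl_name: [ace body, ...]}, {acl_name: (direction, interface)})."""
    acls, bound = defaultdict(list), {}
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and len(t) > 2:
            acls[t[1]].append(" ".join(t[2:]))
        # access-group <acl> <in|out> interface <ifname>
        elif t[0] == "access-group" and len(t) >= 5 and t[3] == "interface":
            bound[t[1]] = (t[2], t[4])
    return acls, bound


def unbound_acls(config):
    """Names of access-lists that no access-group statement references.
    These are never evaluated, whatever their counters say."""
    acls, bound = parse(config)
    return sorted(name for name in acls if name not in bound)


def bound_acls(config):
    """{acl_name: (direction, interface)} for lists that are actually in use."""
    _, bound = parse(config)
    return dict(bound)


def duplicate_aces(config):
    """ACE bodies that appear in more than one access-list, with the list names."""
    acls, _ = parse(config)
    seen = defaultdict(set)
    for name, aces in acls.items():
        for ace in aces:
            seen[ace].add(name)
    return {ace: sorted(names) for ace, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    print("bound:", bound_acls(CONFIG))
    print("unbound (candidates for removal):", unbound_acls(CONFIG))
    for ace, names in duplicate_aces(CONFIG).items():
        print(f"duplicate ACE '{ace}' in lists {names}")
```

Before deleting an unbound list, confirm that nothing else references it by name (on ASA/PIX an access-list can also be used by NAT, VPN and class-map configuration, which this script does not parse); an access-list that is unbound and unreferenced is dead configuration and removing it changes no traffic decisions.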
