object-groups

mark.johnson
Level 1

Hi All,

Been having a play with "object-groups".

Have sussed out "object-groups network" and all my ACL's are working nicely!

Just trying to get my head around "object-groups service".

I have 10-to-20 customers each coming from a specific IP address connecting to my server, but each customer connects using a different port id at my side.

at the moment the config looks something like this:

static (inside,outside) external_ip internal_ip netmask 255.255.255.255 tcp 50 50

time-range allday
 periodic daily 6:00 to 23:00

access-list inbound extended permit tcp host cust_a_ip host external_ip eq xxxx1 time-range allday
access-list inbound extended permit tcp host cust_b_ip host external_ip eq xxxx2 time-range allday
access-list inbound extended permit tcp host cust_c_ip host external_ip eq xxxx3 time-range allday
access-list inbound extended permit tcp host cust_d_ip host external_ip eq xxxx4 time-range allday
access-list inbound extended permit tcp host cust_e_ip host external_ip eq xxx10 time-range allday

if I use "object-group network" and "object-groups service" it'll look something like this:

object-group service ports_gr1 tcp
 port-object range xxxx1 xxxx5
 port-object eq xxx10

object-group network cust_gr1
 network-object host cust_a_ip
 network-object host cust_b_ip
 network-object host cust_c_ip
 network-object host cust_d_ip
 network-object host cust_e_ip

access-list inbound extended permit tcp object-group network cust_gr1 host external_ip object-group network cust_gr1

Now correct me if I'm wrong... whereas the 1st ACL only allows the specific customer IP to the specific port on that server, the object-group allows ANY of those customer IPs to ANY of those ports on the server?

Is there another way of doing this?

Thanks

--Mark

3 Replies

mmorris11
Level 4

Hmm. I am a little confused by the ACL example and suppose you meant it to read:

access-list inbound extended permit tcp object-group network cust_gr1 host external_ip object-group service ports_gr1

Anyway, I feel your pain as coming up with a useful application for the service based object group can be tricky. In your situation it may be hard to justify the service based group since the context is a "one host to a port" scenario. If each of your customers connected to a smattering of ports then it might be useful to group a unique list of ports together for each customer with the service group. But since it looks like each customer only uses one port right now then each service group would only contain one port. This is the approach you need since you indicated that you don't want other customers getting access to ports they shouldn't.

HTH pls rate!

Oops, typo, and I missed the time-range out! You are correct -->

access-list inbound extended permit tcp object-group network cust_gr1 host external_ip object-group service ports_gr1 time-range allday

In fact, I have just found out I don't need the "network" or "service" in the ACL.

Anyway thanks for the reply!

I think I could probably go with the object-group network and service, grouping the customers' IPs and our ports, as we define the port on the customer side when our software is installed.

At the end of the day, yes my ACL's would look nice and neat, but I'd always be thinking how sneaky could the customer be ;o)

Cheers for your help!

--Mark

Sure! Yes, I also noted that the network and service keywords were unnecessary, but to avoid more confusion I just didn't mention it. Also, be advised that when you get really "artistic" with ob groups, while you can trim down the config lines, you can also cause the "real" access list to grow exponentially, imposing a big burden on your device resources.

Please rate if helpful! Thanks!
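Both points raised in this thread, Mark's question of whether one ACE built from a network group and a service group lets any grouped host reach any grouped port, and mmorris11's closing note that the "real" access list grows when groups are combined, can be checked by expanding the groups the way the firewall does and diffing the result against the per-customer intent. The script below is an added example, not code from the thread or from Cisco. It parses only the operand forms that appear in the thread (host, eq, range and object-group, with the optional network/service keywords) and uses constructed placeholder values (10.1.1.x for cust_a_ip..cust_e_ip, 203.0.113.10 for external_ip, ports 5001-5010 for xxxx1..xxx10); the number of expanded entries it reports mirrors the cross product, not the exact count an ASA would show.

```python
"""Expand ASA-style access-list entries that use object-groups into the
individual (source host, destination host, destination port) tuples they
permit, then diff that against the per-customer intent.

Added example modelled on the thread's config; it is not Cisco code.  The
addresses and ports below are constructed placeholders, and only the
operand forms used in the thread (host / eq / range / object-group) are
parsed.
"""
from itertools import product

EXTERNAL_IP = "203.0.113.10"   # constructed stand-in for external_ip

# Intent from the original post: each customer host reaches exactly one port.
INTENDED = {
    "10.1.1.1": 5001,   # cust_a_ip -> xxxx1
    "10.1.1.2": 5002,   # cust_b_ip -> xxxx2
    "10.1.1.3": 5003,   # cust_c_ip -> xxxx3
    "10.1.1.4": 5004,   # cust_d_ip -> xxxx4
    "10.1.1.5": 5010,   # cust_e_ip -> xxx10
}

# Constructed: the long-hand, one-line-per-customer version.
PER_CUSTOMER_CONFIG = "\n".join(
    f"access-list inbound extended permit tcp host {src} host {EXTERNAL_IP} "
    f"eq {port} time-range allday"
    for src, port in INTENDED.items()
)

# Constructed: the object-group version, written with the optional
# network/service keywords that the thread notes are not required.
OBJECT_GROUP_CONFIG = """\
object-group service ports_gr1 tcp
 port-object range 5001 5005
 port-object eq 5010
object-group network cust_gr1
 network-object host 10.1.1.1
 network-object host 10.1.1.2
 network-object host 10.1.1.3
 network-object host 10.1.1.4
 network-object host 10.1.1.5
access-list inbound extended permit tcp object-group network cust_gr1 host 203.0.113.10 object-group service ports_gr1 time-range allday
"""


def parse_object_groups(config):
    """Return ({network group: hosts}, {service group: ports}) from the config."""
    networks, services, current = {}, {}, None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "object-group":
            kind, name = parts[1], parts[2]
            current = (kind, name)
            (networks if kind == "network" else services)[name] = set()
        elif parts[0] == "network-object" and current and current[0] == "network":
            if parts[1] == "host":
                networks[current[1]].add(parts[2])
        elif parts[0] == "port-object" and current and current[0] == "service":
            if parts[1] == "eq":
                services[current[1]].add(int(parts[2]))
            elif parts[1] == "range":
                services[current[1]].update(range(int(parts[2]), int(parts[3]) + 1))
        else:
            current = None   # any other top-level line ends the group block
    return networks, services


def _operand(parts, i, groups):
    """Resolve the operand starting at parts[i]; return (set of values, next index)."""
    tok = parts[i]
    if tok == "host":
        return {parts[i + 1]}, i + 2
    if tok == "eq":
        return {int(parts[i + 1])}, i + 2
    if tok == "object-group":
        i += 1
        if parts[i] in ("network", "service"):   # optional keyword
            i += 1
        return set(groups[parts[i]]), i + 1
    raise ValueError(f"unsupported operand {tok!r}")


def expand_ace(line, networks, services):
    """Expand one 'permit tcp <src> host <dst> <port>' ACE into explicit tuples."""
    parts = line.split()
    i = parts.index("permit") + 2              # skip 'permit' and the protocol
    srcs, i = _operand(parts, i, networks)
    if parts[i] != "host":
        raise ValueError("only a single destination host is modelled here")
    dst, i = parts[i + 1], i + 2
    ports, _ = _operand(parts, i, services)     # trailing time-range is ignored
    return {(src, dst, port) for src, port in product(srcs, ports)}


def audit(config, intended):
    """Compare everything the config permits with the per-customer intent."""
    networks, services = parse_object_groups(config)
    permitted = set()
    for raw in config.splitlines():
        if raw.startswith("access-list"):
            permitted |= expand_ace(raw, networks, services)
    wanted = {(src, EXTERNAL_IP, port) for src, port in intended.items()}
    return {
        "expanded_aces": len(permitted),
        "over_permissive": sorted(permitted - wanted),
        "missing": sorted(wanted - permitted),
    }


if __name__ == "__main__":
    for label, cfg in (("per-customer", PER_CUSTOMER_CONFIG),
                       ("object-group", OBJECT_GROUP_CONFIG)):
        r = audit(cfg, INTENDED)
        print(f"{label}: {r['expanded_aces']} expanded entries, "
              f"{len(r['over_permissive'])} beyond intent, {len(r['missing'])} missing")
        for src, dst, port in r["over_permissive"][:3]:
            print(f"  extra: {src} -> {dst}:{port}")
```

Running it shows the per-customer config expanding to exactly the five intended host/port pairs, while the single grouped ACE expands to 5 hosts x 6 ports = 30 entries, 25 of them beyond what any customer was meant to have. That is the answer to Mark's question and, at the same time, the growth mmorris11 warns about: the device has to evaluate every one of those expanded entries, so what saves lines in the config costs both precision and resources.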