09-28-2006 06:31 AM - edited 03-09-2019 04:20 PM
Hi All,
Been having a play with "object-groups".
Have sussed out "object-group network" and all my ACLs are working nicely!
Just trying to get my head around "object-groups service".
I have 10-to-20 customers each coming from a specific IP address connecting to my server, but each customer connects using a different port id at my side.
At the moment the config looks something like this:
static (inside,outside) external_ip internal_ip netmask 255.255.255.255 tcp 50 50
time-range allday
periodic daily 6:00 to 23:00
access-list inbound extended permit tcp host cust_a_ip host external_ip eq xxxx1 time-range allday
access-list inbound extended permit tcp host cust_b_ip host external_ip eq xxxx2 time-range allday
access-list inbound extended permit tcp host cust_c_ip host external_ip eq xxxx3 time-range allday
access-list inbound extended permit tcp host cust_d_ip host external_ip eq xxxx4 time-range allday
access-list inbound extended permit tcp host cust_e_ip host external_ip eq xxx10 time-range allday
if I use "object-group network" and "object-groups service" it'll look something like this:
object-group service ports_gr1 tcp
port-object range xxxx1 xxxx5
port-object eq xxx10
object-group network cust_gr1
network-object host cust_a_ip
network-object host cust_b_ip
network-object host cust_c_ip
network-object host cust_d_ip
network-object host cust_e_ip
access-list inbound extended permit tcp object-group network cust_gr1 host external_ip object-group network cust_gr1
Now correct me if I'm wrong...whereas the 1st ACL only allows the specific customer IP to the specific port on that server, the object-group allows ANY of those customer IP's to ANY of those ports on the server?
Is there another way of doing this?
Thanks
--Mark
09-28-2006 07:25 AM
Hmm. I am a little confused by the ACL example and suppose you meant it to read:
access-list inbound extended permit tcp object-group network cust_gr1 host external_ip object-group service ports_gr1
Anyway, I feel your pain as coming up with a useful application for the service based object group can be tricky. In your situation it may be hard to justify the service based group since the context is a "one host to a port" scenario. If each of your customers connected to a smattering of ports then it might be useful to group a unique list of ports together for each customer with the service group. But since it looks like each customer only uses one port right now then each service group would only contain one port. This is the approach you need since you indicated that you don't want other customers getting access to ports they shouldn't.
HTH pls rate!
09-28-2006 08:51 AM
Oops, typo, and I missed the time-range out! You are correct -->
access-list inbound extended permit tcp object-group network cust_gr1 host external_ip object-group service ports_gr1 time-range allday
In fact, I have just found out I don't need the "network" or "service" in the ACL.
Anyway thanks for the reply!
I think I could probably go with the object-group network and service, grouping the customers ip's and our ports, as we define the port on the customer side when our software is installed.
At the end of the day, yes my ACL's would look nice and neat, but I'd always be thinking how sneaky could the customer be ;o)
Cheers for your help!
--Mark
09-28-2006 08:56 AM
Sure! Yes, I also noted that the network and service keywords were unnecessary, but to avoid more confusion I just didn't mention it. Also, be advised that when you get really "artistic" with object groups that while you can trim down the config lines, you can also cause the "real" access list to grow exponentially, imposing a big burden on your device resources.
Please rate if helpful! Thanks!
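To make the two points in this thread concrete (the single grouped ACE permits every customer address to every customer port, and the appliance still has to enforce the expanded cross product), here is an added example that is not part of the thread and not Cisco code. It parses the subset of ASA/PIX syntax used above, expands object-group references into explicit (source, destination, port) permits, and lets you probe whether a given connection is allowed. The placeholder names in the posts (cust_a_ip, external_ip, xxxx1, ...) are replaced with constructed RFC 5737 documentation addresses and made-up port numbers; the `time-range` operand is parsed past but not evaluated.

```python
"""Expand ASA/PIX-style object-groups into explicit permit tuples.

Added example, not from the thread. Addresses and ports are constructed
stand-ins for the placeholders in the original posts. Only the subset of
syntax that appears in the thread is understood.
"""
from itertools import product

# Constructed stand-in for the original one-ACE-per-customer configuration.
EXPLICIT_CONFIG = """
access-list inbound extended permit tcp host 192.0.2.1 host 198.51.100.10 eq 5001 time-range allday
access-list inbound extended permit tcp host 192.0.2.2 host 198.51.100.10 eq 5002 time-range allday
access-list inbound extended permit tcp host 192.0.2.3 host 198.51.100.10 eq 5003 time-range allday
access-list inbound extended permit tcp host 192.0.2.4 host 198.51.100.10 eq 5004 time-range allday
access-list inbound extended permit tcp host 192.0.2.5 host 198.51.100.10 eq 5010 time-range allday
"""

# Constructed stand-in for the grouped version, with the last operand being
# the service group as the follow-up post corrected it.
GROUPED_CONFIG = """
object-group service ports_gr1 tcp
 port-object range 5001 5005
 port-object eq 5010
object-group network cust_gr1
 network-object host 192.0.2.1
 network-object host 192.0.2.2
 network-object host 192.0.2.3
 network-object host 192.0.2.4
 network-object host 192.0.2.5
access-list inbound extended permit tcp object-group cust_gr1 host 198.51.100.10 object-group ports_gr1 time-range allday
"""


def _group_ref(tok, i):
    """Return the group name after 'object-group', skipping an optional
    'network'/'service' keyword (the posts note it is not required)."""
    if tok[i + 1] in ("network", "service"):
        i += 1
    return tok[i + 1], i + 2


def _hosts(tok, i, net_groups):
    if tok[i] == "host":
        return [tok[i + 1]], i + 2
    if tok[i] == "object-group":
        name, i = _group_ref(tok, i)
        return list(net_groups[name]), i
    raise ValueError(f"unsupported address operand: {tok[i]}")


def _ports(tok, i, svc_groups):
    if tok[i] == "eq":
        return [int(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        name, i = _group_ref(tok, i)
        return list(svc_groups[name]), i
    raise ValueError(f"unsupported port operand: {tok[i]}")


def parse(config):
    """Return (net_groups, svc_groups, aces).

    Each ACE is (src_hosts, dst_hosts, dst_ports) with group references
    already resolved, so one configured line is still one entry here.
    """
    net_groups, svc_groups, aces = {}, {}, []
    current = None  # name of the object-group whose members follow
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"]:
            current = net_groups.setdefault(tok[2], [])
        elif tok[:2] == ["object-group", "service"]:
            current = svc_groups.setdefault(tok[2], [])
        elif tok[:2] == ["network-object", "host"]:
            current.append(tok[2])
        elif tok[0] == "port-object" and tok[1] == "eq":
            current.append(int(tok[2]))
        elif tok[0] == "port-object" and tok[1] == "range":
            current.extend(range(int(tok[2]), int(tok[3]) + 1))
        elif tok[0] == "access-list" and "permit" in tok:
            current = None
            i = tok.index("permit") + 2  # skip the protocol keyword (tcp)
            src, i = _hosts(tok, i, net_groups)
            dst, i = _hosts(tok, i, net_groups)
            ports, i = _ports(tok, i, svc_groups)
            aces.append((src, dst, ports))
        # static, time-range and periodic lines are irrelevant here and skipped
    return net_groups, svc_groups, aces


def expanded_elements(config):
    """The flat set of (src, dst, dport) permits the device actually enforces:
    every ACE becomes the cross product of its source, destination and port
    operands, which is where the growth warned about above comes from."""
    _, _, aces = parse(config)
    flat = set()
    for src, dst, ports in aces:
        flat.update(product(src, dst, ports))
    return flat


def permits(config, src, dst, dport):
    """True if the expanded ACL permits src -> dst:dport (permit-only ACLs)."""
    return (src, dst, dport) in expanded_elements(config)


if __name__ == "__main__":
    for label, cfg in (("explicit", EXPLICIT_CONFIG), ("grouped", GROUPED_CONFIG)):
        print(f"{label}: {len(expanded_elements(cfg))} expanded elements")
    # Customer B's address reaching customer A's port: only the grouped ACE allows it.
    probe = ("192.0.2.2", "198.51.100.10", 5001)
    print("explicit permits cust_b -> 5001:", permits(EXPLICIT_CONFIG, *probe))
    print("grouped  permits cust_b -> 5001:", permits(GROUPED_CONFIG, *probe))
```

Running it shows the explicit list expanding to 5 elements and the grouped ACE to 30 (5 hosts x 6 ports), and that the grouped version lets 192.0.2.2 reach port 5001 while the explicit list does not. With N customers and M ports a single grouped ACE always expands to N x M elements, so the only way to keep the one-customer-one-port mapping with object groups is one ACE (and one single-port service group) per customer, as the reply above suggests, which saves nothing over the explicit list.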