How to configure enhanced object group in ASA 8.x and up

Posted: October 6, 2013 in Cisco Security - Firewalls

#object-group service SERVICES
#service-object icmp echo
#service-object tcp destination eq telnet
#service-object udp destination eq syslog

#object network R1
#host 20.0.0.1
#nat (inside,outside) static 160.60.0.1

#access-list OUT-IN extended permit object-group SERVICES host 160.60.0.2 object R1
#access-group OUT-IN in interface outside

ASA1# sh access-list
access-list OUT-IN; 3 elements; name hash: 0x456198c2
access-list OUT-IN line 1 extended permit object-group SERVICES host 160.60.0.2 object R1 (hitcnt=3)
access-list OUT-IN line 1 extended permit icmp host 160.60.0.2 host 20.0.0.1 echo (hitcnt=2)
access-list OUT-IN line 1 extended permit tcp host 160.60.0.2 host 20.0.0.1 eq telnet (hitcnt=1)
access-list OUT-IN line 1 extended permit udp host 160.60.0.2 host 20.0.0.1 eq syslog (hitcnt=0)
ASA1#
##### Theory #####

Enhanced (service) object groups allow different IP protocols (TCP, UDP), port numbers and ICMP message types (such as echo) to be combined into a single unit. The ACL then needs only one line that references the group instead of one line per protocol/port; as the show output above illustrates, the ASA expands that single line into one access control entry per service-object (3 elements here), and the hit counters are kept per expanded entry.
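To make the expansion concrete, here is a small Python script (an added example, not part of the original post or of any Cisco tool) that parses the post's configuration and reproduces the per-protocol entries that `show access-list` prints. It assumes only the syntax used in the post: `host` network objects, `eq`-style port specs with a `source` or `destination` keyword, and ICMP types; the sample config is constructed from the post's lines.

```python
# Constructed sample: the post's config lines (without the "#" prompt).
CONFIG = """\
object-group service SERVICES
 service-object icmp echo
 service-object tcp destination eq telnet
 service-object udp destination eq syslog
object network R1
 host 20.0.0.1
 nat (inside,outside) static 160.60.0.1
access-list OUT-IN extended permit object-group SERVICES host 160.60.0.2 object R1
"""

def parse(config):
    """Collect service groups, network objects (host only) and ACL lines."""
    groups, objects, acls, ctx = {}, {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object-group service "):
            ctx = groups.setdefault(line.split()[2], [])
        elif line.startswith("object network "):
            ctx = objects.setdefault(line.split()[2], {})
        elif line.startswith("service-object "):
            ctx.append(line.split()[1:])      # e.g. ['tcp', 'destination', 'eq', 'telnet']
        elif line.startswith("host "):
            ctx["host"] = line.split()[1]     # real (pre-NAT) address, as ACLs use since 8.3
        elif line.startswith("access-list "):
            acls.append(line.split())
    return groups, objects, acls

def expand(config):
    """Return the per-service ACEs the ASA derives from each object-group ACE."""
    groups, objects, acls = parse(config)
    aces = []
    for t in acls:
        # access-list NAME extended ACTION object-group GRP host SRC object DST
        name, action, grp, src, dst = t[1], t[3], t[5], t[7], t[9]
        dst_host = objects[dst]["host"]
        for svc in groups[grp]:
            proto, spec = svc[0], svc[1:]
            src_port = dst_port = ""
            if spec and spec[0] == "source":       # source port goes after the source host
                src_port = " " + " ".join(spec[1:])
            elif spec:                             # 'destination eq X' or an ICMP type like 'echo'
                dst_port = " " + " ".join(spec[1:] if spec[0] == "destination" else spec)
            aces.append(f"access-list {name} extended {action} {proto} host {src}{src_port} "
                        f"host {dst_host}{dst_port}")
    return aces

if __name__ == "__main__":
    for ace in expand(CONFIG):
        print(ace)
```

Diffing this output against the live `show access-list` (ignoring `line N` and `hitcnt`) is a quick way to confirm that a group edit exposed exactly the services you intended and nothing more.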

################################################################
