© 2004, Cisco Systems, Inc. All rights reserved. CSPFA

Lesson 8: Object Grouping
Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
- Describe the object grouping feature of the PIX Firewall and its advantages.
- Configure object groups.
- Configure nested object groups.
- Use object groups in ACLs.
Overview of Object Grouping
Using Object Groups in ACLs

Without object groups, every host-and-service combination needs its own ACE: three DMZ servers times three services gives nine access-list lines.

chicago(config)# access-list acl_out permit tcp any host eq http
chicago(config)# access-list acl_out permit tcp any host eq https
chicago(config)# access-list acl_out permit tcp any host eq ftp
chicago(config)# access-list acl_out permit tcp any host eq http
chicago(config)# access-list acl_out permit tcp any host eq https
chicago(config)# access-list acl_out permit tcp any host eq ftp
chicago(config)# access-list acl_out permit tcp any host eq http
chicago(config)# access-list acl_out permit tcp any host eq https
chicago(config)# access-list acl_out permit tcp any host eq ftp

chicago(config)# show static
static(dmz,outside) netmask
static(dmz,outside) netmask
static(dmz,outside) netmask

(Figure: DMZ segment with Web, Mail and X servers; Internet on the outside)
Grouping Objects

- Group the services supported, such as DMZ-Services: HTTP, HTTPS, FTP
- Group the hosts/networks, such as DMZ_Servers
- Apply the group names to the ACL:

chicago(config)# access-list outside permit tcp any object-group DMZ_Servers object-group DMZ_Services

chicago(config)# show static
static(dmz,outside) netmask
static(dmz,outside) netmask
static(dmz,outside) netmask

(Figure: DMZ segment with Web, Mail and X servers; Internet on the outside)
Grouping Objects of Similar Types

- Protocols (INSIDE_PROTOCOLS): TCP, UDP
- Networks/hosts (INSIDE_HOSTS): subnet /24, plus two further entries
- Services (DMZ_SERVICES): HTTP, HTTPS, FTP
- ICMP (PING): echo, echo-reply

chicago(config)# access-list aclout permit tcp any host eq ftp
chicago(config)# access-list aclout permit icmp any echo-reply
Getting Started with Object Groups
Configuring and Using Object Groups

Complete the following tasks to create object groups and use them in your configuration:

Task 1: Use the object-group command to enter the appropriate subcommand mode for the type of group you want to configure.
Task 2: In subcommand mode, define the members of the object group.
Task 3: (Optional.) Use the description subcommand to describe the object group.
Task 4: Use the exit or quit command to return to configuration mode.
Task 5: (Optional.) Use the show object-group command to verify that the object group has been configured successfully.
Task 6: Apply the object group to the access-list command.
Task 7: (Optional.) Use the show access-list command to display the expanded ACL entries.
Configuring Network Object Groups

pixfirewall(config)# object-group network grp_id
  Assigns a name to the group and enables the Network subcommand mode.

Example:
pixfirewall(config)# object-group network Inside_Eng
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# network-object host

(Figure: Inside_Eng and Inside_Mktg /24 networks behind the PIX Firewall; Internet on the outside)
Configuring Service Object Groups

pixfirewall(config)# object-group service grp_id {tcp | udp | tcp-udp}
  Assigns a name to a Service group and enables the Service subcommand mode.

Example:
pixfirewall(config)# object-group service Host_Services tcp
pixfirewall(config-service)# port-object eq http
pixfirewall(config-service)# port-object eq https
pixfirewall(config-service)# port-object eq ftp

(Figure: Inside_Eng and Inside_Mktg /24 networks, DMZ, and Internet; Host_Services = HTTP, HTTPS, FTP)
Adding Object Groups to an ACL

pixfirewall(config)# access-list acl_ID line line-num {deny | permit} protocol source_addr source_mask [operator port [port]] destination_addr destination_mask [operator port [port]]

Example (permits outbound Engineering HTTP, HTTPS, and FTP traffic):
pixfirewall(config)# access-list inside permit tcp object-group Inside_Eng any object-group Host_Services

(Figure: Inside_Eng /24 network, Inside_Mktg, DMZ, and Internet; Host_Services applied to Inside_Eng)
Configuring Protocol Object Groups

pixfirewall(config)# object-group protocol grp_id
  Assigns a name to a Protocol group and enables the Protocol subcommand mode.

Example:
pixfirewall(config)# object-group protocol ESP_Protocol
pixfirewall(config-protocol)# protocol-object 50

(Figure: Inside_Eng and Inside_Mktg /24 networks, DMZ, and Internet; ESP_Protocol = 50)
Configuring ICMP-Type Object Groups

pixfirewall(config)# object-group icmp-type grp_id
  Assigns a name to an ICMP-Type group and enables the ICMP-Type subcommand mode.

Example:
pixfirewall(config)# object-group icmp-type PING
pixfirewall(config-icmp-type)# icmp-object echo
pixfirewall(config-icmp-type)# icmp-object echo-reply

(Figure: Inside_Eng and Inside_Mktg /24 networks, DMZ, and Internet; PING = echo, echo-reply)
Nested Object Groups

- Group objects; for example, Inside_Eng, Inside_Mktg.
- Nest groups; for example, Inside_Networks.
- Apply the nested group to the ACL.

(Figure: Inside_Eng and Inside_Mktg nested within Inside_Networks; DMZ and Internet)
Configuring Nested Object Groups

Complete the following steps to configure nested object groups:

Step 1: Create an object group that you want to nest within another object group, such as Inside_Eng.
Step 2: Add the appropriate type of objects to the object group, such as /24.
Step 3: Assign an identity to the object group within which you want to nest other object groups, such as Inside_Networks.
Step 4: Add the first object group to the second object group.
Step 5: Add any other objects that are required to the group, such as Inside_Mktg.
Nested Object Group Example: Object Group Network

- Create an object group for each network: Inside_Eng, Inside_Mktg
- Allow inside hosts outbound: HTTP, HTTPS, FTP

(Figure: Inside_Eng and Inside_Mktg nested within Inside_Networks; DMZ and Internet)
group-object Command

pixfirewall(config-group-type)# group-object object_group_id
  Nests an object group within another object group.

Example (the nested name must match the defined group name exactly):
pixfirewall(config)# object-group network Inside_Eng
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# exit
pixfirewall(config)# object-group network Inside_Mktg
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# exit
pixfirewall(config)# object-group network Inside_Networks
pixfirewall(config-network)# group-object Inside_Eng
pixfirewall(config-network)# group-object Inside_Mktg

(Figure: Inside_Eng and Inside_Mktg nested within Inside_Networks)
Nested Object Group Example: Object Group Services

pix1(config)# object-group service Host_Services tcp
pix1(config-service)# port-object eq http
pix1(config-service)# port-object eq https
pix1(config-service)# port-object eq ftp

(Figure: Inside_Eng and Inside_Mktg networks, DMZ, and Internet; Host_Services = HTTP, HTTPS, FTP)
Apply Nested Object Group to ACL

Allow all inside hosts outbound HTTP, HTTPS, and FTP with a single ACE:
pixfirewall(config)# access-list aclin permit tcp object-group Inside_Networks any object-group Host_Services

(Figure: Inside_Eng and Inside_Mktg nested within Inside_Networks; DMZ and Internet)
Multiple Object Groups in ACLs

chicago(config)# show object-group
object-group network REMOTES
  network-object host
  network-object host
object-group network DMZ1
  network-object host
  network-object host
object-group network DMZ2
  network-object host
object-group network ALL_DMZ
  group-object DMZ1
  group-object DMZ2
object-group service BASIC
  port-object eq http
  port-object eq smtp

pixfirewall(config)# access-list acl_out permit tcp object-group REMOTES object-group ALL_DMZ object-group BASIC

pixfirewall(config)# show static
static(dmz1,outside) netmask
static(dmz1,outside) netmask
static(dmz2,outside) netmask

(Figure: two DMZ segments, DMZ1 and DMZ2, behind the PIX Firewall)
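To show what Task 7's show access-list output means, the following added example (not Cisco code, and not part of the original slides) expands an ACE that references object groups, including nested ones, into the individual entries the firewall evaluates. The group names mirror this slide; the host addresses, and the names flatten and expand_ace, are constructed for the example.

```python
"""Expand a PIX-style ACE that references object groups into the flat
entries the firewall evaluates (what `show access-list` displays).
Added example, not Cisco code; function names are illustrative."""
from itertools import product

# Constructed sample groups modelled on the lesson's `show object-group`
# output. Addresses are placeholders from documentation ranges.
GROUPS = {
    "REMOTES": ("network", ["host 192.0.2.10", "host 192.0.2.11"]),
    "DMZ1":    ("network", ["host 203.0.113.10", "host 203.0.113.11"]),
    "DMZ2":    ("network", ["host 203.0.113.20"]),
    "ALL_DMZ": ("network", ["group-object DMZ1", "group-object DMZ2"]),
    "BASIC":   ("service", ["eq http", "eq smtp"]),
}


def flatten(group_id, groups, path=()):
    """Return the leaf members of a group, following group-object nesting.
    Rejects references to undefined groups (a hyphen/underscore mismatch
    in a name is a common cause) and nesting loops."""
    if group_id not in groups:
        raise KeyError(f"object-group {group_id} is not defined")
    if group_id in path:
        raise ValueError(f"nesting loop: {' -> '.join(path + (group_id,))}")
    leaves = []
    for member in groups[group_id][1]:
        if member.startswith("group-object "):
            leaves.extend(flatten(member.split()[1], groups, path + (group_id,)))
        else:
            leaves.append(member)
    return leaves


def expand_ace(acl_id, action, proto, src, dst, svc, groups):
    """Expand one access-list line into individual ACEs. Any of src, dst
    or svc may be a group name or a literal such as 'any' or 'eq http'."""
    def members(token):
        return flatten(token, groups) if token in groups else [token]
    return [f"access-list {acl_id} {action} {proto} {s} {d} {p}"
            for s, d, p in product(members(src), members(dst), members(svc))]


if __name__ == "__main__":
    # Two remotes x three DMZ hosts x two services = 12 expanded ACEs
    for ace in expand_ace("acl_out", "permit", "tcp",
                          "REMOTES", "ALL_DMZ", "BASIC", GROUPS):
        print(ace)
```

The single access-list line on this slide expands to 2 x 3 x 2 = 12 entries, which is the count to expect when reviewing show access-list output or estimating the reduction object groups buy you.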
Displaying Configured Object Groups

pixfirewall(config)# show object-group [protocol | service | icmp-type | network]
  Displays the object groups in the configuration.

Example:
pixfirewall# show object-group
object-group network DMZ1
  network-object host
  network-object host
object-group network DMZ2
  network-object host
object-group network ALL_DMZ
  group-object DMZ1
  group-object DMZ2
Removing Configured Object Groups

pixfirewall(config)# no object-group protocol | network | icmp-type grp_id
  Removes a specific protocol, network, or icmp-type object group.

pixfirewall(config)# no object-group service grp_id tcp | udp | tcp-udp
  Removes a specific service object group.

pixfirewall(config)# clear object-group [protocol | service | icmp-type | network]
  Removes all object groups, or all object groups of a specific type.

Examples:
pixfirewall(config)# no object-group network ALL_DMZ
pixfirewall(config)# clear object-group protocol
Summary

- You can group network objects, services, protocols, and ICMP message types to reduce the number of ACEs required to implement your security policy.
- The main object grouping command, the object-group command, names your object group and enables a subcommand mode for the type of object you specify.
- Members of an object group are defined in its subcommand mode.
- Hierarchical object grouping enables greater flexibility and modularity for specifying entries within ACLs.
Lab Exercise

Lab Visual Objective

(Figure: lab topology for Pods 1–5 and Pods 6– onward; each pod has a Student PC, a PIX Firewall, a Web/FTP server, a CSACS server, a bastionhost Web/FTP server, and RTS and RBB routers; addresses use the pod numbers P and Q, for example 10.0.P.11)