3.Cisco ASA Object Group for Access-List
Imagine you have to manage a Cisco ASA firewall that has hundreds of hosts and dozens of servers behind it, and for each of these devices we require access-list rules that permit or deny traffic.

With so many devices you will have a LOT of access-list statements and it might become an administrative nightmare to read, understand and update the access-list.

To make our lives a bit easier, Cisco introduced the object-group on Cisco ASA Firewalls (and also on IOS routers since IOS 12.4.20T).

An object-group lets you “group” objects: a collection of IP addresses, networks, port numbers, etc. Instead of creating an access-list with many different statements we can refer to an object-group. This makes the access-list smaller and easier to read. Whenever you make changes in the object-group, these are also reflected in every access-list that refers to it.

There are different types of object groups, let’s take a look at what options we have on the ASA:

ASA1(config)# object-group ?

configure mode commands/options:
  icmp-type  Specifies a group of ICMP types, such as echo
  network    Specifies a group of host or subnet IP addresses
  protocol   Specifies a group of protocols, such as TCP, etc
  security   Specifies identity attributes such as security-group
  service    Specifies a group of TCP/UDP ports/services
  user       Specifies single user, local or import user group

Let me give a quick explanation of each object-group:

  • icmp-type can be used to select all the different ICMP types, for example echo, echo-reply, traceroute, unreachable, etc.
  • network is used to select IP addresses and/or network addresses.
  • protocol lets you select an entire protocol. For example, TCP, UDP, GRE, ESP, AH, OSPF, EIGRP, and many others.
  • security is used for Cisco TrustSec.
  • service is used to select TCP and/or UDP port numbers.
  • user is to select local user groups for Identity Firewall.

In this lesson we will focus on network (used for IP addresses / network addresses) and service (used for TCP/UDP port numbers).

We will take a look at a couple of examples and you will see why object groups are very useful. I’ll start with a simple example for servers in the DMZ. Let’s say we have five web servers in the DMZ. This means we require access to TCP port 80 for their IP addresses. Our access-list could look like this:

ASA1(config)# access-list HTTP_TO_DMZ permit tcp any host 192.168.3.1 eq 80
ASA1(config)# access-list HTTP_TO_DMZ permit tcp any host 192.168.3.2 eq 80
ASA1(config)# access-list HTTP_TO_DMZ permit tcp any host 192.168.3.3 eq 80
ASA1(config)# access-list HTTP_TO_DMZ permit tcp any host 192.168.3.4 eq 80
ASA1(config)# access-list HTTP_TO_DMZ permit tcp any host 192.168.3.5 eq 80

This will work but we require 5 statements in our access-list. Let’s see if we can make this smaller by using an object-group. First I’ll delete this access-list:

ASA1(config)# clear configure access-list HTTP_TO_DMZ

Now I will create a network object-group where I configure the IP addresses of all my servers in the DMZ:

ASA1(config)# object-group network WEB_SERVERS
ASA1(config-network-object-group)# network-object host 192.168.3.1
ASA1(config-network-object-group)# network-object host 192.168.3.2
ASA1(config-network-object-group)# network-object host 192.168.3.3
ASA1(config-network-object-group)# network-object host 192.168.3.4
ASA1(config-network-object-group)# network-object host 192.168.3.5

The object-group is ready, now we will create the access-list again and we’ll use the object-group in it:

ASA1(config)# access-list HTTP_TO_DMZ permit tcp any object-group WEB_SERVERS eq 80

I reduced the access-list from five statements to just one statement. Instead of specifying each IP address separately, I refer to the object-group. This is useful, right? If you look in the configuration you will find this single entry:

ASA1(config)# show run | include HTTP_TO_DMZ
access-list HTTP_TO_DMZ extended permit tcp any object-group WEB_SERVERS eq www

However if you look at the access-list, it will show you both the object-group and the specific entries:

ASA1(config)# show access-list HTTP_TO_DMZ 
access-list HTTP_TO_DMZ; 5 elements; name hash: 0x6ce713ae
access-list HTTP_TO_DMZ line 1 extended permit tcp any object-group WEB_SERVERS eq www (hitcnt=0) 0x0964f55b 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.1 eq www (hitcnt=0) 0x461c3d40 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.2 eq www (hitcnt=0) 0x3413c8db 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.3 eq www (hitcnt=0) 0x5ee1c727 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.4 eq www (hitcnt=0) 0x089ddde7 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.5 eq www (hitcnt=0) 0x68e87688

The previous example should give you a good idea how you can use object groups to make your access-list smaller. Let’s continue by adding some more requirements. Let’s say that our web servers require access to some extra TCP ports: besides TCP port 80 we also need access to 22, 23 and 443.

We could update our access-list to add these ports:

ASA1(config)# access-list HTTP_TO_DMZ permit tcp any object-group WEB_SERVERS eq 22
ASA1(config)# access-list HTTP_TO_DMZ permit tcp any object-group WEB_SERVERS eq 23
ASA1(config)# access-list HTTP_TO_DMZ permit tcp any object-group WEB_SERVERS eq 443

This does the job, but now we have 4 statements, one for each TCP port. Instead of specifying the TCP port in each statement, we will create another object-group that combines all our TCP ports. Here’s what it will look like:

ASA1(config)# object-group service DMZ_SERVICES tcp
ASA1(config-service-object-group)# port-object eq 22
ASA1(config-service-object-group)# port-object eq 23
ASA1(config-service-object-group)# port-object eq 80
ASA1(config-service-object-group)# port-object eq 443

This time we use a service object-group and it’s called DMZ_SERVICES. We add all the TCP ports that we want to use. We will re-create the access-list to look like this:

ASA1(config)# access-list HTTP_TO_DMZ permit tcp any object-group WEB_SERVERS object-group DMZ_SERVICES

We only require a single statement. The first object-group refers to the IP addresses and the second one refers to our TCP ports. Here’s what it looks like in the configuration:

ASA1(config)# show run | include HTTP_TO_DMZ
access-list HTTP_TO_DMZ extended permit tcp any object-group WEB_SERVERS object-group DMZ_SERVICES

And if you want to see everything, use the show access-list command:

ASA1(config)# show access-list HTTP_TO_DMZ
access-list HTTP_TO_DMZ; 20 elements; name hash: 0x6ce713ae
access-list HTTP_TO_DMZ line 1 extended permit tcp any object-group WEB_SERVERS object-group DMZ_SERVICES (hitcnt=0) 0xb4152b1c 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.1 eq ssh (hitcnt=0) 0xe2dd1ce6 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.1 eq telnet (hitcnt=0) 0x43115d63 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.1 eq www (hitcnt=0) 0x461c3d40 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.1 eq https (hitcnt=0) 0x2590b5b6 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.2 eq ssh (hitcnt=0) 0xc4b89091 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.2 eq telnet (hitcnt=0) 0x200aa754 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.2 eq www (hitcnt=0) 0x3413c8db 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.2 eq https (hitcnt=0) 0xf1718bb3 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.3 eq ssh (hitcnt=0) 0xb23e4182 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.3 eq telnet (hitcnt=0) 0x6ca81567 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.3 eq www (hitcnt=0) 0x5ee1c727 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.3 eq https (hitcnt=0) 0x259c30f2 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.4 eq ssh (hitcnt=0) 0x1eb1dd9f 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.4 eq telnet (hitcnt=0) 0x462c5695 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.4 eq www (hitcnt=0) 0x089ddde7 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.4 eq https (hitcnt=0) 0xfba96c4f 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.5 eq ssh (hitcnt=0) 0x71c65631 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.5 eq telnet (hitcnt=0) 0x8b045d29 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.5 eq www (hitcnt=0) 0x68e87688 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.5 eq https (hitcnt=0) 0xee915aaa

That’s 20 statements reduced to 1 statement in our access-list thanks to our object-groups. I hope this lesson has helped you understand object groups and has also shown you why they are so useful. If you have any questions, feel free to leave a comment.
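The expansion that show access-list performs above, as an added Python example that is not part of the original lesson: it parses the lesson’s two object-groups and the final ACE from a constructed config snippet and reproduces the 20 per-element entries in the order the ASA prints them, which is handy when auditing how many rules a compact access-list really permits. The function names and the sample text are my own assumptions, not ASA tooling.

```python
import re

# Constructed config text mirroring the lesson's object-groups and final ACE.
SAMPLE_CONFIG = """object-group network WEB_SERVERS
 network-object host 192.168.3.1
 network-object host 192.168.3.2
 network-object host 192.168.3.3
 network-object host 192.168.3.4
 network-object host 192.168.3.5
object-group service DMZ_SERVICES tcp
 port-object eq 22
 port-object eq 23
 port-object eq 80
 port-object eq 443
access-list HTTP_TO_DMZ extended permit tcp any object-group WEB_SERVERS object-group DMZ_SERVICES
"""

def parse_config(text):
    """Collect object-group members keyed by group name, plus the access-list lines."""
    groups, acls, current = {}, [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = re.match(r"object-group (?:network|service) (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif current is not None and line.startswith(("network-object host ", "port-object eq ")):
            # keep only what the ACE needs: "host <ip>" or "eq <port>"
            current.append(" ".join(line.split()[1:]))
        elif line.startswith("access-list "):
            acls.append(line)
    return groups, acls

def expand_ace(ace, groups):
    """Replace each object-group reference with its members, one element per combination."""
    m = re.search(r"object-group (\S+)", ace)
    if not m:
        return [ace]
    members = groups.get(m.group(1))
    if not members:  # the ASA would reject an ACE that names an undefined group
        raise ValueError("undefined or empty object-group: " + m.group(1))
    return [elem for member in members
            for elem in expand_ace(ace[:m.start()] + member + ace[m.end():], groups)]

def effective_elements(text):
    """Map each access-list name to its fully expanded element list."""
    groups, acls = parse_config(text)
    result = {}
    for ace in acls:
        result.setdefault(ace.split()[1], []).extend(expand_ace(ace, groups))
    return result
```

Running effective_elements(SAMPLE_CONFIG) yields 20 elements for HTTP_TO_DMZ, from host 192.168.3.1 eq 22 through host 192.168.3.5 eq 443, matching the show access-list output above.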
