CISCO ASA - Objects | PDF | Internet Protocol Suite | Computer Network
Scribd
Upload
104 views

CISCO ASA - Objects

Objects are reusable components in Cisco ASA configurations that can represent IP addresses, services, and other entities. There are two main types of objects - network objects and service objects. Object groups allow similar objects to be grouped together for easy reference in access control lists and security policies. Common object group types include network, protocol, service, and ICMP type groups. Object groups can be nested to efficiently organize related objects.

Uploaded by

jsinghengineer1
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
104 views

CISCO ASA - Objects

Objects are reusable components in Cisco ASA configurations that can represent IP addresses, services, and other entities. There are two main types of objects - network objects and service objects. Object groups allow similar objects to be grouped together for easy reference in access control lists and security policies. Common object group types include network, protocol, service, and ICMP type groups. Object groups can be nested to efficiently organize related objects.

Uploaded by

jsinghengineer1
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 9

Presents …

CISCO ASA OBJECTS


Objects

Objects are reusable components for use in our configuration. We can define and use them in
Cisco ASA configurations in the place of IP addresses, services and so on.

We create objects only once and refers them anywhere in the configuration.

Objects make it easy to maintain our configurations because we can modify an object in one
place and have it be reflected in all other places that are referencing it.

For example, if we are using IP address and subnet mask in multiple features in our configuration
and we want to modify it then we have to change it every place manually but if we use object of
same IP address then we would just modify the object definition and change would be reflected
in very pace where it is referred.

Types of Objects

Two types of objects

 Network Object
 Service Object

Network Object

 A network object can contain a host, a network IP address, a range of IP addresses.


 We can also enable NAT rules on the object.
 Create or edit a network object using the object name: object network <object_name>
Service Object

 A service object can contain a single protocol specification.


 Create or edit a service object using the object name: object service <object_name>

OBJECT GROUPS

Object groups allow us to create groups of related information that we apply to our filtering
policies, thereby reducing the number of filtering commands that we have to enter.

Once we have created groups of objects, we can include them in our ACL commands to permit or
deny packets based on matches in the object groups.

Advantages of Object Group

 If we need to define a filtering policy that denies telnet traffic from 192.168.10.11 to
192.168.20.22, we could easily accomplish this with a single ACL command.

However, if we have a list of ten clients trying to access three servers for both telnet and
e-mail, the filtering configuration becomes very complex when using ACLs alone.

So to make this task easy we could use object groups to create a network group for the ten
clients, a network group for the three servers, and a service group for telnet and e-mail, and then
use these groupings in a single ACL command.

 We can embed an object group within another object group; this is called nesting.

For example, we might have two network object groups, and want to create a filter that includes
both groups. Originally, this would require two ACL statements.
To solve this problem, we can create a third object group and can include the first two network
object groups within this new group. Then create a single ACL statement that references the
object group that includes the nesting of the two specific object groups.

Types of Object Groups

We can create the following types of object groups

 Network – Used for grouping of hosts or subnets


 Protocol – Used for grouping of IP protocols, like IP, ICMP, TCP, UDP, or other IP protocols
 Service – Used for group of TCP or UDP applications
 ICMP type – Used for grouping of ICMP messages
 Security – Used in features that support Cisco TrustSec architecture
 User - Used in features that support the identity firewall

Network Object Groups


We can create a group of network objects that specify host addresses or subnets and use this
network object group in our ACL commands.

ciscoasa(config)# object-group network group_ID


ciscoasa(config-network)# network-object host host_address
ciscoasa(config-network)# network-object network_address subnet_mask

hostname (config)# object-group network admins


hostname (config-network)# description Administrator Addresses
hostname (config-network)# network-object host 10.1.1.4
hostname (config-network)# network-object host 10.1.1.78
hostname (config-network )# network-object host 10.1.1.34

Protocol Object Groups


We can create a group of IP protocols like TCP, UDP or ICMP and use this group in our ACL
commands.

ciscoasa(config)# object-group protocol group_ID


ciscoasa(config-protocol)# protocol-object protocol_name_or_number
hostname (config)# object-group protocol tcp_udp_icmp
hostname (config-protocol)# protocol-object tcp
hostname (config-protocol)# protocol-object udp
hostname (config-protocol)# protocol-object icmp

Service Object Groups

We can create a group of TCP and UDP applications or ports and use this group in our ACL
statements.

ciscoasa(config)# object-group service group_ID {tcp | udp | tcp-udp}


ciscoasa(config-service)# port-object eq port_name_or_number
ciscoasa(config-service)# port-object range first_port last_port

hostname (config)# object-group service services1 tcp-udp


hostname (config-service)# description DNS Group
hostname (config-service)# port-object eq domain
hostname (config)# object-group service services2 udp
hostname (config-service)# description RADIUS Group
hostname (config-service)# port-object eq radius
hostname (config-service)# port-object eq radius-acct
hostname (config)# object-group service services3 tcp
hostname (config-service)# description LDAP Group
hostname (config-service)# port-object eq ldap

ICMP Object Groups


We can create an object group for ICMP messages and use this group in your ACL statements.

ciscoasa(config)# object-group icmp-type group_ID


ciscoasa(config-icmp-type)# icmp-object ICMP_message

hostname (config)# object-group icmp-type ping


hostname (config-service)# description Ping Group
hostname (config-service)# icmp-object echo
hostname (config-service)# icmp-object echo-reply

Security Group Object Groups


We can create security group object groups for use in features that support Cisco TrustSec
Architecture by including the group in an extended ACL, which in turn can be used in an access rule.

When integrated with Cisco TrustSec, the ASA downloads security group information from the ISE
(Identity Services Engine).

ciscoasa(config)# object-group security group_ID


ciscoasa(config)# security-group name <name>

hostname(config)# object-group security mktg-sg


hostname(config-security-object-group)# security-group tag 1
hostname(config-security-object-group)# security-group name mgkt

*Security group names are created on the ISE.


*Tag is a number from 1 to 65533 and is assigned to a device by ISE.

User Group Object Groups


We can create local user groups for use in features that support the identity firewall by including the
group in an extended ACL, which in turn can be used in an access rule.

The Identity Firewall in the ASA provides access control based on user’s identities. We can configure
access rules and security policies based on user names and user group names rather than through
source IP addresses. The Identity Firewall integrates with Microsoft Active Directory in conjunction
with an external Active Directory (AD) Agent.

ciscoasa(config)#object-group user group_ID

hostname(config)# object-group user admins


hostname(config-user-object-group)# user EXAMPLE\admin
hostname(config-user-object-group)# user-group EXAMPLE\\managers

Object Group Nesting


We can embed an object group within another object group.

hostname (config)# object-group network eng


hostname (config-network)# network-object host 10.1.1.5
hostname (config-network)# network-object host 10.1.1.9
hostname (config-network)# network-object host 10.1.1.89

hostname (config)# object-group network hr


hostname (config-network)# network-object host 10.1.2.8
hostname (config-network)# network-object host 10.1.2.12

hostname (config)# object-group network finance


hostname (config-network)# network-object host 10.1.4.89
hostname (config-network)# network-object host 10.1.4.100

We then nest all three groups together as follows:

hostname (config)# object-group network admin


hostname (config-network)# group-object eng
hostname (config-network)# group-object hr
hostname (config-network)# group-object finance
Examining Your Object Groups

ciscoasa# show run object-group [protocol | network | service | icmp-type]


ciscoasa# show run object-group

ciscoasa# show run object-group id <group_ID >

Deleting Object Groups

To remove all object groups on your appliance

ciscoasa(config)# clear configure object-group [protocol | network |services | icmp-type]


ciscoasa(config)# clear configure object-group

To remove a specific object group:

ciscoasa(config)# no object-group <type> <group_ID>

Note: We cannot remove an object group or make an object group empty if it is used in an access
list.
inspectingfirewalls@gmail.com

https://www.facebook.com/groups/inspectingfirewalls

You might also like