Object Groups for ACLs (PDF)

20 Pages · 2017 · 1.42 MB · English
The Object Groups for ACLs feature lets you classify users, devices, or protocols into groups and apply these groups to access control lists (ACLs) to create access control policies for these groups. This feature lets you use object groups instead of individual IP addresses, protocols, and ports, which are used in conventional ACLs. This feature allows multiple access control entries (ACEs). You can use each ACE to allow an entire group of users to access a group of servers or services or to deny them access, thereby reducing the size of an ACL and improving manageability.

This module describes object-group ACLs with zone-based policy firewalls and how to configure them for zone-based firewalls.

• Finding Feature Information, page 1
• Restrictions for Object Groups for ACLs, page 1
• Information About Object Groups for ACLs, page 2
• How to Configure Object Groups for ACLs, page 4
• Configuration Examples for Object Groups for ACLs, page 16
• Additional References for Object Groups for ACLs, page 18
• Feature Information for Object Groups for ACLs, page 19

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

Restrictions for Object Groups for ACLs

The following restrictions apply to the Object Groups for ACLs feature on zone-based firewalls:

• IPv6 is not supported.
• Dynamic and per-user access control lists (ACLs) are not supported.
• You cannot remove an object group or make an object group empty if it is used in an ACL.
• ACL statements using object groups will be ignored on packets that are sent to the RP for processing.
• Object groups are supported only for IP extended ACLs.

Information About Object Groups for ACLs

Overview of Object Groups for ACLs

In large networks, the number of lines in an access control list (ACL) can be large (hundreds of lines) and difficult to configure and manage, especially if the ACLs frequently change. Object-group-based ACLs are smaller, more readable, and easier to configure and manage. Object-group-based ACLs simplify static ACL deployments for large user access environments on Cisco IOS routers. The zone-based firewall benefits from object groups, because object groups simplify policy creation (for example, group A has access to group A services).

You can configure conventional access control entries (ACEs) and ACEs that refer to object groups in the same ACL. You can use object-group-based ACLs with quality of service (QoS) match criteria, zone-based policy firewall, Dynamic Host Configuration Protocol (DHCP), and any other features that use extended ACLs.

In addition, you can use object-group-based ACLs with multicast traffic. When there are many inbound and outbound packets, using object-group-based ACLs increases performance compared to conventional ACLs. Also, in large configurations, this feature reduces the storage required in NVRAM, because you need not define an individual ACE for every address and protocol pairing.

Integration of Zone-Based Firewalls with Object Groups

Zone-based firewalls use object-group access control lists (ACLs) to apply policies to specific traffic. You define an object-group ACL, associate it with a zone-based firewall policy, and apply the policy to a zone pair to inspect the traffic.

In Cisco IOS XE Release 3.12S, only expanded object-group ACLs are supported with firewalls.

The following features work with object groups that are configured on a firewall:

• Static and dynamic network address translation (NAT)
• Service NAT (NAT that supports non-standard FTP port numbers configured by the ip nat service command)
• FTP application layer gateway (ALG)
• Session Initiation Protocol (SIP) ALG

In a class map, you can configure a maximum of 64 matching statements using the match access-group command.

Objects Allowed in Network Object Groups

A network object group is a group of any of the following objects:

• Any IP address, which includes a range from 0.0.0.0 to 255.255.255.255 (this is specified using the any command)
• Host IP addresses
• Hostnames
• Other network object groups
• Subnets
• Host IP addresses
• Network address of group members
• Nested object groups

Objects Allowed in Service Object Groups

A service object group is a group of any of the following objects:

• Source and destination protocol ports (such as Telnet or Simple Network Management Protocol [SNMP])
• Internet Control Message Protocol (ICMP) types (such as echo, echo-reply, or host-unreachable)
• Top-level protocols (such as Encapsulating Security Payload [ESP], TCP, or UDP)
• Other service object groups

ACLs Based on Object Groups

All features that use or reference conventional access control lists (ACLs) are compatible with object-group-based ACLs, and the feature interactions for conventional ACLs are the same with object-group-based ACLs. This feature extends the conventional ACLs to support object-group-based ACLs and also adds new keywords for the source and destination addresses and ports.

You can apply object-group-based ACLs to interfaces that are configured in a VPN routing and forwarding (VRF) instance or to features that are used within a VRF context.

You can add, delete, or change objects in an object group membership list dynamically (without deleting and redefining the object group). Also, you can add, delete, or change objects in an object group membership list without redefining the ACL access control entry (ACE) that uses the object group. You can add objects to groups, delete them from groups, and then ensure that the changes are functioning correctly within the object-group-based ACL without reapplying the ACL to the interface.

You can configure an object-group-based ACL multiple times with a source group only, a destination group only, or both source and destination groups.

You cannot delete an object group that is used within an ACL or a class-based policy language (CPL) policy.

Guidelines for Object Group ACLs

• Object groups must have unique names. For example, to create a network object group named "Engineering" and a service object group named "Engineering," you must add an identifier (or tag) to at least one object group name to make it unique. For example, you can use the names "Engineering-admins" and "Engineering-hosts" to make the object group names unique and easier to identify.
• Additional objects can be added to an existing object group. After adding an object group, you can add more objects as required for the same group name. You do not need to reenter existing objects; the previous configuration remains in place until the object group is removed.
• Different objects can be grouped together. For example, objects such as hosts, protocols, or services can be grouped together and configured under the same group name. Network objects can be defined only under a network group, and service objects can be defined only under a service group.
• When you define a group with the object-group command and use any security appliance command, the command applies to every item in that group. This feature can significantly reduce your configuration size.

How to Configure Object Groups for ACLs

To configure object groups for ACLs, you first create one or more object groups. These can be any combination of network object groups (groups that contain objects such as host addresses and network addresses) or service object groups (which use operators such as lt, eq, gt, neq, and range with port numbers). Then, you create access control entries (ACEs) that apply a policy (such as permit or deny) to those object groups.

Creating a Network Object Group

A network object group that contains a single object (such as a single IP address, a hostname, another network object group, or a subnet) or nested objects (multiple network object groups can be defined in a single network object group) is used with a network object-group-based ACL to create access control policies for the objects.

Perform this task to create a network object group.

SUMMARY STEPS

1. enable
2. configure terminal
3. object-group network object-group-name
4. description description-text
5. host {host-address | host-name}
6. network-address {/nn | network-mask}
7. any
8. group-object nested-object-group-name
9. Repeat the steps until you have specified the objects on which you want to base your object group.
10. end

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 3: object-group network object-group-name
Purpose: Defines the object group name and enters network object-group configuration mode.
Example:
Device(config)# object-group network my-network-object-group

Step 4: description description-text
Purpose: (Optional) Specifies a description of the object group.
• You can use up to 200 characters.
Example:
Device(config-network-group)# description test engineers

Step 5: host {host-address | host-name}
Purpose: (Optional) Specifies the IP address or name of a host.
• If you specify a host address, you must use an IPv4 address.
Example:
Device(config-network-group)# host 209.165.200.237

Step 6: network-address {/nn | network-mask}
Purpose: (Optional) Specifies a subnet object.
• You must specify an IPv4 address for the network address. The default network mask is 255.255.255.255.
Example:
Device(config-network-group)# 209.165.200.241 255.255.255.224

Step 7: any
Purpose: (Optional) Specifies any host IP address in the range 0.0.0.0 to 255.255.255.255.
Example:
Device(config-network-group)# any

Step 8: group-object nested-object-group-name
Purpose: (Optional) Specifies a nested (child) object group to be included in the current (parent) object group.
• The type of child object group must match that of the parent (for example, if you are creating a network object group, you must specify another network object group as the child).
• You can use duplicated objects in an object group only via nesting of group objects. For example, if object 1 is in both group A and group B, you can define a group C that includes both A and B. However, you cannot include a group object that causes the group hierarchy to become circular (for example, you cannot include group A in group B and then also include group B in group A).
• You can use an unlimited number of levels of nested object groups (however, a maximum of two levels is recommended).
Example:
Device(config-network-group)# group-object my-nested-object-group

Step 9: Repeat the steps until you have specified the objects on which you want to base your object group.
Purpose: (none)

Step 10: end
Purpose: Exits network object-group configuration mode and returns to privileged EXEC mode.
Example:
Device(config-network-group)# end

Creating a Service Object Group

Use a service object group to specify TCP and/or UDP ports or port ranges. When the service object group is associated with an access control list (ACL), this service object-group-based ACL can control access to ports.

SUMMARY STEPS

1. enable
2. configure terminal
3. object-group service object-group-name
4. description description-text
5. protocol
6. {tcp | udp | tcp-udp} [source {{[eq] | lt | gt} port1 | range port1 port2}] [{[eq] | lt | gt} port1 | range port1 port2]
7. icmp icmp-type
8. group-object nested-object-group-name
9. Repeat the steps to specify the objects on which you want to base your object group.
10. end

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 3: object-group service object-group-name
Purpose: Defines an object group name and enters service object-group configuration mode.
Example:
Device(config)# object-group service my-service-object-group

Step 4: description description-text
Purpose: (Optional) Specifies a description of the object group.
• You can use up to 200 characters.
Example:
Device(config-service-group)# description test engineers

Step 5: protocol
Purpose: (Optional) Specifies an IP protocol number or name.
Example:
Device(config-service-group)# ahp

Step 6: {tcp | udp | tcp-udp} [source {{[eq] | lt | gt} port1 | range port1 port2}] [{[eq] | lt | gt} port1 | range port1 port2]
Purpose: (Optional) Specifies TCP, UDP, or both.
Example:
Device(config-service-group)# tcp-udp range 2000 2005

Step 7: icmp icmp-type
Purpose: (Optional) Specifies the decimal number or name of an Internet Control Message Protocol (ICMP) type.
Example:
Device(config-service-group)# icmp conversion-error

Step 8: group-object nested-object-group-name
Purpose: (Optional) Specifies a nested (child) object group to be included in the current (parent) object group.
• The type of child object group must match that of the parent (for example, if you are creating a network object group, you must specify another network object group as the child).
• You can use duplicated objects in an object group only via nesting of group objects. For example, if object 1 is in both group A and group B, you can define a group C that includes both A and B. However, you cannot include a group object that causes the group hierarchy to become circular (for example, you cannot include group A in group B and then also include group B in group A).
• You can use an unlimited number of levels of nested object groups (however, a maximum of two levels is recommended).
Example:
Device(config-service-group)# group-object my-nested-object-group

Step 9: Repeat the steps to specify the objects on which you want to base your object group.
Purpose: (none)

Step 10: end
Purpose: Exits service object-group configuration mode and returns to privileged EXEC mode.
Example:
Device(config-service-group)# end

Creating an Object-Group-Based ACL

When creating an object-group-based access control list (ACL), configure an ACL that references one or more object groups. As with conventional ACLs, you can associate the same access policy with one or more interfaces.

You can define multiple access control entries (ACEs) that reference object groups within the same object-group-based ACL. You can also reuse a specific object group in multiple ACEs.

Perform this task to create an object-group-based ACL.

SUMMARY STEPS

1. enable
2. configure terminal
3. ip access-list extended access-list-name
4. remark remark
5. deny protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
6. remark remark
7. permit protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
8. Repeat the steps to specify the fields and values on which you want to base your access list.
9. end

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 3: ip access-list extended access-list-name
Purpose: Defines an extended IP access list using a name and enters extended access-list configuration mode.
Example:
Device(config)# ip access-list extended nomarketing

Step 4: remark remark
Purpose: (Optional) Adds a comment about the configured access list entry.
• A remark can precede or follow an access list entry.
• In this example, the remark reminds the network administrator that the subsequent entry denies the Marketing network access to the interface.
Example:
Device(config-ext-nacl)# remark protect server by denying access from the Marketing network

Step 5: deny protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
Purpose: (Optional) Denies any packet that matches all conditions specified in the statement.
• Optionally use the object-group service-object-group-name keyword and argument as a substitute for the protocol argument.
• Optionally use the object-group source-network-object-group-name keyword and argument as a substitute for the source source-wildcard arguments.
• Optionally use the object-group destination-network-object-group-name keyword and argument as a substitute for the destination destination-wildcard arguments.
• If the source-wildcard or destination-wildcard is omitted, a wildcard mask of 0.0.0.0 is assumed, which matches all bits of the source or destination address, respectively.
• Optionally use the any keyword as a substitute for the source source-wildcard or destination destination-wildcard to specify the address and wildcard of 0.0.0.0 255.255.255.255.
• Optionally use the host source keyword and argument to indicate a source and source wildcard of source 0.0.0.0, or the host destination keyword and argument to indicate a destination and destination wildcard of destination 0.0.0.0.
• In this example, packets from all sources are denied access to the destination network 209.165.200.244. Logging messages about packets permitted or denied by the access list are sent to the facility configured by the logging facility command (for example, console, terminal, or syslog). That is, any packet that matches the access list will cause an informational logging message about the packet to be sent to the configured facility. The level of messages logged to the console is controlled by the logging console command.
Example:
Device(config-ext-nacl)# deny ip 209.165.200.244 255.255.255.224 host 209.165.200.245 log
Example based on object-group:
Router(config)# object-group network my_network_object_group
Router(config-network-group)# 209.165.200.224 255.255.255.224
Router(config-network-group)# exit
Router(config)# object-group network my_other_network_object_group
Router(config-network-group)# host 209.165.200.245
Router(config-network-group)# exit
Router(config)# ip access-list extended nomarketing
Router(config-ext-nacl)# deny ip object-group my_network_object_group object-group my_other_network_object_group log

Step 6: remark remark
Purpose: (Optional) Adds a comment about the configured access list entry.
• A remark can precede or follow an access list entry.
Example:
Device(config-ext-nacl)# remark allow TCP from any source to any destination

Step 7: permit protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
Purpose: Permits any packet that matches all conditions specified in the statement.
• Every access list needs at least one permit statement.
• Optionally use the object-group service-object-group-name keyword and argument as a substitute for the protocol.
• Optionally use the object-group source-network-object-group-name keyword and argument as a substitute for the source source-wildcard.
Example:
Device(config-ext-nacl)# permit tcp any any
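The group-object nesting rules (no circular hierarchy, nested groups expanded through), the network-mask-to-wildcard difference between object groups and ACEs, and the "cannot delete a group in use" restriction described above, modelled in Python as an added example. This is not Cisco's or the guide's code; the group names, the NetworkGroup/expand_ace/delete_group helpers and the sample data are constructed for the example, using the addresses and port range shown on this page.

```python
# Added example (not Cisco's code): a model of the object-group semantics this
# page documents, showing the conventional ACEs one object-group ACE stands for.
# Names are hypothetical; the sample groups below are constructed for the example.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NetworkGroup:
    """One 'object-group network' block: host, subnet, any and group-object lines."""
    name: str
    hosts: list[str] = field(default_factory=list)
    subnets: list[str] = field(default_factory=list)  # "address network-mask"
    any_host: bool = False
    nested: list[str] = field(default_factory=list)   # group-object children

def expand_network(groups: dict[str, NetworkGroup], name: str, path=()) -> list[str]:
    """Source/destination fields the group stands for in conventional ACEs.
    Nesting is followed recursively; a circular hierarchy (A in B and B in A)
    is rejected, as the group-object step on this page requires."""
    if name in path:
        raise ValueError("circular nesting: " + " -> ".join(path + (name,)))
    g, fields = groups[name], []
    if g.any_host:
        fields.append("any")                 # address/wildcard 0.0.0.0 255.255.255.255
    for h in g.hosts:
        fields.append(f"host {h}")           # host keyword == wildcard 0.0.0.0
    for s in g.subnets:
        # object groups take a network mask; conventional ACEs take a wildcard mask
        net = ipaddress.ip_network(s.replace(" ", "/"), strict=False)
        fields.append(f"{net.network_address} {net.hostmask}")
    for child in g.nested:
        fields.extend(expand_network(groups, child, path + (name,)))
    return fields

def expand_ace(groups, action, services, src, dst, log=False) -> list[str]:
    """Cross product: one object-group ACE == len(services)*len(src)*len(dst) ACEs."""
    tail = " log" if log else ""
    return [f"{action} {svc} {s} {d}{tail}" for svc in services
            for s in expand_network(groups, src) for d in expand_network(groups, dst)]

def delete_group(groups, name, acl) -> None:
    """Refuse to remove a group still referenced by an ACE or nested in another group."""
    if any(name in ace[2:4] for ace in acl) or any(name in g.nested for g in groups.values()):
        raise ValueError(f"object group {name} is in use")
    del groups[name]

# Constructed sample using the addresses and port range shown on this page.
GROUPS = {
    "my_network_object_group": NetworkGroup("my_network_object_group",
                                            subnets=["209.165.200.224 255.255.255.224"]),
    "my_other_network_object_group": NetworkGroup("my_other_network_object_group",
                                                  hosts=["209.165.200.245"]),
    "engineering-hosts": NetworkGroup("engineering-hosts", hosts=["209.165.200.237"],
                                      nested=["my_other_network_object_group"]),
}
SERVICES = ["tcp range 2000 2005", "udp range 2000 2005"]  # tcp-udp range 2000 2005
ACL = [("deny", SERVICES, "engineering-hosts", "my_network_object_group", True)]
```

Calling expand_ace(GROUPS, *ACL[0]) yields the four conventional ACEs that the single object-group ACE replaces, which is the size reduction the overview section describes.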