Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

Object Groups for ACLs

The Object Groups for ACLs feature lets you classify users, devices, or protocols into groups and apply these groups to access control lists (ACLs) to create access control policies for these groups. This feature lets you use object groups instead of the individual IP addresses, protocols, and ports that are used in conventional ACLs. This feature allows multiple access control entries (ACEs). You can use each ACE to allow an entire group of users to access a group of servers or services, or to deny them access, thereby reducing the size of an ACL and improving manageability.

This module describes object-group ACLs with zone-based policy firewalls and how to configure them for zone-based firewalls.

• Finding Feature Information, page 1
• Restrictions for Object Groups for ACLs, page 1
• Information About Object Groups for ACLs, page 2
• How to Configure Object Groups for ACLs, page 4
• Configuration Examples for Object Groups for ACLs, page 16
• Additional References for Object Groups for ACLs, page 18
• Feature Information for Object Groups for ACLs, page 19

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Object Groups for ACLs

The following restrictions apply to the Object Groups for ACLs feature on zone-based firewalls:

• IPv6 is not supported.
• Dynamic and per-user access control lists (ACLs) are not supported.
• You cannot remove an object group, or make an object group empty, if it is used in an ACL.
• ACL statements using object groups will be ignored on packets that are sent to the RP for processing.
• Object groups are supported only for IP extended ACLs.

Information About Object Groups for ACLs

Overview of Object Groups for ACLs

In large networks, the number of lines in an access control list (ACL) can be large (hundreds of lines) and difficult to configure and manage, especially if the ACLs change frequently. Object-group-based ACLs are smaller, more readable, and easier to configure and manage. Object-group-based ACLs simplify static ACL deployments for large user access environments on Cisco IOS routers. The zone-based firewall benefits from object groups because object groups simplify policy creation (for example, group A has access to group A services).

You can configure conventional access control entries (ACEs) and ACEs that refer to object groups in the same ACL. You can use object-group-based ACLs with quality of service (QoS) match criteria, zone-based policy firewall, Dynamic Host Configuration Protocol (DHCP), and any other feature that uses extended ACLs.

In addition, you can use object-group-based ACLs with multicast traffic. When there are many inbound and outbound packets, using object-group-based ACLs increases performance compared to conventional ACLs. Also, in large configurations, this feature reduces the storage required in NVRAM, because you need not define an individual ACE for every address and protocol pairing.

Integration of Zone-Based Firewalls with Object Groups

Zone-based firewalls use object-group access control lists (ACLs) to apply policies to specific traffic. You define an object-group ACL, associate it with a zone-based firewall policy, and apply the policy to a zone pair to inspect the traffic.

In Cisco IOS XE Release 3.12S, only expanded object-group ACLs are supported with firewalls.

The following features work with object groups that are configured on a firewall:

• Static and dynamic network address translation (NAT)
• Service NAT (NAT that supports non-standard FTP port numbers configured by the ip nat service command)
• FTP application layer gateway (ALG)
• Session Initiation Protocol (SIP) ALG

In a class map, you can configure a maximum of 64 matching statements using the match access-group command.

Objects Allowed in Network Object Groups

A network object group is a group of any of the following objects:

• Any IP address—includes a range from 0.0.0.0 to 255.255.255.255 (this is specified using the any command)
• Host IP addresses
• Hostnames
• Other network object groups
• Subnets
• Host IP addresses
• Network address of group members
• Nested object groups

Objects Allowed in Service Object Groups

A service object group is a group of any of the following objects:

• Source and destination protocol ports (such as Telnet or Simple Network Management Protocol [SNMP])
• Internet Control Message Protocol (ICMP) types (such as echo, echo-reply, or host-unreachable)
• Top-level protocols (such as Encapsulating Security Payload [ESP], TCP, or UDP)
• Other service object groups

ACLs Based on Object Groups

All features that use or reference conventional access control lists (ACLs) are compatible with object-group-based ACLs, and the feature interactions for conventional ACLs are the same with object-group-based ACLs. This feature extends conventional ACLs to support object-group-based ACLs and also adds new keywords for the source and destination addresses and ports.

You can apply object-group-based ACLs to interfaces that are configured in a VPN routing and forwarding (VRF) instance or to features that are used within a VRF context.

You can add, delete, or change objects in an object group membership list dynamically (without deleting and redefining the object group). Also, you can add, delete, or change objects in an object group membership list without redefining the ACL access control entry (ACE) that uses the object group. You can add objects to groups, delete them from groups, and then ensure that the changes are functioning correctly within the object-group-based ACL without reapplying the ACL to the interface.

You can configure an object-group-based ACL multiple times with a source group only, a destination group only, or both source and destination groups.

You cannot delete an object group that is used within an ACL or a class-based policy language (CPL) policy.
Guidelines for Object Group ACLs

• Object groups must have unique names. For example, to create a network object group named "Engineering" and a service object group named "Engineering," you must add an identifier (or tag) to at least one object group name to make it unique. For example, you can use the names "Engineering-admins" and "Engineering-hosts" to make the object group names unique and easier to identify.
• Additional objects can be added to an existing object group. After adding an object group, you can add more objects as required for the same group name. You do not need to reenter existing objects; the previous configuration remains in place until the object group is removed.
• Different objects can be grouped together. For example, objects such as hosts, protocols, or services can be grouped together and configured under the same group name. Network objects can be defined only under a network group, and service objects can be defined only under a service group.
• When you define a group with the object-group command and use any security appliance command, the command applies to every item in that group. This feature can significantly reduce your configuration size.

How to Configure Object Groups for ACLs

To configure object groups for ACLs, you first create one or more object groups. These can be any combination of network object groups (groups that contain objects such as host addresses and network addresses) or service object groups (which use operators such as lt, eq, gt, neq, and range with port numbers). Then you create access control entries (ACEs) that apply a policy (such as permit or deny) to those object groups.

Creating a Network Object Group

A network object group that contains a single object (such as a single IP address, a hostname, another network object group, or a subnet) or nested objects (multiple network object groups can be defined in a single network object group) is used with a network object-group-based ACL to create access control policies for the objects.

Perform this task to create a network object group.

SUMMARY STEPS

1. enable
2. configure terminal
3. object-group network object-group-name
4. description description-text
5. host {host-address | host-name}
6. network-address {/nn | network-mask}
7. any
8. group-object nested-object-group-name
9. Repeat the steps until you have specified the objects on which you want to base your object group.
10. end

DETAILED STEPS

Step 1  enable
Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.
Example:
  Device> enable

Step 2  configure terminal
Purpose: Enters global configuration mode.
Example:
  Device# configure terminal

Step 3  object-group network object-group-name
Purpose: Defines the object group name and enters network object-group configuration mode.
Example:
  Device(config)# object-group network my-network-object-group

Step 4  description description-text
Purpose: (Optional) Specifies a description of the object group.
  • You can use up to 200 characters.
Example:
  Device(config-network-group)# description test engineers

Step 5  host {host-address | host-name}
Purpose: (Optional) Specifies the IP address or name of a host.
  • If you specify a host address, you must use an IPv4 address.
Example:
  Device(config-network-group)# host 209.165.200.237

Step 6  network-address {/nn | network-mask}
Purpose: (Optional) Specifies a subnet object.
  • You must specify an IPv4 address for the network address. The default network mask is 255.255.255.255.
Example:
  Device(config-network-group)# 209.165.200.241 255.255.255.224

Step 7  any
Purpose: (Optional) Specifies any host IP address in the range 0.0.0.0 to 255.255.255.255.
Example:
  Device(config-network-group)# any

Step 8  group-object nested-object-group-name
Purpose: (Optional) Specifies a nested (child) object group to be included in the current (parent) object group.
  • The type of the child object group must match that of the parent (for example, if you are creating a network object group, you must specify another network object group as the child).
  • You can use duplicated objects in an object group only via nesting of group objects. For example, if object 1 is in both group A and group B, you can define a group C that includes both A and B. However, you cannot include a group object that causes the group hierarchy to become circular (for example, you cannot include group A in group B and then also include group B in group A).
  • You can use an unlimited number of levels of nested object groups (however, a maximum of two levels is recommended).
Example:
  Device(config-network-group)# group-object my-nested-object-group

Step 9  Repeat the steps until you have specified the objects on which you want to base your object group.
Purpose: —

Step 10  end
Purpose: Exits network object-group configuration mode and returns to privileged EXEC mode.
Example:
  Device(config-network-group)# end

Creating a Service Object Group

Use a service object group to specify TCP and/or UDP ports or port ranges. When the service object group is associated with an access control list (ACL), this service object-group-based ACL can control access to ports.

SUMMARY STEPS

1. enable
2. configure terminal
3. object-group service object-group-name
4. description description-text
5. protocol
6. {tcp | udp | tcp-udp} [source {{[eq] | lt | gt} port1 | range port1 port2}] [{[eq] | lt | gt} port1 | range port1 port2]
7. icmp icmp-type
8. group-object nested-object-group-name
9. Repeat the steps to specify the objects on which you want to base your object group.
10. end

DETAILED STEPS

Step 1  enable
Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.
Example:
  Device> enable

Step 2  configure terminal
Purpose: Enters global configuration mode.
Example:
  Device# configure terminal

Step 3  object-group service object-group-name
Purpose: Defines an object group name and enters service object-group configuration mode.
Example:
  Device(config)# object-group service my-service-object-group

Step 4  description description-text
Purpose: (Optional) Specifies a description of the object group.
  • You can use up to 200 characters.
Example:
  Device(config-service-group)# description test engineers

Step 5  protocol
Purpose: (Optional) Specifies an IP protocol number or name.
Example:
  Device(config-service-group)# ahp

Step 6  {tcp | udp | tcp-udp} [source {{[eq] | lt | gt} port1 | range port1 port2}] [{[eq] | lt | gt} port1 | range port1 port2]
Purpose: (Optional) Specifies TCP, UDP, or both.
Example:
  Device(config-service-group)# tcp-udp range 2000 2005

Step 7  icmp icmp-type
Purpose: (Optional) Specifies the decimal number or name of an Internet Control Message Protocol (ICMP) type.
Example:
  Device(config-service-group)# icmp conversion-error

Step 8  group-object nested-object-group-name
Purpose: (Optional) Specifies a nested (child) object group to be included in the current (parent) object group.
  • The type of the child object group must match that of the parent (for example, if you are creating a network object group, you must specify another network object group as the child).
  • You can use duplicated objects in an object group only via nesting of group objects. For example, if object 1 is in both group A and group B, you can define a group C that includes both A and B. However, you cannot include a group object that causes the group hierarchy to become circular (for example, you cannot include group A in group B and then also include group B in group A).
  • You can use an unlimited number of levels of nested object groups (however, a maximum of two levels is recommended).
Example:
  Device(config-service-group)# group-object my-nested-object-group

Step 9  Repeat the steps to specify the objects on which you want to base your object group.
Purpose: —

Step 10  end
Purpose: Exits service object-group configuration mode and returns to privileged EXEC mode.
Example:
  Device(config-service-group)# end

Creating an Object-Group-Based ACL

When creating an object-group-based access control list (ACL), configure an ACL that references one or more object groups. As with conventional ACLs, you can associate the same access policy with one or more interfaces.

You can define multiple access control entries (ACEs) that reference object groups within the same object-group-based ACL. You can also reuse a specific object group in multiple ACEs.

Perform this task to create an object-group-based ACL.

SUMMARY STEPS

1. enable
2. configure terminal
3. ip access-list extended access-list-name
4. remark remark
5. deny protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
6. remark remark
7. permit protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
8. Repeat the steps to specify the fields and values on which you want to base your access list.
9. end

DETAILED STEPS

Step 1  enable
Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.
Example:
  Device> enable

Step 2  configure terminal
Purpose: Enters global configuration mode.
Example:
  Device# configure terminal

Step 3  ip access-list extended access-list-name
Purpose: Defines an extended IP access list using a name and enters extended access-list configuration mode.
Example:
  Device(config)# ip access-list extended nomarketing

Step 4  remark remark
Purpose: (Optional) Adds a comment about the configured access list entry.
  • A remark can precede or follow an access list entry.
  • In this example, the remark reminds the network administrator that the subsequent entry denies the Marketing network access to the interface.
Example:
  Device(config-ext-nacl)# remark protect server by denying access from the Marketing network

Step 5  deny protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
Purpose: (Optional) Denies any packet that matches all conditions specified in the statement.
  • Optionally use the object-group service-object-group-name keyword and argument as a substitute for the protocol argument.
  • Optionally use the object-group source-network-object-group-name keyword and argument as a substitute for the source source-wildcard arguments.
  • Optionally use the object-group destination-network-object-group-name keyword and argument as a substitute for the destination destination-wildcard arguments.
  • If the source-wildcard or destination-wildcard is omitted, a wildcard mask of 0.0.0.0 is assumed, which matches all bits of the source or destination address, respectively.
  • Optionally use the any keyword as a substitute for the source source-wildcard or destination destination-wildcard to specify the address and wildcard of 0.0.0.0 255.255.255.255.
  • Optionally use the host source keyword and argument to indicate a source and source wildcard of source 0.0.0.0, or the host destination keyword and argument to indicate a destination and destination wildcard of destination 0.0.0.0.
  • In this example, packets from all sources are denied access to the destination network 209.165.200.244. Logging messages about packets permitted or denied by the access list are sent to the facility configured by the logging facility command (for example, console, terminal, or syslog). That is, any packet that matches the access list will cause an informational logging message about the packet to be sent to the configured facility. The level of messages logged to the console is controlled by the logging console command.
Example:
  Device(config-ext-nacl)# deny ip 209.165.200.244 255.255.255.224 host 209.165.200.245 log
Example based on object-group:
  Router(config)# object-group network my_network_object_group
  Router(config-network-group)# 209.165.200.224 255.255.255.224
  Router(config-network-group)# exit
  Router(config)# object-group network my_other_network_object_group
  Router(config-network-group)# host 209.165.200.245
  Router(config-network-group)# exit
  Router(config)# ip access-list extended nomarketing
  Router(config-ext-nacl)# deny ip object-group my_network_object_group object-group my_other_network_object_group log

Step 6  remark remark
Purpose: (Optional) Adds a comment about the configured access list entry.
  • A remark can precede or follow an access list entry.
Example:
  Device(config-ext-nacl)# remark allow TCP from any source to any destination

Step 7  permit protocol source [source-wildcard] destination [destination-wildcard] [option option-name] [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
Purpose: Permits any packet that matches all conditions specified in the statement.
  • Every access list needs at least one permit statement.
  • Optionally use the object-group service-object-group-name keyword and argument as a substitute for the protocol.
  • Optionally use the object-group source-network-object-group-name keyword and argument as a substitute for the source source-wildcard.
Example:
  Device(config-ext-nacl)# permit tcp any any
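The nesting rules given for group-object in the two object-group procedures above, and the object-group substitutions allowed in the deny and permit steps, can be exercised without a device. The Python program below is an added example; it is not Cisco's code and does not reproduce the IOS parser. It reads a constructed IOS-style configuration snippet (the group names and addresses are invented), enforces the guide's nesting rules (a child group must exist and match the parent's type, and the hierarchy must not be circular), and expands one object-group ACE into the conventional ACEs it stands for, which makes the size reduction described in the overview concrete. The ACE form it accepts (a service group followed by a source and a destination network group, with an optional log keyword) and all helper names are this example's own assumptions.

```python
"""Simplified model of IOS object groups and object-group-based ACEs.

Added example: not Cisco's code and not the IOS parser. It parses a small
IOS-style snippet, validates group nesting, and expands an object-group
ACE into the conventional ACEs it replaces.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample configuration (invented names and addresses).
SAMPLE_CONFIG = """\
object-group network eng-hosts
 host 209.165.200.237
 host 209.165.200.238
 209.165.200.224 255.255.255.224
object-group network eng-admins
 host 209.165.201.1
object-group network eng-all
 group-object eng-hosts
 group-object eng-admins
object-group network servers
 host 209.165.202.129
 host 209.165.202.130
object-group service eng-services
 tcp eq 22
 tcp eq 443
 tcp-udp range 2000 2005
"""

# Assumed ACE form: action, service group, source group, destination group.
ACE_RE = re.compile(
    r"(permit|deny) object-group (\S+) object-group (\S+) object-group (\S+)( log)?$")


def parse_object_groups(config: str) -> Dict[str, dict]:
    """Collect object-group blocks: name -> {"type": ..., "members": [lines]}."""
    groups: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"object-group (network|service) (\S+)$", line)
        if m:
            current = {"type": m.group(1), "members": []}
            groups[m.group(2)] = current
            continue
        if current is None or not raw.startswith(" "):
            raise ValueError(f"member line outside an object-group: {line!r}")
        current["members"].append(line)
    return groups


def validate_nesting(groups: Dict[str, dict]) -> None:
    """Guide's rules: a nested group must exist, match the parent's type,
    and must not make the hierarchy circular (checked by DFS)."""
    state: Dict[str, str] = {}  # name -> "visiting" | "done"

    def visit(name: str) -> None:
        if state.get(name) == "done":
            return
        if state.get(name) == "visiting":
            raise ValueError(f"circular nesting through group {name!r}")
        state[name] = "visiting"
        for member in groups[name]["members"]:
            if member.startswith("group-object "):
                child = member.split()[1]
                if child not in groups:
                    raise ValueError(f"{name!r} nests unknown group {child!r}")
                if groups[child]["type"] != groups[name]["type"]:
                    raise ValueError(f"{name!r} ({groups[name]['type']}) nests "
                                     f"{child!r} ({groups[child]['type']})")
                visit(child)
        state[name] = "done"

    for name in groups:
        visit(name)


def expand_network(groups: Dict[str, dict], name: str) -> List[str]:
    """Flatten a network group into conventional source/destination fields."""
    out: List[str] = []
    for member in groups[name]["members"]:
        parts = member.split()
        if parts[0] == "group-object":
            out.extend(expand_network(groups, parts[1]))
        elif parts[0] == "host":
            out.append(f"host {parts[1]}")
        elif parts[0] == "any":
            out.append("any")
        else:
            # Subnet object as "addr mask" or "addr/nn"; an ACE needs a wildcard.
            spec = parts[0] if len(parts) == 1 else f"{parts[0]}/{parts[1]}"
            net = ipaddress.ip_network(spec, strict=False)
            out.append(f"{net.network_address} {net.hostmask}")
    return out


def expand_service(groups: Dict[str, dict], name: str) -> List[str]:
    """Flatten a service group into 'protocol [port-operator]' fragments."""
    out: List[str] = []
    for member in groups[name]["members"]:
        parts = member.split()
        if parts[0] == "group-object":
            out.extend(expand_service(groups, parts[1]))
        elif parts[0] == "tcp-udp":
            # One tcp-udp object stands for a TCP entry and a UDP entry.
            out.append("tcp " + " ".join(parts[1:]))
            out.append("udp " + " ".join(parts[1:]))
        else:
            out.append(member)  # e.g. "tcp eq 22", "icmp echo", "ahp"
    return out


def expand_ace(groups: Dict[str, dict], ace: str) -> List[str]:
    """Expand an object-group ACE into the conventional ACEs it replaces."""
    m = ACE_RE.match(ace.strip())
    if not m:
        raise ValueError(f"unsupported ACE form: {ace!r}")
    action, svc, src, dst, log = m.groups()
    if (groups[svc]["type"] != "service" or groups[src]["type"] != "network"
            or groups[dst]["type"] != "network"):
        raise ValueError("expected a service group, then two network groups")
    expanded: List[str] = []
    for service in expand_service(groups, svc):
        proto, _, ports = service.partition(" ")
        for s in expand_network(groups, src):
            for d in expand_network(groups, dst):
                line = f"{action} {proto} {s} {d}" + (f" {ports}" if ports else "")
                expanded.append(line + (log or ""))
    return expanded


if __name__ == "__main__":
    grps = parse_object_groups(SAMPLE_CONFIG)
    validate_nesting(grps)
    one_ace = "permit object-group eng-services object-group eng-all object-group servers"
    lines = expand_ace(grps, one_ace)
    print(f"1 object-group ACE stands for {len(lines)} conventional ACEs")
    for conventional in lines:
        print(" ", conventional)
```

For the sample, the single permit line expands to 32 conventional ACEs (four service entries, four source hosts or subnets, two destination hosts). Feeding the validator a pair of groups that nest each other, or a network group that nests a service group, raises ValueError, mirroring the two conditions the group-object step says the device rejects.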