
Presents …

CISCO ASA OBJECTS


Objects

Objects are reusable components for use in our configuration. We can define and use them in
Cisco ASA configurations in the place of IP addresses, services and so on.

We create an object only once and refer to it anywhere in the configuration.

Objects make it easy to maintain our configurations because we can modify an object in one
place and have it be reflected in all other places that are referencing it.

For example, if we use the same IP address and subnet mask in multiple features of our configuration
and later need to modify it, we have to change it manually in every place. If we instead use an object
for that IP address, we only modify the object definition and the change is reflected in every place
where the object is referenced.

Types of Objects

There are two types of objects:

- Network Object
- Service Object

Network Object

- A network object can contain a host, a network IP address, or a range of IP addresses.


- We can also enable NAT rules on the object.
- Create or edit a network object using the object name: object network <object_name>

Service Object

- A service object can contain a single protocol specification.


- Create or edit a service object using the object name: object service <object_name>

OBJECT GROUPS

Object groups allow us to create groups of related information that we apply to our filtering
policies, thereby reducing the number of filtering commands that we have to enter.

Once we have created groups of objects, we can include them in our ACL commands to permit or
deny packets based on matches in the object groups.

Advantages of Object Group

- If we need to define a filtering policy that denies telnet traffic from 192.168.10.11 to
192.168.20.22, we could easily accomplish this with a single ACL command.

However, if we have a list of ten clients trying to access three servers for both telnet and
e-mail, the filtering configuration becomes very complex when using ACLs alone.

So to make this task easy we could use object groups to create a network group for the ten
clients, a network group for the three servers, and a service group for telnet and e-mail, and then
use these groupings in a single ACL command.

- We can embed an object group within another object group; this is called nesting.

For example, we might have two network object groups and want to create a filter that includes
both groups. Without nesting, this would require two ACL statements.
To solve this problem, we can create a third object group and include the first two network
object groups within it. We then create a single ACL statement that references the object group
containing the two nested groups.

Types of Object Groups

We can create the following types of object groups

- Network – Used for grouping of hosts or subnets
- Protocol – Used for grouping of IP protocols, like IP, ICMP, TCP, UDP, or other IP protocols
- Service – Used for grouping of TCP or UDP applications
- ICMP type – Used for grouping of ICMP messages
- Security – Used in features that support Cisco TrustSec architecture
- User – Used in features that support the identity firewall

Network Object Groups


We can create a group of network objects that specify host addresses or subnets and use this
network object group in our ACL commands.

ciscoasa(config)# object-group network group_ID


ciscoasa(config-network)# network-object host host_address
ciscoasa(config-network)# network-object network_address subnet_mask

hostname (config)# object-group network admins


hostname (config-network)# description Administrator Addresses
hostname (config-network)# network-object host 10.1.1.4
hostname (config-network)# network-object host 10.1.1.78
hostname (config-network)# network-object host 10.1.1.34

Protocol Object Groups


We can create a group of IP protocols like TCP, UDP or ICMP and use this group in our ACL
commands.

ciscoasa(config)# object-group protocol group_ID


ciscoasa(config-protocol)# protocol-object protocol_name_or_number
hostname (config)# object-group protocol tcp_udp_icmp
hostname (config-protocol)# protocol-object tcp
hostname (config-protocol)# protocol-object udp
hostname (config-protocol)# protocol-object icmp

Service Object Groups

We can create a group of TCP and UDP applications or ports and use this group in our ACL
statements.

ciscoasa(config)# object-group service group_ID {tcp | udp | tcp-udp}


ciscoasa(config-service)# port-object eq port_name_or_number
ciscoasa(config-service)# port-object range first_port last_port

hostname (config)# object-group service services1 tcp-udp


hostname (config-service)# description DNS Group
hostname (config-service)# port-object eq domain
hostname (config)# object-group service services2 udp
hostname (config-service)# description RADIUS Group
hostname (config-service)# port-object eq radius
hostname (config-service)# port-object eq radius-acct
hostname (config)# object-group service services3 tcp
hostname (config-service)# description LDAP Group
hostname (config-service)# port-object eq ldap

ICMP Object Groups


We can create an object group for ICMP messages and use this group in our ACL statements.

ciscoasa(config)# object-group icmp-type group_ID


ciscoasa(config-icmp-type)# icmp-object ICMP_message

hostname (config)# object-group icmp-type ping


hostname (config-icmp-type)# description Ping Group
hostname (config-icmp-type)# icmp-object echo
hostname (config-icmp-type)# icmp-object echo-reply

Security Group Object Groups


We can create security group object groups for use in features that support Cisco TrustSec
Architecture by including the group in an extended ACL, which in turn can be used in an access rule.

When integrated with Cisco TrustSec, the ASA downloads security group information from the ISE
(Identity Services Engine).

ciscoasa(config)# object-group security group_ID


ciscoasa(config-security-object-group)# security-group name <name>

hostname(config)# object-group security mktg-sg


hostname(config-security-object-group)# security-group tag 1
hostname(config-security-object-group)# security-group name mgkt

*Security group names are created on the ISE.


*Tag is a number from 1 to 65533 and is assigned to a device by ISE.

User Group Object Groups


We can create local user groups for use in features that support the identity firewall by including the
group in an extended ACL, which in turn can be used in an access rule.

The Identity Firewall in the ASA provides access control based on users' identities. We can configure
access rules and security policies based on user names and user group names rather than on
source IP addresses. The Identity Firewall integrates with Microsoft Active Directory in conjunction
with an external Active Directory (AD) Agent.

ciscoasa(config)# object-group user group_ID

hostname(config)# object-group user admins


hostname(config-user-object-group)# user EXAMPLE\admin
hostname(config-user-object-group)# user-group EXAMPLE\\managers

Object Group Nesting


We can embed an object group within another object group.

hostname (config)# object-group network eng


hostname (config-network)# network-object host 10.1.1.5
hostname (config-network)# network-object host 10.1.1.9
hostname (config-network)# network-object host 10.1.1.89

hostname (config)# object-group network hr


hostname (config-network)# network-object host 10.1.2.8
hostname (config-network)# network-object host 10.1.2.12

hostname (config)# object-group network finance


hostname (config-network)# network-object host 10.1.4.89
hostname (config-network)# network-object host 10.1.4.100

We then nest all three groups together as follows:

hostname (config)# object-group network admin


hostname (config-network)# group-object eng
hostname (config-network)# group-object hr
hostname (config-network)# group-object finance

Examining Your Object Groups

ciscoasa# show run object-group [protocol | network | service | icmp-type]


ciscoasa# show run object-group

ciscoasa# show run object-group id <group_ID>

Deleting Object Groups

To remove all object groups on the appliance:

ciscoasa(config)# clear configure object-group [protocol | network | service | icmp-type]


ciscoasa(config)# clear configure object-group

To remove a specific object group:

ciscoasa(config)# no object-group <type> <group_ID>

Note: We cannot remove an object group or make an object group empty if it is used in an access
list.
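As an added example (not part of the original document), the following Python script parses network object groups written in the syntax shown above, expands nesting the way the admin/eng/hr example does, and lists which groups an access list still holds in use, which is what the note above means in practice. The configuration text, the group contents and the access-list name INSIDE_IN are constructed for this example.

```python
# Constructed running-config fragment in the page's syntax (not a dump from a real device).
SAMPLE_CONFIG = """\
object-group network eng
 network-object host 10.1.1.5
object-group network hr
 network-object 10.1.2.0 255.255.255.0
object-group network finance
 network-object host 10.1.4.89
object-group network admin
 group-object eng
 group-object hr
access-list INSIDE_IN extended permit tcp object-group admin any eq 22
"""

def parse_network_groups(config):
    """Map each network object group name to its member sub-commands, split on whitespace."""
    groups, current = {}, None
    for line in config.splitlines():
        if line.startswith("object-group network "):
            current = line.split()[2]
            groups[current] = []
        elif current and line.startswith((" network-object ", " group-object ")):
            groups[current].append(tuple(line.split()))
        elif not line.startswith(" "):
            current = None  # any other top-level command closes the open group
    return groups

def expand(groups, name, _path=()):
    """Flatten a group to the hosts/subnets it covers, following nesting and refusing cycles."""
    if name in _path:
        raise ValueError("nesting cycle: " + " -> ".join(_path + (name,)))
    out = set()
    for m in groups[name]:  # ('group-object', g) | ('network-object', 'host', ip) | ('network-object', net, mask)
        if m[0] == "group-object":
            out |= expand(groups, m[1], _path + (name,))
        else:
            out.add(m[2] + "/32" if m[1] == "host" else m[1] + " " + m[2])
    return out

def groups_in_use(groups, config):
    """Groups named by an access-list plus everything nested under them (cannot be removed or emptied)."""
    used = set()
    for t in (l.split() for l in config.splitlines() if l.startswith("access-list ")):
        used.update(t[i + 1] for i, w in enumerate(t) if w == "object-group")
    stack = list(used)
    while stack:
        nested = {m[1] for m in groups.get(stack.pop(), []) if m[0] == "group-object"} - used
        used |= nested
        stack.extend(nested)
    return used
```

Running it on the sample shows that finance is the only group not in use, while eng and hr are held through their nesting under admin.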
inspectingfirewalls@gmail.com

https://www.facebook.com/groups/inspectingfirewalls
