Using Object Groups With An Access Control List - Cisco Catalyst 6500 Series Configuration Manual
Catalyst 6500 series switch and
cisco 7600 series router firewall services
Hide thumbs
Also See for Catalyst 6500 Series:
- Software configuration manual (570 pages) ,
- Configuration note (212 pages) ,
- Installation manual (194 pages)
Table of Contents
Advertisement
Chapter 10
Controlling Network Access with Access Control Lists
Simplifying Access Control Lists with Object Grouping
FWSM/contexta(config-network)# group-object eng
FWSM/contexta(config-network)# group-object hr
FWSM/contexta(config-network)# group-object finance
You only need to specify the admin object group in your ACE as follows:
FWSM/contexta(config)# access-list ACL_IN extended permit ip object-group admin host
209.165.201.29
Using Object Groups with an Access Control List
To use object groups in an ACL, replace the normal protocol (protocol), network (source_address mask,
etc.), service (operator port), or ICMP type (icmp_type) parameter with object-group grp_id.
For example, to use object groups for all available parameters in the access-list {tcp | udp} command,
enter the following command:
FWSM(config)# access-list acl_name [extended] {deny | permit} {tcp | udp} object-group
nw_grp_id [object-group svc_grp_id ] object-group nw_grp_id [object-group svc_grp_id ]
[log [[ level ] [interval secs ] | disable | default]]
You do not have to use object groups for all parameters; for example, you can use an object group for
the source address, but identify the destination address with an address and mask.
The following normal ACL that does not use object groups restricts several hosts on the inside network
from accessing several web servers. All other traffic is allowed.
FWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host
209.165.201.29 eq www
FWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host
209.165.201.29 eq www
FWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host
209.165.201.29 eq www
FWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host
209.165.201.16 eq www
FWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host
209.165.201.16 eq www
FWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host
209.165.201.16 eq www
FWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host
209.165.201.78 eq www
FWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host
209.165.201.78 eq www
FWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host
209.165.201.78 eq www
FWSM/contexta(config)# access-list ACL_IN extended permit ip any any
FWSM/contexta(config)# access-group ACL_IN in interface inside
If you make two network object groups, one for the inside hosts, and one for the web servers, then the
configuration can be simplified and can be easily modified to add more hosts:
FWSM/contexta(config)# object-group network denied
FWSM/contexta(config-network)# network-object host 10.1.1.4
FWSM/contexta(config-network)# network-object host 10.1.1.78
FWSM/contexta(config-network)# network-object host 10.1.1.89
FWSM/contexta(config-network)# object-group network web
FWSM/contexta(config-network)# network-object host 209.165.201.29
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
10-23
OL-6392-01
Advertisement
Table of Contents
Troubleshooting
