- Zone-Based Policy Firewalls
- Zone-Based Policy Firewall IPv6 Support
- VRF-Aware Cisco IOS XE Firewall
- Layer 2 Transparent Firewalls
- Nested Class Map Support for Zone-Based Policy Firewall
- Zone Mismatch Handling
- Configuring Firewall Stateful Interchassis Redundancy
- Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls
- Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
- Interchassis High Availability Support in IPv6 Zone-Based Firewalls
- Firewall Box to Box High Availability Support for Cisco CSR1000v Routers
- Firewall Stateful Inspection of ICMP
- Firewall Support of Skinny Client Control Protocol
- Configuring the VRF-Aware Software Infrastructure
- IPv6 Zone-Based Firewall Support over VASI Interfaces
- Protection Against Distributed Denial of Service Attacks
- Configuring Firewall Resource Management
- IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
- Configurable Number of Simultaneous Packets per Flow
- LISP and Zone-Based Firewalls Integration and Interoperability
- Firewall High-Speed Logging
- TCP Reset Segment Control
- Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
- Enabling ALGs and AICs in Zone-Based Policy Firewalls
- Configuring Firewall TCP SYN Cookie
- Object Groups for ACLs
- Cisco Firewall-SIP Enhancements ALG
- MSRPC ALG Support for Firewall and NAT
- Sun RPC ALG Support for Firewalls and NAT
- vTCP for ALG Support
- ALG—H.323 vTCP with High Availability Support for Firewall and NAT
- FTP66 ALG Support for IPv6 Firewalls
- SIP ALG Hardening for NAT and Firewall
- SIP ALG Resilience to DoS Attacks
- Zone-Based Firewall ALG and AIC Conditional Debugging and Packet Tracing Support
- Finding Feature Information
- Restrictions for Object Groups for ACLs
- Information About Object Groups for ACLs
- How to Configure Object Groups for ACLs
- Configuration Examples for Object Groups for ACLs
- Example: Creating a Network Object Group
- Example: Creating a Service Object Group
- Example: Creating an Object Group-Based ACL
- Example: Configuring Class Maps and Policy Maps for Object Groups
- Example: Configuring Zones for Object Groups
- Example: Applying Policy Maps to Zone Pairs for Object Groups
- Example: Verifying Object Groups for ACLs
- Additional References for Object Groups for ACLs
- Feature Information for Object Groups for ACLs
Object Groups for ACLs
The Object Groups for ACLs feature lets you classify users, devices, or protocols into groups and apply these groups to access control lists (ACLs) to create access control policies for these groups. This feature lets you use object groups instead of individual IP addresses, protocols, and ports, which are used in conventional ACLs. This feature allows multiple access control entries (ACEs). You can use each ACE to allow an entire group of users to access a group of servers or services or to deny them access; thereby reducing the size of an ACL and improving manageability.
This module describes object-group ACLs with zone-based policy firewalls and how to configure them for zone-based firewalls.
- Finding Feature Information
- Restrictions for Object Groups for ACLs
- Information About Object Groups for ACLs
- How to Configure Object Groups for ACLs
- Configuration Examples for Object Groups for ACLs
- Additional References for Object Groups for ACLs
- Feature Information for Object Groups for ACLs
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Object Groups for ACLs
IPv6 is not supported.
- Dynamic and per-user access control lists (ACLs) are not supported.
- You cannot remove an object group or make an object group empty if it is used in an ACL.
-
ACL statements using object groups will be ignored on packets that are sent to RP for processing.
- Object groups are supported only for IP extended ACLs.
Information About Object Groups for ACLs
Overview of Object Groups for ACLs
In large networks, the number of lines in an access control list (ACL) can be large (hundreds of lines) and difficult to configure and manage, especially if the ACLs frequently change. Object group-based ACLs are smaller, more readable, and easier to configure and manage. Object-group-based ACLs simplify static ACL deployments for large user access environments on Cisco IOS routers. The zone-based firewall benefits from object groups, because object groups simplify policy creation (for example, group A has access to group A services).
You can configure conventional access control entries (ACEs) and ACEs that refer to object groups in the same ACL. You can use object-group-based ACLs with quality of service (QoS) match criteria, zone-based policy firewall, Dynamic Host Configuration Protocol (DHCP), and any other features that use extended ACLs.
In addition, you can use object-group-based ACLs with multicast traffic. When there are many inbound and outbound packets, using object group-based ACLs increases performance compared to conventional ACLs. Also, in large configurations, this feature reduces the storage required in NVRAM, because you need not define an individual ACE for every address and protocol pairing.
Integration of Zone-Based Firewalls with Object Groups
Zone-based firewalls use object-group access control lists (ACLs) to apply policies to specific traffic. You define an object-group ACL, associate it with a zone-based firewall policy, and apply the policy to a zone pair to inspect the traffic.
In Cisco IOS XE Release 3.12S, only expanded object-group ACLs are supported with firewalls.
In a class map, you can configure a maximum of 64 matching statements using the match access-group command.
Objects Allowed in Network Object Groups
A network object group is a group of any of the following objects:
Objects Allowed in Service Object Groups
A service object group is a group of any of the following objects:
Source and destination protocol ports (such as Telnet or Simple Network Management Protocol [SNMP])
Internet Control Message Protocol (ICMP) types (such as echo, echo-reply, or host-unreachable)
Top-level protocols (such as Encapsulating Security Payload [ESP], TCP, or UDP)
Other service object groups
ACLs Based on Object Groups
All features that use or reference conventional access control lists (ACLs) are compatible with object-group-based ACLs, and the feature interactions for conventional ACLs are the same with object-group-based ACLs. This feature extends the conventional ACLs to support object-group-based ACLs and also adds new keywords and the source and destination addresses and ports.
You can apply object-group-based ACLs to interfaces that are configured in a VPN routing and forwarding (VRF) instance or features that are used within a VRF context.
You can add, delete, or change objects in an object group membership list dynamically (without deleting and redefining the object group). Also, you can add, delete, or change objects in an object group membership list without redefining the ACL access control entry (ACE) that uses the object group. You can add objects to groups, delete them from groups, and then ensure that changes are correctly functioning within the object-group-based ACL without reapplying the ACL to the interface.
You can configure an object-group-based ACL multiple times with a source group only, a destination group only, or both source and destination groups.
You cannot delete an object group that is used within an ACL or a class-based policy language (CPL) policy.
Guidelines for Object Group ACLs
Object groups must have unique names. For example, to create a network object group named “Engineering” and a service object group named “Engineering,” you must add an identifier (or tag) to at least one object group name to make it unique. For example, you can use the names “Engineering-admins” and “Engineering-hosts” to make the object group names unique and to make it easier for identification.
Additional objects can be added to an existing object group. After adding an object group, you can add more objects as required for the same group name. You do not need to reenter existing objects; the previous configuration remains in place until the object group is removed.
Different objects can be grouped together. For example, objects such as hosts, protocols, or services can be grouped together and configured under the same group name. Network objects can be defined only under a network group, and service objects can be defined only under a service group.
When you define a group with the object-group command and use any security appliance command, the command applies to every item in that group. This feature can significantly reduce your configuration size.
How to Configure Object Groups for ACLs
To configure object groups for ACLs, you first create one or more object groups. These can be any combination of network object groups (groups that contain objects such as, host addresses and network addresses) or service object groups (which use operators such as lt, eq, gt, neq, and range with port numbers). Then, you create access control entries (ACEs) that apply a policy (such as permit or deny) to those object groups.
- Creating a Network Object Group
- Creating a Service Object Group
- Creating an Object-Group-Based ACL
- Configuring Class Maps and Policy Maps for Object Groups
- Configuring Zones for Object Groups
- Applying Policy Maps to Zone Pairs for Object Groups
- Verifying Object Groups for ACLs
Creating a Network Object Group
A network object group that contains a single object (such as a single IP address, a hostname, another network object group, or a subnet) or nested objects (multiple network object groups can be defined in single network object group), is with a network object-group-based ACL to create access control policies for the objects.
Perform this task to create a network object group.
1.
enable
2.
configure
terminal
3.
object-group
network
object-group-name
4.
description
description-text
5.
host
{host-address |
host-name}
6.
network-address
{/nn |
network-mask}
7.
any
8.
group-object
nested-object-group-name
9. Repeat the steps until you have specified objects on which you want to base your object group.
10.
end
DETAILED STEPS
Creating a Service Object Group
Use a service object group to specify TCP and/or UDP ports or port ranges. When the service object group is associated with an access control list (ACL), this service object-group-based ACL can control access to ports.
1.
enable
2.
configure
terminal
3.
object-group
service
object-group-name
4.
description
description-text
5.
protocol
6.
{tcp | udp | tcp-udp} [source {{[eq] | lt | gt} port1 | range port1 port2}] [{[eq] | lt | gt} port1 | range port1 port2]
7.
icmp
icmp-type
8.
group-object
nested-object-group-name
9. Repeat the steps to specify the objects on which you want to base your object group.
10.
end
DETAILED STEPS
Creating an Object-Group-Based ACL
When creating an object-group-based access control list (ACL), configure an ACL that references one or more object groups. As with conventional ACLs, you can associate the same access policy with one or more interfaces.
You can define multiple access control entries (ACEs) that reference object groups within the same object-group-based ACL. You can also reuse a specific object group in multiple ACEs.
Perform this task to create an object-group-based ACL.
1.
enable
2.
configure
terminal
3.
ip
access-list
extended
access-list-name
4.
remark
remark
5.
deny
protocol
source [source-wildcard]
destination
[destination-wildcard] [option
option-name]
[precedence
precedence]
[tos
tos] [established] [log |
log-input]
[time-range
time-range-name] [fragments]
6.
remark
remark
7.
permit
protocol
source [source-wildcard]
destination
[destination-wildcard] [option
option-name]
[precedence
precedence]
[tos
tos] [established] [log |
log-input]
[time-range
time-range-name] [fragments]
8. Repeat the steps to specify the fields and values on which you want to base your access list.
9.
end
DETAILED STEPS
Configuring Class Maps and Policy Maps for Object Groups
1.
enable
2.
configure terminal
3.
class-map type inspect match-all class-map-name
4.
match access-group name access-list-name
5.
exit
6.
policy-map type inspect policy-map-name
7.
class type inspect class-map-name
8.
pass
9.
exit
10.
class class-default
11.
drop
12.
end
DETAILED STEPS
Configuring Zones for Object Groups
1.
enable
2.
configure terminal
3.
zone security zone-name
4.
exit
5.
zone security zone-name
6.
exit
7.
interface type number
8.
zone-member security zone-name
9.
end
DETAILED STEPS
Applying Policy Maps to Zone Pairs for Object Groups
1.
enable
2.
configure terminal
3.
zone-pair security zone-pair-name source {zone-name | default | self} destination {zone-name | default | self}
4.
service-policy type inspect policy-map-name
5.
end
DETAILED STEPS
Verifying Object Groups for ACLs
1.
enable
2.
show
object-group [object-group-name]
3.
show
ip
access-list [access-list-name]
DETAILED STEPS
Configuration Examples for Object Groups for ACLs
- Example: Creating a Network Object Group
- Example: Creating a Service Object Group
- Example: Creating an Object Group-Based ACL
- Example: Configuring Class Maps and Policy Maps for Object Groups
- Example: Configuring Zones for Object Groups
- Example: Applying Policy Maps to Zone Pairs for Object Groups
- Example: Verifying Object Groups for ACLs
Example: Creating a Network Object Group
The following example shows how to create a network object group named my-network-object-group, which contains two hosts a range of IP addresses, and a subnet as objects:
Device> enable Device# configure terminal Device(config)# object-group network my-network-object-group Device(config-network-group)# description test engineers Device(config-network-group)# host 209.165.200.237 Device(config-network-group)# host 209.165.200.238 Device(config-network-group)# 209.165.200.241 255.255.255.224 Device(config-network-group)# end
The following example shows how to create a network object group named my-company-network, which contains two hosts, a subnet, and an existing object group (child) named my-nested-object-group as objects:
Device> enable Device# configure terminal Device(config)# object-group network my-company-network Device(config-network-group)# host host1 Device(config-network-group)# host 209.165.200.242 Device(config-network-group)# 209.165.200.225 255.255.255.224 Device(config-network-group)# group-object my-nested-object-group Device(config-network-group)# end
Example: Creating a Service Object Group
The following example shows how to create a service object group named my-service-object-group, which contains several ICMP, TCP, UDP, and TCP-UDP protocols and an existing object group named my-nested-object-group as objects:
Device> enable Device# configure terminal Device(config)# object-group service my-service-object-group Device(config-service-group)# icmp echo Device(config-service-group)# tcp smtp Device(config-service-group)# tcp telnet Device(config-service-group)# tcp source range 1 65535 telnet Device(config-service-group)# tcp source 2000 ftp Device(config-service-group)# udp domain Device(config-service-group)# tcp-udp range 2000 2005 Device(config-service-group)# group-object my-nested-object-group Device(config-service-group)# end
Example: Creating an Object Group-Based ACL
The following example shows how to create an object-group-based ACL that permits packets from the users in my-network-object-group if the protocol ports match the ports specified in my-service-object-group:
Device> enable Device# configure terminal Device(config)# ip access-list extended my-ogacl-policy Device(config-ext-nacl)# permit object-group my-service-object-group object-group my-network-object-group any Device(config-ext-nacl)# deny tcp any any Device(config-ext-nacl)# end
Example: Configuring Class Maps and Policy Maps for Object Groups
Device# configure terminal Device(config)# class-map type inspect match-all ogacl-cmap Device(config-cmap)# match access-group name my-ogacl-policy Device(config-cmap)# exit Device(config)# policy-map type inspect ogacl-pmap Device(config-pmap)# class type inspect ogacl-cmap Device(config-pmap-c)# pass Device(config-pmap-c)# exit Device(config-pmap)# class class-default Device(config-pmap-c)# drop Device(config-pmap-c)# end
Example: Configuring Zones for Object Groups
Device# configure terminal Device(config)# zone security outside Device(config-sec-zone)# exit Device(config)# zone security inside Device(config-sec-zone)# exit Device(config)# zone-pair security out-to-in source outside destination inside Device(conf-sec-zone-pair)# exit Device(config)# interface gigabitethernet 0/1/1 Device(config-if)# zone-member security inside Device(config-if)# exit Device(config)# interface gigabitethernet 0/1/0 Device(config-if)# zone-member security outside Device(config-if)# end
Example: Applying Policy Maps to Zone Pairs for Object Groups
Device# configure terminal Device(config)# zone-pair security out-to-in source outside destination inside Device(config-sec-zone-pair)# service-policy type inspect ogacl-pmap Device(config-sec-zone-pair)# end
Example: Verifying Object Groups for ACLs
The following example shows how to display all object groups:
Device# show object-group Network object group auth-proxy-acl-deny-dest host 209.165.200.235 Service object group auth-proxy-acl-deny-services tcp eq www tcp eq 443 Network object group auth-proxy-acl-permit-dest 209.165.200.226 255.255.255.224 209.165.200.227 255.255.255.224 209.165.200.228 255.255.255.224 209.165.200.229 255.255.255.224 209.165.200.246 255.255.255.224 209.165.200.230 255.255.255.224 209.165.200.231 255.255.255.224 209.165.200.232 255.255.255.224 209.165.200.233 255.255.255.224 209.165.200.234 255.255.255.224 Service object group auth-proxy-acl-permit-services tcp eq www tcp eq 443
The following example shows how to display information about specific object-group-based ACLs:
Device# show ip access-list my-ogacl-policy Extended IP access list my-ogacl-policy 10 permit object-group eng_service any any
Additional References for Object Groups for ACLs
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Security commands |
|
ACL configuration guide |
Security Configuration Guide: Access Control Lists |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Object Groups for ACLs
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.Feature Name |
Releases |
Feature Information |
---|---|---|
Object Groups for ACLs |
Cisco IOS XE Release 3.12S |
The Object Groups for ACLs feature lets you classify users, devices, or protocols into groups and apply them to access control lists (ACLs) to create access control policies for those groups. This feature allows multiple access control entries (ACEs), but now you can use each ACE to allow an entire group of users to access a group of servers or services or to deny them from doing so. You can use object-group ACLs with zone-based firewalls. The following commands were introduced or modified: deny, ip access-group, ip access-list, object-group network, object-group service, permit, show ip access-list, and show object-group. |