© 2003, Cisco Systems, Inc. All rights reserved. CSPFA 3.18-1 Chapter 8 Object Grouping.

Transcript:


Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- Describe the PIX Firewall's object grouping feature and its advantages.
- Configure object groups.
- Configure nested object groups.
- Use object groups in ACLs.

Overview of Object Grouping

Grouping Objects of Similar Types

Objects of the same type are collected into a named group:

Services (group MYSERVICES)
 – SMTP
 – FTP

Protocols (group MYPROTOCOLS)
 – UDP
 – IPSec

Networks/Hosts (group MYCLIENTS)
 – Subnet /11
 –
 –

Using Object Groups in ACLs

A single access-list entry that references object groups:

pixfirewall(config)# access-list ACLOUT permit object-group MYPROTOCOLS object-group CLIENTS object-group SERVERS

takes the place of the individual entries that would otherwise have to be written one by one (host addresses are missing from the transcript):

pixfirewall(config)# access-list ACLOUT permit tcp host
pixfirewall(config)# access-list ACLOUT permit icmp host
pixfirewall(config)# access-list ACLOUT permit tcp host
pixfirewall(config)# access-list ACLOUT permit icmp host
pixfirewall(config)# access-list ACLOUT permit tcp host host
pixfirewall(config)# access-list ACLOUT permit icmp host host
pixfirewall(config)# access-list ACLOUT permit tcp host host
pixfirewall(config)# access-list ACLOUT permit icmp host host
pixfirewall(config)# access-list ACLOUT permit tcp host host
pixfirewall(config)# access-list ACLOUT permit icmp host host
pixfirewall(config)# access-list ACLOUT permit tcp host host
pixfirewall(config)# access-list ACLOUT permit icmp host host

Getting Started with Object Groups

Configuring and Using Object Groups

Complete the following tasks to create object groups and use them in your configuration:

Task 1: Use the object-group command to enter the appropriate subcommand mode for the type of group you want to configure.
Task 2: In subcommand mode, define the members of the object group.
Task 3: (Optional.) Use the description sub-command to describe the object group.
Task 4: Use the exit or quit command to return to configuration mode.
Task 5: (Optional.) Use the show object-group command to verify that the object group has been configured successfully.
Task 6: Apply the access-list command to the object group.
Task 7: (Optional.) Use the show access-list command to display the expanded access-list entries.

object-group Command

pixfirewall(config)# object-group network grp_id
  Assigns a name to a Network group and enables the Network subcommand mode.

pixfirewall(config)# object-group service grp_id tcp | udp | tcp-udp
  Assigns a name to a Service group and enables the Service subcommand mode.

pixfirewall(config)# object-group protocol grp_id
  Assigns a name to a Protocol group and enables the Protocol subcommand mode.

pixfirewall(config)# object-group icmp-type grp_id
  Assigns a name to an ICMP-type group and enables the ICMP-type subcommand mode.

Example:
pixfirewall(config)# object-group network CLIENTS
  Assigns the name CLIENTS to a Network group and enables the Network subcommand mode.

Configuring Object Groups

Configuring Network Object Groups

pixfirewall(config)# object-group network grp_id
  Assigns a name to the group and enables the Network sub-command mode.

pixfirewall(config-network)# network-object host host_addr | host_name
  Assigns hosts to the Network object group.

pixfirewall(config-network)# network-object net_addr netmask
  Assigns networks to the Network object group.

Example (creates a Network object group named CLIENTS consisting of two hosts and one network; the addresses are missing from the transcript):
pixfirewall(config)# object-group network CLIENTS
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# network-object

Configuring Service Object Groups

pixfirewall(config)# object-group service grp_id tcp | udp | tcp-udp
  Assigns a name to a Service group and enables the Service sub-command mode.

pixfirewall(config-service)# port-object eq service
  Assigns a single TCP or UDP port number to the Service object group.

pixfirewall(config-service)# port-object range begin_service end_service
  Assigns a range of TCP or UDP port numbers to the Service object group.

Example (creates a Service group named MYSERVICES, which contains HTTP and FTP):
pixfirewall(config)# object-group service MYSERVICES tcp
pixfirewall(config-service)# port-object eq http
pixfirewall(config-service)# port-object eq ftp

Configuring Protocol Object Groups

pixfirewall(config)# object-group protocol grp_id
  Assigns a name to a Protocol group and enables the Protocol sub-command mode.

pixfirewall(config-protocol)# protocol-object protocol
  Assigns a protocol to the Protocol object group.

Example (creates a Protocol group named MYPROTOCOLS, which contains ICMP and TCP):
pixfirewall(config)# object-group protocol MYPROTOCOLS
pixfirewall(config-protocol)# protocol-object icmp
pixfirewall(config-protocol)# protocol-object tcp

Configuring ICMP-Type Object Groups

pixfirewall(config)# object-group icmp-type grp_id
  Assigns a name to an ICMP-Type group and enables the icmp-type sub-command mode.

pixfirewall(config-icmp-type)# icmp-object icmp-type
  Assigns an ICMP message type to the object group.

Example (creates an ICMP-Type group named PING which contains the echo and echo-reply message types):
pixfirewall(config)# object-group icmp-type PING
pixfirewall(config-icmp-type)# icmp-object echo
pixfirewall(config-icmp-type)# icmp-object echo-reply

Nested Object Groups

Configuring Nested Object Groups

Complete the following steps to configure nested object groups:

Step 1: Assign a group identity to the object group that you want to nest within another object group.
Step 2: Add the appropriate type of objects to the object group.
Step 3: Assign a group identity to the object group within which you want to nest another object group.
Step 4: Add the first object group to the group that will contain it.
Step 5: Add any other objects that are required to the group.

group-object Command

pixfirewall(config-group-type)# group-object object_group_id
  Nests an object group within another object group.

Example:
pixfirewall(config)# object-group service SERVICESA tcp
pixfirewall(config-service)# port-object eq smtp
pixfirewall(config-service)# port-object eq ftp
pixfirewall(config-service)# exit
pixfirewall(config)# object-group service SERVICES tcp
pixfirewall(config-service)# group-object SERVICESA

access-list Command for Object Grouping

pixfirewall(config)# access-list acl_ID deny | permit object-group protocol_obj_grp_id object-group network_obj_grp_id [object-group service_obj_grp_id] object-group network_obj_grp_id object-group service_obj_grp_id
  Creates an access list containing object groups. The protocol, source, destination and service positions each take an object group of the matching type; a position can also hold an ordinary single value, as the literal protocol tcp does in the example.

Example:
pixfirewall(config)# access-list ACLIN permit tcp object-group REMOTECLIENTS object-group LOCALSERVERS object-group MYSERVICES

Nested Object Group Example

Two host groups are created, nested into a third group, and the third group is used in an ACL that is then applied to the inside interface (host addresses are missing from the transcript):

pixfirewall(config)# object-group network HOSTGROUP1
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# exit
pixfirewall(config)# object-group network HOSTGROUP2
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# exit
pixfirewall(config)# object-group network ALLHOSTS
pixfirewall(config-network)# group-object HOSTGROUP1
pixfirewall(config-network)# group-object HOSTGROUP2
pixfirewall(config-network)# exit
pixfirewall(config)# access-list ALL permit tcp object-group ALLHOSTS any eq ftp
pixfirewall(config)# access-group ALL in interface inside

Multiple Object Groups in ACLs

pixfirewall(config)# show object-group
object-group network REMOTES
  network-object host
  network-object host
object-group network LOCALS1
  network-object host
  network-object host
object-group network LOCALS2
  network-object host
  network-object host
object-group network ALLLOCALS
  group-object LOCALS1
  group-object LOCALS2
object-group service BASIC
  port-object eq ftp
  port-object eq smtp

pixfirewall(config)# access-list INBOUND permit tcp object-group REMOTES object-group ALLLOCALS object-group BASIC

pixfirewall(config)# show static
static(inside,outside) netmask
static(inside,outside) netmask
static(inside,outside) netmask
static(inside,outside) netmask

(Host addresses and the static translation addresses are missing from the transcript.)

Display Configured Object Groups

pixfirewall(config)# show object-group [protocol | service | icmp-type | network]
  Displays object groups in the configuration.

Example:
pixfirewall(config)# show object-group
object-group network HOSTGROUP1
  network-object host
  network-object host
object-group network HOSTGROUP2
  network-object host
  network-object host
object-group network ALLHOSTS
  group-object HOSTGROUP1
  group-object HOSTGROUP2
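The expansion shown on the Using Object Groups in ACLs slide, recommended for review in Task 7 (show access-list), and the nested and multiple-group ACLs of the previous slides, worked through as an added example that is not part of the Cisco course material: a Python script that reads text in the form of show object-group output, resolves group-object nesting, and expands one object-group access-list line into the individual entries it stands for. The group names REMOTES, LOCALS1, LOCALS2, ALLLOCALS, BASIC and MYPROTOCOLS follow the slides; the addresses and ports are constructed RFC 5737 documentation values, and parse_object_groups, flatten, render and expand_acl are this example's own functions, not PIX commands or a Cisco tool.

```python
"""Expand a PIX object-group ACL entry into the individual ACEs it stands for.

Added example, not code from the Cisco course: parses text shaped like 'show
object-group' output (network, service and protocol groups, nested with
group-object), rejects nesting cycles, and expands an access-list line that
references object groups into the flat entries the firewall evaluates (what
'show access-list' displays).  Group names follow the slides; every address
is a constructed RFC 5737 documentation value.
"""
from itertools import product

SAMPLE_OBJECT_GROUPS = """\
object-group network REMOTES
 network-object host 198.51.100.10
 network-object host 198.51.100.11
object-group network LOCALS1
 network-object host 192.0.2.10
 network-object 192.0.2.64 255.255.255.192
object-group network LOCALS2
 network-object host 192.0.2.20
object-group network ALLLOCALS
 group-object LOCALS1
 group-object LOCALS2
object-group service BASIC tcp
 port-object eq ftp
 port-object eq smtp
 port-object range 8080 8081
object-group protocol MYPROTOCOLS
 protocol-object tcp
 protocol-object icmp
"""  # constructed sample input

def parse_object_groups(text):
    """Return {name: (kind, members)}; a member is ('host', ip), ('net', ip,
    mask), ('group', name), ('protocol', p), ('eq', port) or ('range', lo, hi)."""
    groups, members = {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "object-group":            # header: kind, name[, tcp|udp]
            members = []
            groups[tok[2]] = (tok[1], members)
        elif members is None:
            raise ValueError("member before any object-group: " + raw)
        elif tok[0] == "network-object":
            members.append(("host", tok[2]) if tok[1] == "host"
                           else ("net", tok[1], tok[2]))
        elif tok[0] in ("group-object", "protocol-object"):
            members.append((tok[0].split("-")[0], tok[1]))
        elif tok[0] == "port-object" and tok[1] in ("eq", "range"):
            members.append(tuple(tok[1:]))
        else:
            raise ValueError("unrecognised line: " + raw)
    return groups

def flatten(groups, name, seen=()):
    """Resolve nested groups to leaf members.  The PIX will not let a group
    contain itself; a tool reading config text must not loop, so cycles raise."""
    if name in seen:
        raise ValueError("nested group cycle: " + " -> ".join(seen + (name,)))
    kind, members = groups[name]                # KeyError if undefined
    leaves = []
    for m in members:
        if m[0] != "group":
            leaves.append(m)
        elif groups[m[1]][0] != kind:           # nesting is same-type only
            raise ValueError("%s is not a %s group" % (m[1], kind))
        else:
            leaves.extend(flatten(groups, m[1], seen + (name,)))
    return leaves

def render(member):
    """Text of a leaf member as it appears in an expanded ACE."""
    if member[0] == "host":
        return "host " + member[1]
    if member[0] in ("net", "protocol"):
        return " ".join(member[1:])
    return " ".join(member)                     # 'eq ftp', 'range lo hi'

def expand_acl(groups, line):
    """Expand one 'access-list ID permit|deny ...' line: each object-group operand
    becomes its leaf members, literals pass through, result is the product."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an access-list entry: " + line)
    operands, i = [], 3
    while i < len(tok):
        if tok[i] == "object-group":
            operands.append([render(m) for m in flatten(groups, tok[i + 1])])
            i += 2
        else:
            operands.append([tok[i]])
            i += 1
    return [" ".join(tok[:3] + list(c)) for c in product(*operands)]

if __name__ == "__main__":
    g = parse_object_groups(SAMPLE_OBJECT_GROUPS)
    print("\n".join(expand_acl(g, "access-list INBOUND permit tcp "
          "object-group REMOTES object-group ALLLOCALS object-group BASIC")))
```

Run stand-alone, the script prints the 18 entries (2 remote hosts x 3 local members x 3 ports) that the single INBOUND line stands for. Seeing that count before a change is applied is the practical reason Task 7 suggests show access-list: a group that reads as a few lines can multiply into far more permissions than intended. The cycle and same-type checks in flatten matter when the text comes from a file rather than from the firewall, which enforces both itself.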

Removing Configured Object Groups

pixfirewall(config)# no object-group protocol | network | icmp-type grp_id
  Removes a specific protocol, network or icmp-type object group.

pixfirewall(config)# no object-group service grp_id tcp | udp | tcp-udp
  Removes a specific service object group.

pixfirewall(config)# clear object-group [protocol | service | icmp-type | network]
  Removes all object groups or all object groups of a specific type.

Example (removes object group ALLHOSTS and all Protocol object groups):
pixfirewall(config)# no object-group network ALLHOSTS
pixfirewall(config)# clear object-group protocol

Summary

- You can group network objects, services, protocols, and ICMP message types to reduce the number of ACLs required to implement your security policy.
- The main Object Grouping command, the object-group command, names your object group and enables a sub-command mode for the type of object you specify.
- Members of an object group are defined in its sub-command mode.
- Hierarchical object grouping enables greater flexibility and modularity for specifying ACLs.

Lab Exercise

Lab Visual Objective (network diagram; the figure itself is not reproduced in the transcript): Student PCs, PIX Firewalls, Web/FTP servers, CSACS, RTS, RBB and bastion hosts (Web/FTP), arranged for Pods 1–5 and Pods 6–. Pod addressing uses the pod letters P and Q: Remote 10.1.P.11 / Local 10.0.P.11 and Remote 10.1.Q.11 / Local 10.0.Q.