Get Full Access to our 685 Cisco Lessons Now Start $1 Trial
You are here: Home » ACL

Cisco ASA Object Group for Access-List

Imagine you have to manage a Cisco ASA firewall that has hundreds of hosts and dozens of servers behind it, and for each of these devices we require access-list rules that permit or deny traffic.

With so many devices you will have a LOT of access-list statements and it might become an administrative nightmare to read, understand and update the access-list.

To make our lives a bit easier, Cisco introduced the object-group on Cisco ASA Firewalls (and also on IOS routers since IOS 12.4.20T).

An object-group lets you “group” objects, this could be a collection of IP addresses, networks, port numbers, etc. Instead of creating an access-list with many different statements we can refer to an object-group. This makes the access-list smaller and easier to read. Whenever you make changes in the object-group, these are also reflected in the access-list.

There are different types of object groups, let’s take a look what options we have on the ASA:

ASA1(config)# object-group ?

configure mode commands/options:
  icmp-type  Specifies a group of ICMP types, such as echo
  network    Specifies a group of host or subnet IP addresses
  protocol   Specifies a group of protocols, such as TCP, etc
  security   Specifies identity attributes such as security-group
  service    Specifies a group of TCP/UDP ports/services
  user       Specifies single user, local or import user group

Let me give a quick explanation of each object-group:

  • icmp-type can be used to select all the different ICMP types, for example echo, echo-reply, traceroute, unreachable, etc.
  • network is used to select IP addresses and/or network addresses.
  • protocol lets you select an entire protocol. For example, TCP, UDP, GRE, ESP, AH, OSPF, EIGRP, and many others.
  • security is used for Cisco TrustSec.
  • service is used to select TCP and/or UDP port numbers.
  • user is to select local user groups for Identity Firewall.

In this lesson we will focus on network (used for IP addresses / network addresses) and service (used for TCP/UDP port numbers).

We will take a look at a couple of examples and you will see why object groups are very useful. I’ll start with a simple example for servers in the DMZ. Let’s say we have five web servers in the DMZ. This means we require access to TCP port 80 for their IP addresses. Our access-list could look like this:

ASA1(config)# access-list HTTP_TO_DMZ permit tcp any host 192.168.3.1 eq 80
ASA1(config)# access-list HTTP_TO_DMZ permit tcp any host 192.168.3.2 eq 80
ASA1(config)# access-list HTTP_TO_DMZ permit tcp any host 192.168.3.3 eq 80
ASA1(config)# access-list HTTP_TO_DMZ permit tcp any host 192.168.3.4 eq 80
ASA1(config)# access-list HTTP_TO_DMZ permit tcp any host 192.168.3.5 eq 80

This will work but we require 5 statements in our access-list. Let’s see if we can make this smaller by using an object-group. First i’ll delete this access-list:

ASA1(config)# clear configure access-list HTTP_TO_DMZ

Now I will create a network object-group where I configure the IP addresses of all my servers in the DMZ:

ASA1(config)# object-group network WEB_SERVERS
ASA1(config-network-object-group)# network-object host 192.168.3.1
ASA1(config-network-object-group)# network-object host 192.168.3.2
ASA1(config-network-object-group)# network-object host 192.168.3.3
ASA1(config-network-object-group)# network-object host 192.168.3.4
ASA1(config-network-object-group)# network-object host 192.168.3.5

The object-group is ready, now we will create the access-list again and we’ll use the object-group in it:

ASA1(config)# access-list HTTP_TO_DMZ permit tcp any object-group WEB_SERVERS eq 80

I reduced the access-list from five statements to just one statement. Instead of specifying each IP address separately, I refer to the object-group. This is useful right? If you look in the configuration you will find this single entry:

ASA1(config)# show run | include HTTP_TO_DMZ
access-list HTTP_TO_DMZ extended permit tcp any object-group WEB_SERVERS eq www

However if you look at the access-list, it will show you both the object-group and the specific entries:

ASA1(config)# show access-list HTTP_TO_DMZ 
access-list HTTP_TO_DMZ; 5 elements; name hash: 0x6ce713ae
access-list HTTP_TO_DMZ line 1 extended permit tcp any object-group WEB_SERVERS eq www (hitcnt=0) 0x0964f55b 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.1 eq www (hitcnt=0) 0x461c3d40 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.2 eq www (hitcnt=0) 0x3413c8db 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.3 eq www (hitcnt=0) 0x5ee1c727 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.4 eq www (hitcnt=0) 0x089ddde7 
  access-list HTTP_TO_DMZ line 1 extended permit tcp any host 192.168.3.5 eq www (hitcnt=0) 0x68e87688

The previous example should give you a good idea how you can use object groups to make your access-list smaller. Let’s continue by adding some more requirements. Let’s say that our web servers require access to some extra TCP ports…besides TCP port 80 we also need access to 22, 23 and 443.

We could update our access-list to add these ports:

ASA1(config)# access-list HTTP_TO_DMZ permit tcp any object-group WEB_SERVERS eq 22
ASA1(config)# access-list HTTP_TO_DMZ permit tcp any object-group WEB_SERVERS eq 23
ASA1(config)# access-list HTTP_TO_DMZ permit tcp any object-group WEB_SERVERS eq 443

This does the job but now we have 4 statements…one for each TCP port. Instead of specifying the TCP port in each statement, we will create another object-group that combines all our TCP ports. Here’s what it will look like:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 685 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
Give Membership a try - it's just $1 ►

655 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,

Forum Replies

  1. Hi Asi,

    The “object network” command is to configure a single object:

    ASA1(config)# object network DMZ
ASA1(config-network-object)# ?

  description  Specify description text
  fqdn         Enter this keyword to specify an FQDN
  help         Help for network object configuration commands
  host         Enter this keyword to specify a single host object
  nat          Enable NAT on a singleton object
  no           Remove an object or description from object
  range        Enter this keyword to specify a range
  subnet       Enter this keyword to specify a subn
    ... Continue reading in our forum

  2. Thanks Rene,

    I got that but a doubt strike me - lets start with the below configuration:

    network object  TEST1
subnet 10.0.0.42.0 255.255.255.0

    object-group network dmz
ASA-FW01(config-network-object-group)?
  
  description     Specify description text
  group-object    Configure an object group as an object
  help            Help for network object-group configuration commands
  network-object  Configure a network object
  no              Remove an object or description from object-group

    ASA-FW01(config-network-object-group) network-object ?

  network-obj
    ... Continue reading in our forum

  3. Hi Asi,

    You don’t have to use object-groups but they can make your access-lists much easier to read. Let me give you an example:

    ASA# show run | incl access-list VIRL
access-list VIRL extended permit tcp any object VIRL object-group VIRL_PORTS

    The access-list above only has one line. The object called VIRL can access the ports in VIRL_PORTS. When you take a closer look, you can see there are quite some statements:

    ASA# show access-list VIRL      
access-list VIRL; 12 elements; name hash: 0xa226aadb
access-list VIRL line 1 extended permit tcp any object VIRL ob
    ... Continue reading in our forum

  4. Hi Matt,

    I see what you mean. Normally the format of an extended access-list statement looks like this:

    So it kinda makes sense to use the service object group in the beginning since you specify the protocol with it. The big difference is that is also includes the port numbers which we normally end at the end of the statement.

    Rene

  5. Hi Jeff,

    These can be difficult to read if you find them in the running configuration. If you use the show access-list command, you can see the exact statements that are in effect. For example:

    access-list Access_in extended permit object-group MyProto object-group My_hosts_1 object-group My_hosts_2 log

    Looks like:

    ASA1(config)# show access-list Access_in
access-list Access_in; 24 elements; name hash: 0x49ffabc6
access-list Access_in line 1 extended permit object-group MyProto object-group My_hosts_1 object-group My_hosts_2 log informational interval 300 (hitcn
    ... Continue reading in our forum

14 more replies! Ask a question or join the discussion by visiting our Community Forum

We use cookies to give you the best personal experience on our website. By using our website, you agree to our use of cookies Read more.