TheTAZZone - Internet Chaos

Cisco PIX – Object Grouping for quick and easy ACL’s.

ORIGINALLY POSTED BY NOKIA FOR THETAZZONE/TAZFORUM HERE

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network

PIX 6: Object Grouping

It is recommended to read Access Control Lists and Content Filtering before reading this:

http://tazforum.thetazzone.com/viewtopic.php?t=3848

When configuring access rules on the PIX, if you have a lot of servers, protocols, ICMP types and networks that need access lists, writing individual ACLs quickly becomes unwieldy; for this reason Cisco created the Object Group feature.

Object Grouping is supported by version 6.2 and later of the PIX Operating System.

Object grouping allows you to group together the following:

Network – to group hosts and subnets
Protocol – to group IP protocols such as TCP, UDP etc
Service – to group port numbers, hence services
ICMP-type – to group ICMP types

After creating a group, you can apply an access list to everything that is in the group.

Network Object-Group
Say, for example, you have five web servers that all need an external presence (a NAT and an ACL). Instead of creating an ACL for each of them, you can put them all in a network object group and have a single ACL that applies to all of them.

So, say your web servers are addressed 10.10.10.1 through 10.10.10.5 and you have given each of them a static NAT ranging from 80.80.80.81 to 80.80.80.85.

Now that you have NAT'd those to external IPs, you need to configure an access rule permitting traffic to be sent to them. Without Object Grouping you would have to write five different ACLs. That may not sound very time consuming, but imagine you have 10 web servers, 5 FTP servers and a mail server: that is 16 ACLs at a minimum, and 16 ACLs to trawl through whenever you look at the running config. With Object Grouping we can reduce this to just 3 ACLs.

We create an Object Group like so:

Code:
London(config)# object-group network WEB-SERVERS
London(config-network)# description Billing Web Servers
London(config-network)# network-object host 80.80.80.81
London(config-network)# network-object host 80.80.80.82
London(config-network)# network-object host 80.80.80.83
London(config-network)# network-object host 80.80.80.84
London(config-network)# network-object host 80.80.80.85
London(config-network)#exit
London(config)#access-list OUTSIDE_ACL permit tcp any object-group WEB-SERVERS eq www
London(config)#access-group OUTSIDE_ACL in interface outside

Ok, so let's break this down. Our first command tells the PIX that we are configuring an object-group, that it is going to be a network object group, and that we are going to call it WEB-SERVERS.

Code:
London(config)# object-group network WEB-SERVERS

Notice the prompt now changes to

Code:
London(config-network)#

to let us know we are configuring a network object group.

Then we gave it a description. The description should make the purpose of the group obvious, to help yourself and future admins when configuring the firewall. The keyword to enter a description is, funnily enough, description:

Code:
London(config-network)# description Billing Web Servers

Then we defined what is actually in the network object-group:

Code:
London(config-network)# network-object host 80.80.80.81

The first part of the command tells the PIX that we want to add a network-object to the object-group; the rest says that this object is the host with the IP 80.80.80.81. We then repeat this for every host we want to place in the object group.

**As the ACL is applied on the outside interface, it deals with the external IP addresses (the incoming packets are destined for the 80.80.80.x address, not the 10.10.10.x one), so we need to use the external IP of each host. Names can also be used if you have previously configured them.**

So after we have added all the necessary hosts to the object group we save it by exiting from the object-group sub menu:

Code:
London(config-network)#exit

The first thing to note is that it brings us out of the object-group sub menu and places us back in to the global configuration menu. We can tell this as the prompt is now:

Code:
London(config)#

So we have now told the PIX we want to define a network object group, we want to call it WEB-SERVERS and we have told it what hosts we want to place in this object group.
Now we need to take the object-group and apply it to an ACL, as this is the reason we have defined it in the first place.

To do this we configure an ACL in the normal way, but where we would normally put the host address we put the name of the object group:

Code:
London(config)#access-list OUTSIDE_ACL permit tcp any object-group WEB-SERVERS eq www

We start the command in the normal way by telling the PIX that we are configuring an access-list called OUTSIDE_ACL. Then we tell it what the ACL should do: permit tcp traffic from any host that is destined for anything defined in the object-group called WEB-SERVERS, provided the destination port equals www (HTTP). Matching packets are allowed through in accordance with the NAT rule in place for each host.

Without an object group we would need to configure five different ACL’s, one for each host.

Service Object-Group
We can also use object groups to group services/ports such as HTTP, HTTPS, FTP etc.

Code:
London(config)# object-group service WEBandFTP tcp
London(config-service)# port-object eq ftp
London(config-service)# port-object eq http
London(config-service)# port-object range 2000 3000
London(config-service)# exit
London(config)# access-list OUTSIDE_ACL permit tcp any any object-group WEBandFTP
London(config)# access-group OUTSIDE_ACL in interface outside

We define the object group in the same way as the network object group, except that we use the keyword "service" instead of "network", and then name it something that describes what it will do. Directly after the name we tell the PIX which IP protocol the ports belong to; the options are:

TCP
UDP
TCP-UDP

As the services defined in the object group (FTP and HTTP) use TCP, I only need to specify TCP after the object group name. Next, instead of adding hosts as we did in the network object group, we add the ports/services we want to group together. I also added the following command:

Code:
London(config-service)# port-object range 2000 3000

This line is there to illustrate how to group a range of ports together.

Then all that is left to do is apply the object group to an ACL and apply the ACL to an interface if needed.

Code:
London(config)# access-list OUTSIDE_ACL permit tcp any any object-group WEBandFTP
London(config)# access-group OUTSIDE_ACL in interface outside

We can also take the service object groups one step further by having multiple object groups within the same ACL:

Code:
London(config)# object-group service PERMITED-PORTS  tcp
London(config-service)# port-object eq ftp
London(config-service)# port-object range 2020 2021
London(config-service)# exit
London(config)# object-group service HIGH-PORTS tcp
London(config-service)# port-object range 1024 65535
London(config-service)# exit
London(config)# access-list OUTSIDE_ACL permit tcp any object-group HIGH-PORTS any object-group PERMITED-PORTS

Here we have defined two port groups: one consisting of permitted destination ports, in our case FTP and a custom port range (2020-2021), and another service group covering all high-range ports.

In the ACL we are permitting traffic from any host with a source port between 1024 and 65535 to any host, as long as the destination port is in the PERMITED-PORTS object group (21, 2020 or 2021).

ICMP Object-Groups
We can group ICMP types in an object group:

Code:
London(config)# object-group icmp-type PERMITTED_ICMP
London(config-icmp-type)# icmp-object time-exceeded
London(config-icmp-type)# icmp-object echo
London(config-icmp-type)# icmp-object 3
London(config-icmp-type)# exit
London(config)# access-list OUTSIDE_ACL permit icmp any any object-group PERMITTED_ICMP

You can use either the RFC compliant numerical value for the ICMP type or use the ICMP type name.

I think the ICMP object group speaks for itself, so I will not elaborate on it other than to say: use the ICMP types wisely and do not allow unrestricted ICMP into your network.
You can find a list for all the ICMP types and their respective numbers here:

http://www.iana.org/assignments/icmp-parameters

Protocol Object-Groups
IP protocols can also be grouped together with protocol object groups, provided they are the standard protocol names the PIX allows in an access-list, such as TCP, UDP, GRE, EIGRP etc. Basically, if the protocol sits on top of TCP or UDP then it cannot be specified with a protocol object group (use a service object group for that).

Code:
London(config)# object-group protocol WEBSERVERandROUTER
London(config-protocol)# protocol-object tcp
London(config-protocol)# protocol-object udp
London(config-protocol)# protocol-object eigrp
London(config-protocol)# exit
London(config)# access-list OUTSIDE_ACL permit object-group WEBSERVERandROUTER any any

Nesting Object-Groups
Finally, it is possible to nest an object group within another object group of the same type.

So:

Code:
London(config)# object-group network ABC-WEBSERVERS
London(config-network)# network-object host 80.80.80.100
London(config-network)# network-object host 80.80.80.101
London(config-network)# exit
London(config)# object-group network 123-WEBSERVERS
London(config-network)# network-object host 100.100.100.100
London(config-network)# network-object host 100.100.100.101
London(config-network)# exit
London(config)# object-group network ALL-WEBSERVERS
London(config-network)# group-object ABC-WEBSERVERS
London(config-network)# group-object 123-WEBSERVERS
London(config-network)# exit

We have defined two object groups containing web servers belonging to two different companies, ABC and 123 respectively. This lets us configure separate access lists for each company's object group, but we have also made a third object group called ALL-WEBSERVERS, which lets us apply one ACL to the web servers of both companies.

This can be done for any of the four types of object group, but remember that nested groups have to be of the same type, i.e. you cannot nest a protocol object group inside a service object group.

**One point I forgot to mention: the "exit" command saves the newly defined object group to the running config.**
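When reviewing a config that leans on object groups, the question is always "what does this ACL actually permit once the groups are expanded?". The following script is an added example written for this article (it is not the author's code and not a Cisco tool): it reads a constructed PIX-style snippet modelled on the ones above, resolves the four group types including group-object nesting, rejects mixed-type or circular nesting as the PIX would, and expands each access-list line into the flat entries it stands for. It only understands the simplified PIX 6.x syntax shown on this page; the sample config, group names and the entry format are my own.

```python
"""Expand Cisco PIX object-group ACLs into the flat entries they stand for.

Added example for this article (not the author's code, not a Cisco tool).
Handles only the simplified PIX 6.x syntax shown in the article: network,
service, protocol and icmp-type groups, plus group-object nesting.
"""
import itertools
from typing import Dict, List, Optional, Tuple

# Constructed sample config modelled on the article's snippets (not a real device).
PIX_CONFIG = """\
object-group network WEB-SERVERS
 network-object host 80.80.80.81
object-group network ALL-WEBSERVERS
 group-object WEB-SERVERS
 network-object 100.100.100.0 255.255.255.0
object-group service WEBandFTP tcp
 port-object eq ftp
 port-object range 2000 2001
object-group icmp-type PERMITTED_ICMP
 icmp-object echo
 icmp-object 3
object-group protocol WEBSERVERandROUTER
 protocol-object tcp
 protocol-object eigrp
access-list OUTSIDE_ACL permit tcp any object-group ALL-WEBSERVERS object-group WEBandFTP
access-list OUTSIDE_ACL permit icmp any any object-group PERMITTED_ICMP
access-list OUTSIDE_ACL permit object-group WEBSERVERandROUTER any any
"""

class ObjectGroup:
    def __init__(self, gtype: str, name: str) -> None:
        self.gtype = gtype            # network | service | protocol | icmp-type
        self.name = name
        self.members: List[str] = []  # literal members, e.g. "host 80.80.80.81"
        self.refs: List[str] = []     # nested groups added with group-object

def parse_config(text: str) -> Tuple[Dict[str, ObjectGroup], List[List[str]]]:
    """Collect object groups and access-list lines from a config snippet."""
    groups: Dict[str, ObjectGroup] = {}
    acls: List[List[str]] = []
    current: Optional[ObjectGroup] = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] in ("description", "exit"):
            continue
        if tok[0] == "object-group":          # e.g. "object-group service NAME tcp"
            current = ObjectGroup(tok[1], tok[2])
            groups[current.name] = current
        elif tok[0] == "access-list":
            current = None
            acls.append(tok)
        elif current is None:
            raise ValueError(f"unsupported line outside a group: {raw}")
        elif tok[0] == "group-object":
            current.refs.append(tok[1])
        else:                                 # network-object / port-object / ...
            current.members.append(" ".join(tok[1:]))
    return groups, acls

def resolve(groups, name, path=()) -> List[str]:
    """Flatten a group, following group-object references of the same type."""
    if name in path:
        raise ValueError("circular group-object reference: " + " -> ".join(path + (name,)))
    group = groups[name]
    flat = list(group.members)
    for ref in group.refs:
        if groups[ref].gtype != group.gtype:  # the PIX only nests groups of one type
            raise ValueError(f"cannot nest {groups[ref].gtype} group {ref} in {group.gtype} group {name}")
        flat.extend(resolve(groups, ref, path + (name,)))
    return flat

def _group(groups, tok, i, want):
    """(members, next index) if tok[i] is an object-group of type `want`, else None."""
    if i < len(tok) and tok[i] == "object-group" and groups[tok[i + 1]].gtype == want:
        return resolve(groups, tok[i + 1]), i + 2
    return None

def _addr(groups, tok, i):
    """any | host A.B.C.D | NET MASK | object-group <network group>."""
    found = _group(groups, tok, i, "network")
    if found:
        return found
    if tok[i] == "any":
        return ["any"], i + 1
    return [" ".join(tok[i:i + 2])], i + 2

def _port(groups, tok, i, after_dst):
    """eq P | range A B | object-group <service or icmp-type group>; '-' if absent."""
    if i < len(tok):
        found = _group(groups, tok, i, "service") or _group(groups, tok, i, "icmp-type")
        if found:
            return found
        if tok[i] == "eq":
            return [" ".join(tok[i:i + 2])], i + 2
        if tok[i] == "range":
            return [" ".join(tok[i:i + 3])], i + 3
        if after_dst:                         # bare ICMP type, e.g. "... any any echo"
            return [tok[i]], i + 1
    return ["-"], i

def expand_acl(groups, tok) -> List[Tuple[str, ...]]:
    """One access-list line -> (acl, action, proto, src, sport, dst, dport) entries."""
    name, action, i = tok[1], tok[2], 3
    protos, i = _group(groups, tok, i, "protocol") or ([tok[i]], i + 1)
    src, i = _addr(groups, tok, i)
    sport, i = _port(groups, tok, i, after_dst=False)
    dst, i = _addr(groups, tok, i)
    dport, i = _port(groups, tok, i, after_dst=True)
    return [(name, action, p, s, sp, d, dp)
            for p, s, sp, d, dp in itertools.product(protos, src, sport, dst, dport)]

def expand_all(text: str) -> List[Tuple[str, ...]]:
    groups, acls = parse_config(text)
    return [entry for tok in acls for entry in expand_acl(groups, tok)]

def nesting_is_valid(text: str) -> bool:
    """True if every group-object reference exists, matches in type and has no cycle."""
    groups, _ = parse_config(text)
    try:
        for name in groups:
            resolve(groups, name)
    except (ValueError, KeyError):
        return False
    return True

if __name__ == "__main__":
    for entry in expand_all(PIX_CONFIG):
        print(" ".join(entry))
```

Running it prints eight flat entries for the three access-list lines in the sample, which is the trade-off the article describes in reverse: a handful of object-group ACLs stand for many individual rules, so a review should always look at the expanded form. nesting_is_valid mirrors the same-type rule from the nesting section and also catches a group that references itself through another group.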

Next PIX instalment will be Modular Policy Framework (MPF)
