Let's use a configuration example to illustrate the difference betwwen "object group" and "simple ACL" configuration. In this example, "simple access-list" have been used first and later "object group". At the end of this post, we will clarify the difference.
Tasks :
The example is about restricting several hosts having the following respective ip addresses 10.1.1.4, 10.1.1.78 and 10.1.1.89, located on the inside network from accessing several web servers (209.165.201.29, 209.165.201.16 and 209.165.201.78) . All other traffic is allowed.
Simple ACL configuration :
(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.29 eq www
(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.29 eq www
(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.29 eq www
(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.16 eq www
(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.16 eq www
(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.16 eq www
(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.78 eq www
(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.78 eq www
(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.78 eq www
(config)# access-list ACL_IN extended permit ip any any
(config)# access-group ACL_IN in interface inside
/* the access-list denies 3 hosts (10.1.1.4, 10.1.1.78 and 10.1.1.89) located in the inside zone from access the following web servers : 209.165.201.29, 209.165.201.16 and 209.165.201.78 */
/* the "access-group" command applies this acl named "ACL_IN" in the inside interface of the Cisco ASA "inboundly" */
/* Note that using simple ACL, we need 11 lines of commands to resolve this scenario. Let's see how we would have done it using object group in the following lines*/
Object group ACL configuration :
(config)# object-group network denied
(config-network)# network-object host 10.1.1.4
(config-network)# network-object host 10.1.1.78
(config-network)# network-object host 10.1.1.89
(config-network)# object-group network web
(config-network)# network-object host 209.165.201.29
(config-network)# network-object host 209.165.201.16
(config-network)# network-object host 209.165.201.78
(config-network)# access-list ACL_IN extended deny tcp object-group denied object-group web eq www
(config)# access-list ACL_IN extended permit ip any any
(config)# access-group ACL_IN in interface inside
Cisco objects group Vs simple access-list
The goal of object group is to simplify ACL configuration in Cisco ASA by reducing the number of commands needed to accomplish an ACl task.
When we take a look at our example above, there is no difference at first : the same number of command lines (in this case 11) have been used to accomplish the task both using simple ACL and object group. SO WHAT'S THE DEFFERENCE ? WHICH ONE IS BETTER ? The answer is "objects group". Let me explain why. Suppose we wanted to add a fourth web server (209.165.201.80) in the list of servers that shouldn't be accessed. Using "object group", we would have gone into the "web object group configuration mode" and just add the new web server ip address, that is it, just one more line. If we were using "simple ACL", we would have added 3 more lines of commands, the following 3 lines instead of 1 :
(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.80 eq www
(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.80 eq www
(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.80 eq www
Seeing the difference ?
To know more about object, visite this Cisco's page
No comments:
Post a Comment