I am currently migrating some PIX firewalls to ASA and I have been rewriting the access-lists to be more efficient and easy to read. This is done by using objects and object-groups. Lets first talk about objects, the object can only have one entry, it is useful if we want to reference a single host or a single subnet, this is the syntax:
This means that we we write our ACL, lets call it OUTSIDE_IN we can reference this object. So instead of access-list OUTSIDE_IN permit tcp any 22.214.171.124 eq http we get access-list OUTSIDE_IN permit tcp any object WEBSERVER eq http. This makes our ACL’s a little easier to read although something at port 80 is quite easy to say what it does but we can use the same technique for all servers or objects that we want to reference by name. I could also have done this with a subnet:
I could then use this in my ACL instead of using 192.168.33.0 and I would immidiately now what this subnet is for if I need to read the ACL.
I can also do more complex things using object-groups. Lets say that we have a company with a lot of webservers and we want to permit HTTP from the outside in. We might not want to permit HTTP to the whole subnet but only to the hosts, this would mean 5 lines of ACL, a different approach is to use object-groups:
The ACL line would then be access-list OUTSIDE_IN permit tcp any object-group WEBSERVERS eq http. This means one line instead of five. Our ACL will be much more readable when doing a show run. If we do a show access-list the access-list will be expanded to show the host entries.
We can also use object-groups to group ports. Lets say that the webservers should also be accessible from HTTPS(443) and SSH(22). We can group this together and do:
Then my ACL will be access-list OUTSIDE_IN permit tcp any object-group WEBSERVERS object-group WWW-HTTPS-SSH. This will save us a lot of lines and also make more readable ACL’s. This is a powerful feature and I suggest you start using it.