I am currently migrating some PIX firewalls to ASA, and I have been rewriting the access-lists to be more efficient and easier to read. This is done by using objects and object-groups. Let's first talk about objects. An object can only have one entry, so it is useful when we want to reference a single host or a single subnet. This is the syntax:

object network WEBSERVER
host 1.1.1.1

This means that when we write our ACL, let's call it OUTSIDE_IN, we can reference this object. So instead of access-list OUTSIDE_IN permit tcp any host 1.1.1.1 eq http we get access-list OUTSIDE_IN permit tcp any object WEBSERVER eq http. This makes our ACLs a little easier to read. Admittedly, a rule for port 80 is already easy to understand, but we can use the same technique for all the servers or objects that we want to reference by name. I could also have done this with a subnet:

object network GUEST-SUBNET
subnet 192.168.33.0 255.255.255.0

I could then use this in my ACL instead of 192.168.33.0, and I would immediately know what this subnet is for if I need to read the ACL.

I can also do more complex things using object-groups. Let's say that we have a company with a lot of web servers and we want to permit HTTP from the outside in. We might not want to permit HTTP to the whole subnet but only to the individual hosts; this would mean 5 lines of ACL. A different approach is to use object-groups:

object-group network WEBSERVERS
network-object host 1.1.1.1
network-object host 1.1.1.2
network-object host 1.1.1.3
network-object host 1.1.1.4
network-object host 1.1.1.5

The ACL line would then be access-list OUTSIDE_IN permit tcp any object-group WEBSERVERS eq http. This means one line instead of five. Our ACL will be much more readable in a show run. If we do a show access-list, the access-list will be expanded to show the individual host entries.

We can also use object-groups to group ports. Let's say that the web servers should also be accessible over HTTPS (443) and SSH (22). We can group these together:

object-group service WWW-HTTPS-SSH tcp
port-object eq www
port-object eq ssh
port-object eq https

Then my ACL will be access-list OUTSIDE_IN permit tcp any object-group WEBSERVERS object-group WWW-HTTPS-SSH. This will save us a lot of lines and also make our ACLs more readable. This is a powerful feature, and I suggest you start using it.
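The firewall still evaluates one access-control entry per combination of group members, so the real reach of a one-line rule is what the expanded form in show access-list reveals. As an added example that is not part of the original post, the following Python script expands the objects, object-groups and final ACL line from above (reproduced in the post's simplified syntax as a constructed sample) into those individual entries, so the count and contents of what a group actually permits can be reviewed:

```python
from itertools import product

# Constructed sample: the object, object-group definitions and the final ACL
# line from the post above, written in the same simplified form the post uses.
CONFIG = """\
object network WEBSERVER
 host 1.1.1.1
object-group network WEBSERVERS
 network-object host 1.1.1.1
 network-object host 1.1.1.2
 network-object host 1.1.1.3
 network-object host 1.1.1.4
 network-object host 1.1.1.5
object-group service WWW-HTTPS-SSH tcp
 port-object eq www
 port-object eq ssh
 port-object eq https
"""
ACL = "access-list OUTSIDE_IN permit tcp any object-group WEBSERVERS object-group WWW-HTTPS-SSH"

def parse_objects(config):
    """Map each object / object-group name to the list of members it stands for."""
    members, current = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok and tok[0] in ("object", "object-group"):
            current = tok[2]          # "object network NAME" / "object-group service NAME tcp"
            members[current] = []
        elif tok and current:
            # 'host A' is kept whole; 'subnet', 'network-object' and 'port-object' drop their keyword
            keep = tok if tok[0] == "host" else tok[1:]
            members[current].append(" ".join(keep))
    return members

def expand_acl(acl_line, members):
    """Replace every 'object NAME' / 'object-group NAME' reference with its members,
    producing one ACE per combination, which is what 'show access-list' displays."""
    parts, tok, i = [], acl_line.split(), 0
    while i < len(tok):
        if tok[i] in ("object", "object-group"):
            parts.append(members[tok[i + 1]])   # one alternative per group member
            i += 2
        else:
            parts.append([tok[i]])              # literal keyword, copied unchanged
            i += 1
    return [" ".join(combo) for combo in product(*parts)]

if __name__ == "__main__":
    aces = expand_acl(ACL, parse_objects(CONFIG))
    print(f"{len(aces)} ACEs behind one line:\n" + "\n".join(aces))
```

Every additional member in either group multiplies the number of entries, so a review of the expanded output is the quickest way to confirm a group has not grown beyond what the rule was meant to permit.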

Cisco ASA – Efficient access-lists with object-groups