Jul 24, 2010

Simplifying ACEs using object-groups

In this post I will present a simplification for implementing an ACE using an object-group. It is not described in the ASA/PIX command reference; the only place it appears is a configuration example in the configuration guide on the Cisco portal.

Service object-groups, defined as tcp-udp or for any protocol (supported since OS version 8.x), may be applied as the protocol argument of an ACE. This is very useful when one needs to implement rules for traffic that is carried over both TCP and UDP (e.g., DNS), or simply to keep the number of ACL lines as low as possible.

To create an ACE to permit IPSec traffic:

asa(config)# object-group service ipsec_protocols
asa(config-service)# service-object esp
asa(config-service)# service-object ah
asa(config-service)# service-object udp eq isakmp
asa(config-service)# service-object udp eq 4500
asa(config-service)# exit
asa(config)# access-list inside_access_in extended permit object-group ipsec_protocols any any

The eq operator may be omitted when entering the commands. The resulting rules are:

access-list inside_access_in line 1 extended permit object-group ipsec_protocols any any 0xaefe6069
   access-list inside_access_in line 1 extended permit esp any any (hitcnt=0) 0x42618d78
   access-list inside_access_in line 1 extended permit ah any any (hitcnt=0) 0xd11198fa
   access-list inside_access_in line 1 extended permit udp any any eq isakmp (hitcnt=0) 0xfea7aa72
   access-list inside_access_in line 1 extended permit udp any any eq 4500 (hitcnt=0) 0xa3677aab


To allow both DNS queries and zone transfer:

asa(config)# object-group service DNS
asa(config-service)# service-object tcp-udp eq domain
asa(config-service)# exit
asa(config)# access-list inside_access_in extended permit object-group DNS any any

In this case, the object-group could also be defined as tcp-udp:

asa(config)# object-group service DNS tcp-udp
asa(config-service)# port-object eq domain

Note that in this second example you must use the port-object command instead of service-object. The resulting rules for the above object-groups are:

access-list inside_access_in line 2 extended permit object-group DNS any any 0xcfb04a70
   access-list inside_access_in line 2 extended permit tcp any any eq domain (hitcnt=0) 0x88d26f2a
   access-list inside_access_in line 2 extended permit udp any any eq domain (hitcnt=0) 0xcf394c76
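To see what the ASA actually installs when an object-group is used as the protocol argument, here is an added Python example (not from the post and not Cisco code) that parses a running-config excerpt in the form above and reproduces the expansion shown by show access-list: each service-object becomes its own rule, and a tcp-udp entry becomes one TCP rule plus one UDP rule, with line numbers counted per ACL. The sample configuration is constructed to mirror the post's groups; the hit counters and hashes of the real output are not modelled.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration in running-config form (the shape the ASA
# stores after the object-groups and ACEs from the post are entered).
SAMPLE_CONFIG = """\
object-group service ipsec_protocols
 service-object esp
 service-object ah
 service-object udp eq isakmp
 service-object udp 4500
object-group service DNS tcp-udp
 port-object eq domain
access-list inside_access_in extended permit object-group ipsec_protocols any any
access-list inside_access_in extended permit object-group DNS any any
"""

Entry = Tuple[str, Optional[str]]  # (protocol, destination port or None)


def parse_config(text: str) -> Tuple[Dict[str, List[Entry]], List[Tuple[str, ...]]]:
    """Collect service object-groups and the ACEs that reference them."""
    groups: Dict[str, List[Entry]] = {}
    aces: List[Tuple[str, ...]] = []
    current: Optional[str] = None      # object-group currently being filled
    group_proto: Optional[str] = None  # tcp/udp/tcp-udp of a port-object group
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"object-group service (\S+)(?: (tcp|udp|tcp-udp))?", line)
        if m:
            current, group_proto = m.group(1), m.group(2)
            groups[current] = []
            continue
        # "eq" is optional when the command is entered, so accept both forms.
        m = re.fullmatch(r"service-object (\S+)(?: (?:eq )?(\S+))?", line)
        if m and current is not None:
            groups[current].append((m.group(1), m.group(2)))
            continue
        # port-object only exists in protocol-typed groups; inherit the protocol.
        m = re.fullmatch(r"port-object (?:eq )?(\S+)", line)
        if m and current is not None and group_proto is not None:
            groups[current].append((group_proto, m.group(1)))
            continue
        m = re.fullmatch(
            r"access-list (\S+) extended (permit|deny) object-group (\S+) (\S+) (\S+)",
            line,
        )
        if m:
            current = None  # an access-list line ends the object-group block
            aces.append(m.groups())
    return groups, aces


def expand(groups: Dict[str, List[Entry]], aces: List[Tuple[str, ...]]) -> List[str]:
    """Expand each object-group ACE into the per-protocol rules the firewall
    installs, numbering lines per ACL the way show access-list does."""
    rules: List[str] = []
    next_line: Dict[str, int] = {}
    for acl, action, group, src, dst in aces:
        if group not in groups:
            raise ValueError(f"ACE references undefined object-group {group}")
        line_no = next_line.get(acl, 0) + 1
        next_line[acl] = line_no
        for proto, port in groups[group]:
            # A tcp-udp entry becomes one TCP rule and one UDP rule.
            for p in (["tcp", "udp"] if proto == "tcp-udp" else [proto]):
                rule = f"access-list {acl} line {line_no} extended {action} {p} {src} {dst}"
                if port is not None:
                    rule += f" eq {port}"
                rules.append(rule)
    return rules


if __name__ == "__main__":
    g, a = parse_config(SAMPLE_CONFIG)
    for r in expand(g, a):
        print(r)
```

Running it on the sample prints the six expanded rules (four for line 1, two for line 2), which is the list an auditor should compare against show access-list when checking what a compact object-group ACE really permits.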


Curiosity:

There is an example in the ASA OS 8.2 configuration guide showing service-objects of types tcp, udp or tcp-udp with source and/or destination ports:


So far I've never found a release that supports those commands. It just looks like NetScreen configuration.


asa(config)# end
asa# wr mem
