Object Grouping


Introduced in PIX software v6.2, object grouping is a major advancement toward making very complex access lists much simpler to configure on the PIX. Before the object-grouping feature was available, each unique network, node, service, and protocol combination that needed to be defined in an access list had to be configured with a separate access-list statement. However, in most organizational security policies, groups of entries have similar access rights. Object groups allow groups of network addresses, services, protocols, and ICMP types to be defined, thereby reducing the number of access list entries needed.

For example, say that an organization wants to deny inside users access to a number of external FTP servers because they are known to be sources of illegal software and viruses. Without object groups, an access list entry has to be defined for each individual FTP server. Using object groups, we can instead define a network object group containing the IP addresses of all the banned FTP servers. Addresses can be added to and removed from this group at will. Now only one access list entry has to be created, denying access from the inside to the object group, and the access list does not need to be modified when entries are added to or removed from the group. As you can see, object groups simplify both the configuration and the maintenance of access lists.

Configuring and Using Object Groups

There are four types of object groups: icmp-type, protocol, network, and service. Each object group type corresponds to a field in the access-list or conduit command. Once an object group has been created, a subconfiguration mode is entered so the group can be populated. Each object group type has different subconfiguration options, so we will look at each separately. Once an object group has been configured, it can be used in an access-list or conduit command.

ICMP-Type Object Groups

An ICMP-type object group is a group of ICMP-type numerical or literal values. ICMP-type object groups can be used in place of the icmp-type parameter in an access list or conduit. To create an ICMP-type object group, the syntax is:

object-group icmp-type <grp_id>

Once an object group has been defined, the subconfiguration mode enables the object group to be populated. At this stage, an optional description can be specified using the description subcommand. To populate the ICMP-type object group, the syntax is as follows:

icmp-object <icmp_type>

For example, the following object group defines ICMP-type values that will be used later with an access list or conduit:

PIX1(config)# object-group icmp-type icmp-grp
PIX1(config-icmp-type)# description ICMP Type allowed into the PIX
PIX1(config-icmp-type)# icmp-object echo-reply
PIX1(config-icmp-type)# icmp-object unreachable
PIX1(config-icmp-type)# exit
PIX1(config)# exit

Network Object Groups

A network object group is a group of host IP addresses or networks. Network object groups can be used in place of a src_addr or dst_addr parameter in an access list or conduit statement. To create a network object group, the syntax is as follows:

object-group network <grp_id> 

Network object groups have two subcommands for defining the group of hosts and networks. The syntax for defining a host entry in the object group is:

network-object host <host_addr | host_name>

The host_addr parameter is the IP address of the host being added to the object group. Alternatively, the host_name parameter specifies the hostname of a host previously defined with the name command.

The syntax for defining a network entry in the object group is:

network-object <net_addr> <netmask>

For example, the following object group defines host and network values to be used later with an access list or conduit:

PIX1(config)# object-group network net-grp
PIX1(config-network)# description List of Public HTTP Servers
PIX1(config-network)# network-object host 192.168.1.10
PIX1(config-network)# network-object host 172.16.10.1
PIX1(config-network)# network-object 172.16.2.0 255.255.255.0
PIX1(config-network)# exit
PIX1(config)# exit

Protocol Object Groups

A protocol object group is a group of protocol numbers or literal values. Protocol object groups can be used in place of the protocol parameter in an access list or conduit. To create a protocol object group, the syntax is as follows:

object-group protocol <grp_id> 

Once an object group has been defined, the subconfiguration mode enables the object group to be populated. To populate the protocol object group, the syntax is:

protocol-object <protocol>

The protocol parameter is a protocol number or literal value. For example, the following object group defines a group of protocols that will be used later with an access list or conduit to provide VPN access:

PIX1(config)# object-group protocol vpn-grp
PIX1(config-protocol)# description Protocols allowed for VPN Access
PIX1(config-protocol)# protocol-object ah
PIX1(config-protocol)# protocol-object esp
PIX1(config-protocol)# protocol-object gre
PIX1(config-protocol)# exit
PIX1(config)# exit

Service Object Groups

A service object group is a group of TCP and/or UDP port numbers or port number ranges. Service object groups can be used in place of the port parameter in an access list or a conduit. The syntax to create a service object group is as follows:

object-group service <grp_id> tcp|udp|tcp-udp

Since a service object group is a listing of ports and port ranges, the ports defined need to be configured as TCP, UDP, or both TCP and UDP. The tcp, udp, and tcp-udp keywords define the common IP protocol for all ports listed in the object group. The subconfiguration command syntax to populate the service object group with a single port is:

port-object eq <port> 

The subconfiguration command syntax to populate the service object group with a range of ports is:

port-object range <begin-port> <end-port>

For example, the following object group defines the ports that all Web servers within an organization need to have opened on the firewall:

PIX1(config)# object-group service websrv-grp tcp
PIX1(config-service)# description Ports needed on public web servers
PIX1(config-service)# port-object eq 80
PIX1(config-service)# port-object eq 8080
PIX1(config-service)# port-object range 9000 9010

To verify that an object group was created and populated with the correct information, we can view the current object group configuration using the show object-group command. Note that the PIX displays well-known ports by name, so the port 80 entered above is shown as www:

PIX1# show object-group
object-group icmp-type icmp-grp
  description: ICMP Type allowed into the PIX
  icmp-object echo-reply
  icmp-object unreachable
object-group network net-grp
  description: List of Public HTTP Servers
  network-object host 192.168.1.10
  network-object host 172.16.10.1
  network-object 172.16.2.0 255.255.255.0
object-group protocol vpn-grp
  description: Protocols allowed for VPN Access
  protocol-object ah
  protocol-object gre
  protocol-object esp
object-group service websrv-grp tcp
  description: Ports needed on public web servers
  port-object eq www
  port-object eq 8080
  port-object range 9000 9010

If one of the object groups does not look correct or is not needed, it can be removed using the no object-group <grp_id> command. Remove any access-list or conduit statements that refer to the group first; the PIX does not allow a group to be deleted while it is still in use.

Object groups can be used in place of their respective values in access lists or conduits, but they must be preceded by the object-group keyword. The PIX expands each such statement into one entry per group member, so a single line can produce many entries; show access-list displays them. As with any other access list, the list does no filtering until it is bound to an interface with the access-group command. For example, to allow the ICMP types defined in the icmp-grp object group to enter the PIX's outside interface, the access-list command is:

PIX1(config)# access-list icmp_in permit icmp any any object-group icmp-grp

To allow access to the Web servers defined in the net-grp on the ports defined in websrv-grp, the command is:

PIX1(config)# access-list outside_in permit tcp any object-group net-grp object-group websrv-grp

One nice feature of object groups is the ability to nest object groups of the same type inside one another with the group-object subcommand. The nested group must already exist and must be of the same type as the group that contains it. For example, the following network group contains every host and network in net-grp plus one additional subnet:

PIX1(config)# object-group network all-servers
PIX1(config-network)# group-object net-grp
PIX1(config-network)# network-object 172.16.3.0 255.255.255.0
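The following script is an added example, not code from the book or from Cisco. It serves both the object group definitions above and the access-list usage and nesting just shown: it parses the object-group syntax used on this page, resolves nested group-object references (rejecting reference cycles and groups of the wrong type), and expands an access-list line that uses object-group keywords into the individual entries the PIX evaluates, in roughly the form show access-list would print them. The sample configuration is constructed to mirror the groups defined on this page; the parser handles only the subset of syntax shown here, and the output format is an approximation of the PIX display, not a reproduction of it.

```python
"""Expand PIX-style object groups into individual access-list entries.

Added example, not code from the book or from Cisco: it models the expansion
the PIX performs when an access-list line refers to object groups.
"""
import itertools

# Constructed sample config mirroring the groups defined on this page.
SAMPLE_CONFIG = """
object-group icmp-type icmp-grp
  icmp-object echo-reply
  icmp-object unreachable
object-group network net-grp
  description List of Public HTTP Servers
  network-object host 192.168.1.10
  network-object host 172.16.10.1
  network-object 172.16.2.0 255.255.255.0
object-group protocol vpn-grp
  protocol-object ah
  protocol-object esp
  protocol-object gre
object-group service websrv-grp tcp
  port-object eq 80
  port-object eq 8080
  port-object range 9000 9010
object-group network all-servers
  group-object net-grp
  network-object 172.16.3.0 255.255.255.0
"""

def parse_object_groups(config):
    """Return {name: (type, members)}; a nested reference is kept as ('group', name)."""
    groups, current = {}, None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "object-group":      # object-group <type> <name> [tcp|udp|tcp-udp]
            current = parts[2]
            groups[current] = (parts[1], [])
        elif current is None or parts[0] == "description":
            continue
        elif parts[0] == "group-object":
            groups[current][1].append(("group", parts[1]))
        elif parts[0] in ("network-object", "port-object", "protocol-object", "icmp-object"):
            groups[current][1].append(" ".join(parts[1:]))   # e.g. "host 10.0.0.1", "eq 80"
    return groups

def flatten(groups, name, _seen=frozenset()):
    """Resolve nested group-object references, rejecting cycles and type mismatches."""
    if name in _seen:
        raise ValueError(f"object-group cycle through {name}")
    if name not in groups:
        raise ValueError(f"unknown object-group {name}")
    kind, members = groups[name]
    out = []
    for m in members:
        if isinstance(m, tuple):                   # nested group must be of the same type
            child = m[1]
            if child in groups and groups[child][0] != kind:
                raise ValueError(f"{child} is a {groups[child][0]} group, not {kind}")
            out.extend(flatten(groups, child, _seen | {name}))
        else:
            out.append(m)
    return out

def _take_addr(groups, tokens, i):
    """Consume one address field: any | host A | object-group G | A MASK."""
    t = tokens[i]
    if t == "any":
        return ["any"], i + 1
    if t == "object-group":
        return flatten(groups, tokens[i + 1]), i + 2
    return [f"{t} {tokens[i + 1]}"], i + 2          # "host A" or "A MASK"

def _take_trailer(groups, tokens, i):
    """Optional port (eq / range / service group) or icmp-type group field.
    A network group in this position belongs to the next address field, as on the PIX."""
    if i < len(tokens):
        t = tokens[i]
        if t == "eq":
            return [f"eq {tokens[i + 1]}"], i + 2
        if t == "range":
            return [f"range {tokens[i + 1]} {tokens[i + 2]}"], i + 3
        if t == "object-group" and groups.get(tokens[i + 1], ("",))[0] in ("service", "icmp-type"):
            return flatten(groups, tokens[i + 1]), i + 2
    return [""], i

def expand_ace(groups, ace):
    """Expand one access-list line into the entries the PIX actually evaluates."""
    tokens = ace.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError("not an access-list line")
    name, action, i = tokens[1], tokens[2], 3
    if tokens[i] == "object-group":                 # protocol object group
        protos, i = flatten(groups, tokens[i + 1]), i + 2
    else:
        protos, i = [tokens[i]], i + 1
    src, i = _take_addr(groups, tokens, i)
    sport, i = _take_trailer(groups, tokens, i)
    dst, i = _take_addr(groups, tokens, i)
    dport, i = _take_trailer(groups, tokens, i)
    if i != len(tokens):
        raise ValueError(f"unparsed tokens: {' '.join(tokens[i:])}")
    return [" ".join(f for f in ("access-list", name, action, p, s, sp, d, dp) if f)
            for p, s, sp, d, dp in itertools.product(protos, src, sport, dst, dport)]
```

Calling expand_ace(parse_object_groups(SAMPLE_CONFIG), "access-list outside_in permit tcp any object-group all-servers object-group websrv-grp") returns twelve entries: the four addresses that all-servers flattens to, times the three port entries in websrv-grp. That product is what makes a nested group containing a large subnet list expensive, and it is why show access-list, not show object-group, is the place to confirm what a line actually permits.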




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240