The Basics of Object Grouping

Another new feature introduced in version 6.2 is object grouping for access control lists and conduit commands. Object grouping creates groups of networks, services, ICMP, and protocols that allow themselves to be joined together in access lists, conduits , or members of other object groups.

Object groups enable you to save the amount of access list entries needed to create large ACLs by allowing you to reference object groups. For example, a typical access list that needs 5 IP addresses and 3 services (such as Telnet, WWW, and FTP) for each would require 15 ACL entries. If you used object grouping, you would need only 1 object group for the 5 IP addresses ( network ) and 1 object group for the 3 ports (Telnet, WWW, and FTP [ services ]). Then, you could join these 2 groups with a single access list. The result of the 2 groups would produce a large list of 15 entries that contains every combination of IP address and services.

When working on large, complex access lists, object groups enable you to save on the number of entries needed to create the access list.

Figure 6.5 displays an access list joining two object groups into one access list entry that contains every combination of the two object groups.

Types of Object Groups

The four types of object group commands that can be used are network , service , protocols , and icmp-types . Table 6.9 displays the object group commands.

Table 6.9. Types of object-group Commands

The object group commands listed in Table 6.9 place you into a subconfiguration mode. To leave this mode, just type exit to return to the normal configuration mode prompt.

Know the four types of object groups: network, service, protocol , and icmp-type . Also, be sure you know the commands needed to create them.

Object Group Networks

Network groups are used to create large lists of hosts or networks that can be used in access list commands. The command sequence is shown in Listing 6.12, and the options are listed in Table 6.10.

Listing 6.12 object-group Network Commands

 Pixfirewall(config)# object-group network obj_grp_id Pixfirewall(config-network)# description Pixfirewall(config-network)# network-object host host_address Pixfirewall(config-network)# network-object network_address subnet_mask Pixfirewall(config-network)# group-object 

Table 6.10. object-group network Command Options

Listing 6.13 displays a network object group called TheNetworkList being created. The description is set, and four host addresses and one subnet entry are added to the group.

Listing 6.13 Example of the object-group network Command

 pixfirewall(config)# object-group network TheNetworkList pixfirewall(config-network)# description This is my great network list pixfirewall(config-network)# network-object host 10.0.0.1 pixfirewall(config-network)# network-object host 10.0.0.2 pixfirewall(config-network)# network-object host 10.0.0.3 pixfirewall(config-network)# network-object host 10.0.0.4 pixfirewall(config-network)# network-object 11.0.0.0 255.0.0.0 pixfirewall(config-network)# exit pixfirewall(config)# show object-group id TheNetworkList object-group network TheNetworkList   description: This is my great network list   network-object host 10.0.0.1   network-object host 10.0.0.2   network-object host 10.0.0.3   network-object host 10.0.0.4   network-object 11.0.0.0 255.0.0.0 pixfirewall(config)# 

Object Group Services

Service groups are used to create lists of TCP and UDP port number services, such as Telnet, WWW, and FTP. The command sequence is shown in Listing 6.14.

Listing 6.14 object-group Services Commands

 Pixfirewall(config)# object-group service obj_grp_id tcpudptcp-udp Pixfirewall(config-service)# description Pixfirewall(config-service)# port-object eqrange Pixfirewall(config-service)# group-object 

Table 6.11 displays the commands and syntax needed to support the object-group service command.

Table 6.11. object-group services Command Options

Listing 6.15 displays a service object group called ThePortList being created. This group sets the description and creates matching entries for Telnet, WWW, and FTP ports. Lastly, a range of ports from 1433 to 1435 is set.

Listing 6.15 Example of the object-group service Command

 pixfirewall(config)# object-group service ThePortList tcp pixfirewall(config-service)# description This is my great port list pixfirewall(config-service)# port-object eq telnet pixfirewall(config-service)# port-object eq www pixfirewall(config-service)# port-object eq ftp pixfirewall(config-service)# port-object range 1433 1435 pixfirewall(config-service)# exit pixfirewall(config)# show object-group id ThePortList object-group service ThePortList tcp   description: This is my great port list   port-object eq telnet   port-object eq www   port-object eq ftp   port-object range 1433 1435 pixfirewall(config)# 

Object Group Protocols

Protocol groups enable you to create a group of protocols such as IP, TCP, UDP, or ICMP. This object group can be used in the protocol portion of an access list command. The command sequence is shown in Listing 6.16.

Listing 6.16 object-group protocol Commands

 Pixfirewall(config)# object-group protocol obj_grp_id Pixfirewall(config-protocol)# description Pixfirewall(config-protocol)# protocol-object protocol Pixfirewall(config-protocol)# group-object 

Table 6.12 displays the command options for the object-group protocol command.

Table 6.12. object-group protocol Command Options

Listing 6.17 displays a protocol object group called TheProtocolList being created. This group sets the description and creates three entries for TCP, UDP, and GRE protocols.

Listing 6.17 Example of the object-group protocol Command

 pixfirewall(config)# object-group protocol TheProtocolList pixfirewall(config-protocol)# description This is my great protocol list pixfirewall(config-protocol)# protocol-object tcp pixfirewall(config-protocol)# protocol-object udp pixfirewall(config-protocol)# protocol-object gre pixfirewall(config-protocol)# exit pixfirewall(config)# show object-group id TheProtocolList object-group protocol TheProtocolList   description: This is my great protocol list   protocol-object tcp   protocol-object udp   protocol-object gre pixfirewall(config)# 

After the object-group protocol FastStuff command, the next line takes you into the configuration for that object group ( FastStuff ). The command prompt displays pixfirewall(config-protocol)# .

ICMP Groups

ICMP groups enable you to create groups based on ICMP messages. Listing 6.18 shows the syntax for this command.

Listing 6.18 object-group icmp Commands

 Pixfirewall(config)# object-group icmp-type obj_grp_id Pixfirewall(config-icmp-type)# description Pixfirewall(config-icmp-type)# icmp-object type Pixfirewall(config-icmp-type)# group-object 

Table 6.13 displays the options for the object-group icmp command.

Table 6.13. object-group icmp Command Options

Listing 6.19 displays an ICMP object group called TheICMPList being created. This group sets the description and creates two ICMP entries: echo and echo-reply .

Listing 6.19 Example of the object-group icmp-type Command

 pixfirewall(config)# object-group icmp-type TheICMPList pixfirewall(config-icmp-type)# description This is my great icmp list pixfirewall(config-icmp-type)# icmp-object echo pixfirewall(config-icmp-type)# icmp-object echo-reply pixfirewall(config-icmp-type)# exit pixfirewall(config)# show object-group id TheICMPList object-group icmp-type TheICMPList   description: This is my great icmp list   icmp-object echo   icmp-object echo-reply pixfirewall(config)# 

Displaying Object Groups

To display existing object groups, you can use the show object-group commands, which are explained in Table 6.14.

Table 6.14. show object-group Commands

Deleting Object Groups

To delete an object group, you must first remove it from any other reference that might be using it. For example, if the object group TheICMPList is being used by an access list, you must remove it from the access list before you can delete it. Table 6.15 displays the commands used to delete object groups.

Table 6.15. clear object-group Commands

The command shown here deletes the object group called TheICMPList :

 pixfirewall(config)#  no object-group icmp-type TheICMPList 

Nesting Object Groups

Object groups can also be nested inside other object groups. In Figure 6.6, two network groups are referenced in a third network object group. This new group could then be used by an access list or conduit command to produce the result of all the addresses.

One restriction is that you can only nest groups of the same type. For example, network groups can be nested only into other network groups.

To demonstrate , Listing 6.20 shows how two groups can be nested into a third group.

Listing 6.20 Nesting object-group Commands Example

 pixfirewall(config)# object-group network TheIPList1 pixfirewall(config-network)# description This is my great list 1 pixfirewall(config-network)# network-object host 10.0.0.1 pixfirewall(config-network)# network-object host 10.0.0.2 pixfirewall(config-network)# network-object host 10.0.0.3 pixfirewall(config-network)# network-object host 10.0.0.4 pixfirewall(config-network)# network-object host 10.0.0.5 pixfirewall(config-network)# exit pixfirewall(config)# pixfirewall(config)# object-group network TheIPList2 pixfirewall(config-network)# description This is my great list 2 pixfirewall(config-network)# network-object host 169.254.1.1 pixfirewall(config-network)# network-object host 169.254.1.2 pixfirewall(config-network)# network-object host 169.254.1.3 pixfirewall(config-network)# exit pixfirewall(config)# pixfirewall(config)# object-group network TheIPList3 pixfirewall(config-network)# description This is my great list 3 pixfirewall(config-network)# group-object TheIPList1 pixfirewall(config-network)# group-object TheIPList2 pixfirewall(config-network)# exit pixfirewall(config)# 

Listing 6.20 shows that the object group TheIPList3 contains references to both the TheIPList1 and TheIPList2 object groups.