Cisco CCIE Security 350-701- ASA ACLs – Object Groups Part 2

  1. ACL Object Groups

Object groups are a method of grouping similar items together to minimize the number of access control entries. In the previous example we saw some ACLs; if you take an example where you have a very big environment, you need to write plenty of access control rules. The number of access control entries you are going to write is going to increase depending upon the number of servers we have and the number of source and destination addresses we have. Just like in this example here, I have multiple servers. Let's say there are three servers: 2212 and these two, three servers. And these three servers are hosting three different services, let's say. So maybe you're hosting some three services.

So overall, three servers hosting three different services, probably around nine combinations. And I want to make sure that the user sitting in the LAN should not be able to access these selected servers or these services in general. Maybe you want to deny the traffic, or maybe you want to allow the users; maybe there is a DMZ and you want the user sitting on the outside network to be permitted to access these servers. If you go with the normal ACL entries, it's going to increase the number of access control entries. Because if you just go with the normal ACLs, in my case, let's say I want to deny the user sitting in my LAN from accessing this service, I probably write a statement from the source, maybe my LAN, which can be just the 1.x network or the 10.x network here.

So this is actually the 1.1.1.x network, and from this source we need to write the destination and these are the services. So write the three services, and likewise we need to define the same thing for the user sitting in my LAN, the source going to this second server with all three services, and likewise the same thing from the same source to a different destination. Of course the services are the same. Now count the number of access control entries, and finally you need to say permit ip any any and then apply it on the interface. So the number of access control entries will automatically increase with the normal ACLs. What we can do instead is group them. But before we discuss grouping, let's see what the actual drawbacks of the normal entries are.

If I'm writing nine entries as per my example, the number of entries increases. Overall, the entries will increase depending upon the number of destinations we have and the number of services we have. It also adds unnecessary processing overhead and delay. Let's say I end with permit ip any any: when the traffic hits the interface where the ACL is applied, the ASA checks all the entries and only then permits the traffic. So if I'm saying deny, deny, deny and then permit ip any any, each and every time the traffic is permitted it has to go through all these lines, check them, and finally permit the traffic, because the ACL works in sequential order. The more entries we have, the more delay is added, because they are processed in sequential order.

It also consumes unnecessary CPU resources on the ASA, or on routers in general, depending upon the number of entries we write. And again, if you want to modify the existing lines, it becomes much more complicated. Let's say I want to remove any one of these lines: then we need to copy and paste, we need to use sequence numbers and figure out which sequence number this line has and then remove it. Or maybe you want to modify an existing statement, like the server destination address changes or the services change; it becomes a little bit difficult to modify the existing ACLs. So it's not really easy to add or modify the existing ACL rules.

And also, if you have too many entries, it is not scalable, because if you have plenty of servers and plenty of sources and destinations, it's not an easy job to do all these things. So the ASA supports something called object groups. With object groups, what we do is combine multiple servers into one group, and that's what we call an object group. Like in this example, what we'll do is create one group, and in that group I'm going to mention all the servers, because according to my example, let's say this is my source and the traffic is destined to these three servers. So I'm going to create one group of servers and define them inside one group. We call them objects. Then I'll create another group, a group of services, because here I'm hosting three different services, maybe FTP here.

So for these services I'll be creating two object groups. One identifies my destination and one identifies the selected services I want to restrict. You can also have a separate source group: if you have multiple sources here, you can create another group which matches the sources. Here we just have one source, so I don't need to create an object group for it. And then we simply write an ACL which says: if the traffic is coming from the source, from the LAN, let's say the 10.x network or 1.x network, whatever network we are using, and if the destination is group one, which means it is destined to any one of these destinations, and if the service is in group two, any one of these services, I can simply say deny.

Which means in one line statement I define: if the traffic is coming from this source going to any one of the destinations in the group, to any one of the services in the group, simply deny, and then we say permit ip any any. So we can combine all these statements into one group, which makes it much easier for us to add the ACL statements and at the same time reduces the number of entries we need to write. Here we write only two entries instead of the ten entries in the previous example. So we create object groups where we don't write individual IP addresses, because we group all those addresses into one group, and protocols and ports

can also be grouped into one group. This feature is supported in most ASA firewalls, starting from the PIX versions in the older days, and it is also supported in some of the newer IOS versions: some of the 12.4 IOS versions support it on routers, and most of the 15 IOS versions also support it. Now the main advantage is reducing the number of entries. We don't need to write too many entries like we did earlier without object groups. It's easy to configure and makes the ACL much smaller, more readable, and easy to configure at the same time. And in future, if you want to add any new servers, like maybe one more server, you just need to add it to the group.

You don't need to modify the ACL. And let's say you are removing any of the servers or changing any of the servers: you just need to modify the object group, no need to modify the ACL. So it makes modifying or changing the services much easier, and it makes it easier to update the ACLs on any IP change; that's what I just discussed. That's how object groups help us, so most of the advanced ACL scenarios will be using object groups. Now, we can create four different types of object groups. Most commonly we use the network object group, which matches a specific source or destination, maybe a network: we can match a specific network, a specific host, or a group of hosts hosting the services. The other one is the service object group, because we may want to allow or deny specific services; we can simply group the services.

We can also match protocols, like TCP and UDP combinations, but mostly we don't; we may have some requirement with the protocols. You may not want to filter all the protocols, but you can still say match TCP and UDP, both protocols at the same time, in one object group. We can even match some ICMP type messages. So here I have some examples of the configuration. If you are going with a protocol-based object group, we will be matching either TCP or UDP protocols: we create an object-group protocol and then define which protocols you want to match in one group. Likewise, if you want to match specific networks, we can define a single host, a range of hosts, or even the network ID with the subnet mask to match specific hosts or specific networks in general. Likewise we can match specific protocols, multiple protocols in one object group. And we can also match ICMP types.
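To put the four object-group types in concrete syntax, here is an added ASA configuration example; it is not taken from the lecture or its lab, and every name, address and port in it is an assumption I constructed for illustration.

```cisco
! Added example: the four ASA object-group types and one ACE referencing each.
! All names, addresses and ports below are constructed for illustration.

! 1. Network group: a single host, a whole subnet, and a host range
!    (the range lives in a network object that the group references).
object network SRV-RANGE
 range 192.168.50.10 192.168.50.20
object-group network DST-SERVERS
 network-object host 192.168.50.5
 network-object 192.168.60.0 255.255.255.0
 network-object object SRV-RANGE

! 2. Service group: TCP ports matched with eq or with a range
object-group service WEB-SERVICES tcp
 port-object eq www
 port-object eq ftp
 port-object range 8000 8080

! 3. Protocol group: TCP and UDP matched by one entry
object-group protocol TCP-UDP-ONLY
 protocol-object tcp
 protocol-object udp

! 4. ICMP-type group: only echo and echo-reply
object-group icmp-type PING-ONLY
 icmp-object echo
 icmp-object echo-reply

! One ACE per group instead of one ACE per host/port/protocol combination
access-list LAN-OUT extended deny tcp any object-group DST-SERVERS object-group WEB-SERVICES
access-list LAN-OUT extended permit icmp any object-group DST-SERVERS object-group PING-ONLY
access-list LAN-OUT extended permit object-group TCP-UDP-ONLY any any
access-group LAN-OUT in interface inside

! Shows how the ASA expands each group into the individual ACEs it evaluates
show access-list LAN-OUT
```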

  2. ACL Object Groups – LAB

Okay, next we'll see the ASA ACL configuration with object groups. I have my ASA connecting to my inside interface, assuming this is my LAN, and Router One has one loopback, which is simulating my host in the LAN. Then I'm connecting Router Two, which is simulating my outside network. On Router Two I have created three loopback interfaces; the three loopbacks will simulate three servers. So let me quickly show you the basic setup I already did. On all the routers I have pre-configured loopbacks which are acting as my servers. And I have a default route, of course, to provide end-to-end reachability: on Router One as well as on Router Two I can see a default route.

And also on Router One I have one loopback interface which is simulating my local user network. Now, what we want is to configure an ACL with object groups where we deny. So assume these three servers are hosting three different services like HTTP, FTP and Telnet. Telnet is not a specific server service, but for testing purposes I'm using the Telnet option here; it can be any other service, maybe a TFTP server or any other service. Likewise, assume these are the three services we want to host and they are hosted on three different devices. My requirement concerns the user sitting in my LAN, where the default security level is 100. By default, the traffic is allowed from 100 to zero.

As per the default security policies, traffic is allowed, so what I want to do is deny the users accessing specific services. You can take the example either way, from the LAN to the Internet, or you can use a similar example, probably in the next labs later on, where you assume this is a DMZ and the user is sitting on the outside network and you want to allow the users to access it. But at this point I'm not using any DMZ zone here. So from inside to outside it is permitted by default, and we want to deny. If I go with the normal ACLs, I need to write too many entries, as I discussed in the previous sessions. So I don't want to write that many entries like I did here.

So I want to configure this using object groups. The first step is to create an object group. There are three servers, so we need to create one object-group network which matches the three servers, one, two, three, in one object group, and we can give it some name; I'm using the name host CCNP. Then we need to create another object group which matches the services, so we create an object-group service which matches the three services. As all three services are TCP-based, we can match them by using the TCP option. And then I'm saying: if the traffic is coming from any source, and any source means it can be from this source or any source coming from this side, and if it is destined to any one of the servers, that is my destination.

So this is my source, this is my destination, and if it is equal to any one of the services, I'm saying deny the traffic, and the rest of the traffic should be permitted. Then I'm applying it inbound on my inside interface. Configuration-wise, it's not a very lengthy configuration. So what I'll do is verify the configuration; we'll move to the ASA. I'm in my ASA command line and I already have some routes here to provide reachability. Make sure that from the ASA you have reachability to these three servers, which means I must have a static route for the 2.x network on the outside interface, as well as a static route for the 12.x network.

So route outside for the 12.x network; I'll just keep it a /8 subnet mask and then the next hop is the router. The next thing is to make sure we have reachability from here to the specific service. I'll go to Router One and try it. Also make sure you have enabled inspection. I must have reachability; if I'm not having reachability, most likely the ASA does not know the route, or maybe ICMP inspection is not enabled. So I'll try to telnet, let me try to telnet to two two. Yes, it's possible, which means we do have reachability. The only difference is that the inspection is not enabled, but we don't need it here for testing purposes. Normally you can telnet to any of the devices; by default you can also telnet to one one. Likewise, I can also telnet to two L zero, two one,

another loopback on the router. Now by default the traffic is permitted from the LAN to this one, but I want to deny it. For testing we use Telnet, because we don't have any HTTP or FTP services here. So the first step: go to the ASA and create the object groups. For the object-group commands you just need to remember the beginning of the command, object-group, and then you define what type of object group you want to create. Here we need two object groups: one is the network type, the other is the service type. For the first we say network and define the addresses. I'm using host CCNP, so I'll use the same name here, and then we define what the addresses are, these three addresses you want to match.

When you define the network object group, the network-object can be either a specific network or a specific host. In my case it is a specific host, so we say host two two, then 1011 and two one. Likewise we need to create another object group which matches the specific services. Here we say object-group and this time it's going to be service. We can give any name; I'm using service CCNP. If you are matching a combination of TCP and UDP we can use the tcp-udp option, or specific to TCP or UDP. In my case all three services I'm using match the TCP protocol. Then we say port-object; the command starts with port-object and then we can use either the eq operator or a range of port numbers to match.

In my case I'm going with the specific protocol names: eq http and also eq telnet. Once we've created the object groups, the next thing is to write the ACL: access-list, and we can give any name to the access list, let's say CCNP. In my case I want to deny if the traffic is TCP coming from any source. If it is going to any one of the destinations, the destination refers to my object group; instead of an address, I refer to the object group, and the name of the object group is host CCNP, which means it matches any one of these destinations. And then the next part refers to another object group, which is going to be my service CCNP. Okay? So I'm going to deny, and the rest of the traffic should be permitted.

So we need to make sure we also write permit ip any any to allow all the remaining traffic. Then we need to apply this inbound on the interface, because the traffic is going from inside to outside, so inbound on the inside interface: access-group CCNP in interface inside. Done. Now for testing: previously I was able to telnet from Router One to any of these, but now the Telnet should be denied, because we configured an ACL to deny the Telnet traffic. Of course HTTP and FTP are also denied, but we cannot test that. So I go to Router One; last time I tried to telnet it was working, but now if I try to telnet to the specific host it's denied, and even if I try to telnet to two two it's denied. But let's say I go to my Router Two and create another loopback, loopback three, let's say three one.

So I'm going to add 2312-552-5525, and then I'll try to telnet to the new loopback I just created. It should work, because we did not configure any statement here which matches twelve 00:13 one. So in future, if you want this to be denied as well, you just need to go and add it to the group here, and it will automatically be denied. Verification-wise, this is how we can do it. If you have any specific service, we can test it based on that, but Telnet or ICMP is the best option for testing. You can use different scenarios, like hosting this service in the DMZ, and you can also assume this is my outside network; by default the DMZ has a security level of 50 in our basic labs, and here it is going to be zero, so by default the traffic is not allowed and you may want to permit it. So you can try some examples with different combinations and different rules to see how it works.
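The lab described above, written out as an added ASA configuration that is not the instructor's own command transcript: the three server addresses, the next hop and the fourth loopback are values I constructed, so substitute the addresses from your own topology. It also shows, for comparison, the nine-plus-one entry ACL the lecture says you would need without object groups.

```cisco
! Added example reproducing the lab; all addresses are constructed placeholders.
! Static route so the ASA reaches the simulated servers on Router Two (assumed next hop 2.2.2.2)
route outside 12.0.0.0 255.0.0.0 2.2.2.2

! --- Without object groups: 3 servers x 3 services = 9 deny ACEs + 1 permit ---
access-list CCNP-PLAIN extended deny tcp any host 12.0.0.1 eq www
access-list CCNP-PLAIN extended deny tcp any host 12.0.0.1 eq ftp
access-list CCNP-PLAIN extended deny tcp any host 12.0.0.1 eq telnet
access-list CCNP-PLAIN extended deny tcp any host 12.0.1.1 eq www
access-list CCNP-PLAIN extended deny tcp any host 12.0.1.1 eq ftp
access-list CCNP-PLAIN extended deny tcp any host 12.0.1.1 eq telnet
access-list CCNP-PLAIN extended deny tcp any host 12.0.2.1 eq www
access-list CCNP-PLAIN extended deny tcp any host 12.0.2.1 eq ftp
access-list CCNP-PLAIN extended deny tcp any host 12.0.2.1 eq telnet
access-list CCNP-PLAIN extended permit ip any any

! --- With object groups: the same policy in two ACEs ---
object-group network HOST-CCNP
 network-object host 12.0.0.1
 network-object host 12.0.1.1
 network-object host 12.0.2.1
object-group service SERVICE-CCNP tcp
 port-object eq www
 port-object eq ftp
 port-object eq telnet
access-list CCNP extended deny tcp any object-group HOST-CCNP object-group SERVICE-CCNP
access-list CCNP extended permit ip any any
access-group CCNP in interface inside

! Verify: the deny ACE hit count increases when Router One telnets to a listed server
show access-list CCNP

! Adding a fourth server later: edit only the group, the ACL line is untouched
object-group network HOST-CCNP
 network-object host 12.0.3.1
```

Only one of CCNP-PLAIN or CCNP should be bound with access-group on the inside interface; the plain version is listed here just to make the entry count visible.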
