ACL object groups

I always thought that there was no need to restrict outbound sessions across a firewall in low-security environments. My last encounter with malware has taught me otherwise; sometimes we need to protect the rest of the Internet from our clumsiness (an infected PC that can open port 25 to any host on the Internet is a spam engine). OK, so I decided to install an inbound access-list on the inside interface of my SOHO router (inbound on the LAN-facing interface, so it filters what my hosts send toward the Internet) that will block all SMTP traffic not sent to a well-known SMTP server (and let the ISP's SMTP server deal with relay issues).

This is the point where my laziness kicked in: if I want to add another SMTP server in the future, I would rather not edit the ACL itself. I might also need to enter the SMTP server addresses in multiple ACLs, and it would be annoying if I added the server to one ACL but forgot all the other related ACLs (because, you know, we don't really need documentation). Fortunately, IOS release 12.4(20)T provides just the tool I need: ACL object groups. I can define a group of host addresses once and reference it as a single object in my ACL; the deny line (with logging) catches anything that tries to go around the ISP's server:

object-group network SMTP_Server
 description ISP SMTP server
 host 192.168.0.2
 host 172.16.2.3
!
ip access-list extended Inside
 permit tcp any object-group SMTP_Server eq smtp
 deny   tcp any any eq smtp log
 permit ip any any
!
interface Vlan1
 ip access-group Inside in

IOS implements network and service object groups. Network object groups can include hosts (host a.b.c.d), subnets (network address and mask) or address ranges. Service object groups define TCP, UDP or ICMP services (including all the ACL options like port ranges and ICMP types); a service object group replaces the protocol and port parameters of an ACL entry, and a network object group replaces the source or destination address. You can also nest object groups with the group-object keyword and thus define new groups as unions of already defined groups. Changing the group membership changes every ACL that references the group, which is exactly what I wanted; use show object-group to verify what a group currently contains.
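As an added example (not taken from the original post), here is a fuller configuration that exercises what the paragraph above describes: a network group with a subnet and an address range, a nested network group that is the union of two other groups, and a service group that replaces the protocol and port parameters in the ACL. All addresses and group names are assumed for the sake of the example.

```cisco
! Network object group: individual hosts (ISP mail servers, assumed addresses)
object-group network ISP_Servers
 description ISP SMTP servers (example addresses)
 host 192.168.0.2
 host 172.16.2.3
!
! Network object group: a subnet (address + mask) and an address range
object-group network Corporate_Relays
 description Internal mail relays reachable over the VPN (example addresses)
 10.1.1.0 255.255.255.0
 range 10.2.2.10 10.2.2.20
!
! Nested group: the union of the two groups above.
! Referenced groups must already exist; naming them so they sort
! alphabetically ahead of this group keeps the saved config loadable.
object-group network SMTP_Servers
 description All mail servers my hosts may talk to
 group-object ISP_Servers
 group-object Corporate_Relays
!
! Service object group: SMTP plus the submission and SMTPS ports
object-group service Mail_Submission
 description TCP ports used to hand mail to a server
 tcp eq smtp
 tcp eq 587
 tcp eq 465
!
! The service group stands in for "tcp ... eq <port>", the network
! group for the destination address. Anything else on those ports
! is dropped and logged; all other traffic is allowed.
ip access-list extended Inside
 permit object-group Mail_Submission any object-group SMTP_Servers
 deny   object-group Mail_Submission any any log
 permit ip any any
!
interface Vlan1
 ip access-group Inside in
```

Adding a server later is a one-line change inside the relevant object-group; the ACL and every other ACL referencing the group pick it up automatically. show object-group lists the current membership, and show ip access-lists Inside shows the hit counts on the deny line, which is where an infected host first shows up.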

5 comments:

  1. This is great. It's nice to see useful things from the PIX world making their way into IOS. This feature saved me a lot of time when I was administering PIX boxes.

    gary

  2. Object groups are nice; however, they do not work if you use an object-group ACL with "line vty access-class in" or with the self zone in zone-based firewalls.

    IOS 12.4(22)T

  3. One more thing about object groups: they are saved in the config file in alphabetical order. This creates some problems when you use nested object groups. Let me explain:

    first, you create an object group called BBB

    object-group network BBB
    host 1.2.3.4

    then you create another object group called AAA, that contains reference to BBB

    object-group network AAA
    group-object BBB

    This works OK; however, after you save the configuration, you will notice that the AAA object group appears first in the configuration file, like this:

    object-group network AAA
    group-object BBB

    object-group network BBB
    host 1.2.3.4


    This is wrong, because during a router reboot the object group AAA will be defined before object group BBB, so you will get some errors on the console and your config will not work as expected...

  4. Then maybe you want to prefix the object-group name with a number, like 1_bbb, 2_aaa.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.