PIX - Object Groups
Standard ACLs are fine for a few hosts and services, but in a large deployment the number of ACL entries grows multiplicatively: permitting each of M services to each of N servers takes M x N lines, and every new server or service means touching all of them.
Object grouping lets a single ACL line reference a named group of hosts, protocols, services or ICMP types. The configuration stays short and readable, and the PIX expands the groups into the individual entries internally.
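To see why one grouped ACL line is worth many plain ones, the following Python script (an added example for these notes, not Cisco code) parses a constructed configuration written in the command syntax used on this page, including nested groups, and expands its single access-list line into the individual entries the PIX evaluates, much as show access-list displays them. It also rejects a nested group of a different type, which the PIX refuses as well. Group names, addresses and the configuration text are made up for the example.

```python
"""Expand PIX object-group ACLs into the individual ACEs they stand for.

Added example, not PIX code: it mirrors what `show access-list` prints,
where every object-group reference is replaced by its members, so one
configured line fans out into sources x destinations x ports entries.
Only the command forms used on this page are parsed.
"""
from itertools import product

# Constructed sample configuration, not taken from a real firewall.
SAMPLE_CONFIG = """
object-group network INSIDE_SALES
 network-object 10.0.1.0 255.255.255.0
object-group network INSIDE_DEV
 network-object 10.0.2.0 255.255.255.0
object-group network INSIDE_NETS
 group-object INSIDE_SALES
 group-object INSIDE_DEV
object-group network DMZ_SERVERS
 network-object host 10.0.0.2
 network-object host 10.0.0.3
object-group service DMZ_SERVICES tcp-udp
 port-object eq http
 port-object eq https
access-list INSIDE permit tcp object-group INSIDE_NETS object-group DMZ_SERVERS object-group DMZ_SERVICES
"""

MEMBER_KEYWORDS = ("network-object", "port-object", "protocol-object", "icmp-object")


def parse_config(text):
    """Return ({name: (type, members)}, [access-list lines]); a member is the
    text after its keyword, or ("group", child) for a nested group."""
    groups, acls, current = {}, [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "object-group":               # object-group <type> <name> [...]
            current = tok[2]
            groups[current] = (tok[1], [])
        elif tok[0] in MEMBER_KEYWORDS and current:
            groups[current][1].append(" ".join(tok[1:]))
        elif tok[0] == "group-object" and current:
            groups[current][1].append(("group", tok[1]))
        elif tok[0] == "access-list":
            acls.append(raw.strip())
    return groups, acls


def flatten(name, groups, expected_type, seen=()):
    """Resolve nested groups to leaf members; reject mixed types and loops."""
    if name in seen:
        raise ValueError(f"nesting loop through {name}")
    gtype, members = groups[name]
    if gtype != expected_type:
        raise ValueError(f"{name} is a {gtype} group, expected {expected_type}")
    leaves = []
    for member in members:
        if isinstance(member, tuple):
            leaves.extend(flatten(member[1], groups, expected_type, seen + (name,)))
        else:
            leaves.append(member)
    return leaves


def _address_spec(tok, i, groups):
    """Consume one source/destination spec at tok[i]; return (members, next_i)."""
    if tok[i] == "any":
        return ["any"], i + 1
    if tok[i] == "host":
        return [f"host {tok[i + 1]}"], i + 2
    if tok[i] == "object-group":
        return flatten(tok[i + 1], groups, "network"), i + 2
    return [f"{tok[i]} {tok[i + 1]}"], i + 2       # address mask


def expand_acl(line, groups):
    """Expand one line (access-list name action proto src dst [port]) into
    the ACEs the PIX actually evaluates."""
    tok = line.split()
    name, action, proto = tok[1], tok[2], tok[3]
    srcs, i = _address_spec(tok, 4, groups)
    dsts, i = _address_spec(tok, i, groups)
    ports = [""]
    if i < len(tok) and tok[i] == "object-group":  # service or icmp-type group
        gtype = groups[tok[i + 1]][0]
        if gtype not in ("service", "icmp-type"):
            raise ValueError(f"{tok[i + 1]} cannot be used in the port position")
        ports = flatten(tok[i + 1], groups, gtype)
    elif i < len(tok):
        ports = [" ".join(tok[i:])]                # e.g. "eq 80" or "echo"
    return [f"access-list {name} {action} {proto} {s} {d} {p}".strip()
            for s, d, p in product(srcs, dsts, ports)]


def expansion_report(text):
    """Return (number of configured ACL lines, list of expanded ACEs)."""
    groups, acls = parse_config(text)
    return len(acls), [ace for line in acls for ace in expand_acl(line, groups)]
```

Running expansion_report(SAMPLE_CONFIG) turns the one configured line into eight entries (2 source networks x 2 servers x 2 ports); with a fourth host or a third service the count jumps again while the configuration gains one member line. The same expansion is what the firewall evaluates, so grouping saves typing and mistakes, not lookup work.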
Grouping PIX objects
- Networks and Hosts
- Protocols
- Services
- ICMP
ICMP Types (icmp-object accepts either the name or the number)
- 0 : echo-reply
- 3 : destination-unreachable
- 4 : source-quench
- 5 : redirect
- 6 : alternate-address
- 8 : echo
- 9 : router-advertisement
- 10 : router-solicitation
- 11 : time-exceeded
- 12 : parameter-problem
- 13 : timestamp-request
- 14 : timestamp-reply
- 15 : information-request
- 16 : information-reply
- 17 : address-mask-request
- 18 : address-mask-reply
- 31 : conversion-error
- 32 : mobile-redirect
Configure object groups
object-group network DMZ_SERVERS
network-object host 10.0.0.2
network-object host 10.0.0.3
object-group service DMZ_SERVICES tcp-udp
port-object eq http
port-object eq https
object-group protocol ESP_PROTO
protocol-object 50
object-group icmp-type PING
icmp-object echo
icmp-object echo-reply
access-list OUTSIDE permit tcp any object-group DMZ_SERVERS object-group DMZ_SERVICES
Nested Object Groups
Object groups can be nested: a group may contain other groups (group-object), and the ACL references only the outer group. Every nested group must be of the same type as the group that contains it (network inside network, service inside service, and so on); the PIX rejects a mixed nesting.
object-group network INSIDE_SALES
network-object 10.0.1.0 255.255.255.0
object-group network INSIDE_DEV
network-object 10.0.2.0 255.255.255.0
object-group network INSIDE_NETS
group-object INSIDE_SALES
group-object INSIDE_DEV
Verify Object Groups
show object-group (all groups) or show object-group network (groups of one type only). To see what an ACL actually permits, show access-list lists each configured line expanded into the individual entries the groups generate, with hit counts.
show object-group
show object-group network
Filtering Java Applets and ActiveX Controls
Block inside hosts from downloading Java applets or ActiveX controls over port 80. The page itself still arrives: the PIX comments out the <applet> tags (filter java) or the <object> tags (filter activex) so the browser does not run the code. The syntax is filter {java | activex} port local_ip local_mask foreign_ip foreign_mask; all zeros means every inside host to every outside server. Caveat: a tag split across packets, or code in an object tag longer than the MTU, is not caught.
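What these two commands do to a page, as an added Python model (not PIX code; the function names, sample HTML and the all-zero placeholder classid are constructed for the example): the matched <applet> or <object> element is wrapped in an HTML comment so the rest of the page still renders. The per-segment variant applies the same rewrite to each segment separately, which is how a filter that does not reassemble the stream sees the data, and shows the documented limitation that an element split across packets is not blocked.

```python
"""Model of what PIX `filter java` / `filter activex` do to an HTTP response.

Added illustration, not PIX code. The firewall leaves the page intact and
comments out the <applet> and <object> elements so the browser never loads
the code. filter_segments() applies the rewrite per segment, as an inline
filter that does not reassemble the stream would, and so misses an
element whose opening and closing tags land in different segments.
"""
import re

# Opening tag through matching close tag, case-insensitive, newlines allowed.
APPLET_TAG = re.compile(r"<applet\b.*?</applet\s*>", re.I | re.S)
OBJECT_TAG = re.compile(r"<object\b.*?</object\s*>", re.I | re.S)

# Constructed sample page; the classid is an all-zero placeholder, not a real control.
SAMPLE_PAGE = (
    "<html><body>\n"
    "<p>Quarterly numbers</p>\n"
    '<applet code="Chart.class" width="300" height="200"></applet>\n'
    '<object classid="clsid:00000000-0000-0000-0000-000000000000">\n'
    '  <param name="src" value="control.cab">\n'
    "</object>\n"
    "</body></html>\n"
)


def comment_out(html, pattern):
    """Wrap every matched element in an HTML comment. A literal "--" inside
    the element is broken up so it cannot terminate the comment early."""
    def neutralise(match):
        body = match.group(0).replace("--", "- -")
        return f"<!-- {body} -->"
    return pattern.sub(neutralise, html)


def filter_java(html):
    """Equivalent of `filter java`: applets are commented out, text is kept."""
    return comment_out(html, APPLET_TAG)


def filter_activex(html):
    """Equivalent of `filter activex`: <object> elements are commented out."""
    return comment_out(html, OBJECT_TAG)


def filter_segments(segments, pattern):
    """Filter each segment on its own and rejoin them. An element whose
    opening and closing tags are in different segments is not matched."""
    return "".join(comment_out(seg, pattern) for seg in segments)


def split_inside(html, marker):
    """Cut the page into two segments at the first occurrence of marker,
    simulating a tag that straddles a packet boundary."""
    k = html.index(marker)
    return [html[:k], html[k:]]
```

filter_java(SAMPLE_PAGE) keeps the paragraph and neutralises only the applet; filter_segments(split_inside(SAMPLE_PAGE, 'width="300"'), APPLET_TAG) returns the page unchanged, because neither segment contains a complete applet element. That is the limitation Cisco documents for these commands, and the reason they are a convenience control rather than a security boundary.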
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
URL Filtering Services
Supports Websense or N2H2 (N2H2 filters HTTP only; HTTPS and FTP filtering need a Websense server).
The allow keyword lets traffic through if the URL filter server is unavailable. Without it the PIX drops the matching traffic when no server answers (fail closed); with it the filter is fail open, so an outage of the Websense host, or a denial of service against it, silently disables filtering. Pick the behaviour deliberately.
url-server (inside) vendor websense host 172.16.10.13 protocol tcp
filter url http 0 0 0 0 allow
filter https 443 0 0 0 0 allow
filter ftp 21 0 0 0 0 allow