amao314688 posted on 2013-4-28 11:45:54

Practical use of the object-group command on a firewall

This post was last edited by amao314688 on 2013-4-28 11:51

Using object-group greatly reduces the amount of configuration work; it is very practical.
Configuration on the firewall:
object-group service gjlyd tcp
description used for hai nai guo ji lv you daoserver
port-object eq 445
port-object eq ftp
port-object eq 3389
port-object eq www
port-object eq 8080
port-object eq 1433
object-group network gjlydser
network-object host 10.9.2.66
network-object host 10.9.2.67
network-object host 10.9.2.68
access-list inside permit tcp host 10.2.57.67 object-group gjlydser object-group gjlyd
access-list inside permit tcp host 10.2.57.151 object-group gjlydser object-group gjlyd

Output (very satisfying to look at):

access-list inside line 494 permit tcp host 10.2.57.67 object-group gjlydser object-group gjlyd
access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.66 eq 445 (hitcnt=0)
access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.66 eq ftp (hitcnt=0)
access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.66 eq 3389 (hitcnt=0)
access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.66 eq www (hitcnt=0)
access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.66 eq 8080 (hitcnt=0)
access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.66 eq 1433 (hitcnt=0)
access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.67 eq 445 (hitcnt=0)
access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.67 eq ftp (hitcnt=0)
access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.67 eq 3389 (hitcnt=0)
access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.67 eq www (hitcnt=0)
access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.67 eq 8080 (hitcnt=0)
access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.67 eq 1433 (hitcnt=0)
access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.68 eq 445 (hitcnt=0)
access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.68 eq ftp (hitcnt=0)
access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.68 eq 3389 (hitcnt=0)
access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.68 eq www (hitcnt=0)
access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.68 eq 8080 (hitcnt=0)
access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.68 eq 1433 (hitcnt=0)
access-list inside line 495 permit tcp host 10.2.57.151 object-group gjlydser object-group gjlyd
access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.66 eq 445 (hitcnt=0)
access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.66 eq ftp (hitcnt=0)
access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.66 eq 3389 (hitcnt=0)
access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.66 eq www (hitcnt=0)
access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.66 eq 8080 (hitcnt=0)
access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.66 eq 1433 (hitcnt=0)
access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.67 eq 445 (hitcnt=0)
access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.67 eq ftp (hitcnt=0)
access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.67 eq 3389 (hitcnt=0)
access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.67 eq www (hitcnt=0)
access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.67 eq 8080 (hitcnt=0)
access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.67 eq 1433 (hitcnt=0)
access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.68 eq 445 (hitcnt=0)
access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.68 eq ftp (hitcnt=0)
access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.68 eq 3389 (hitcnt=0)
access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.68 eq www (hitcnt=0)
access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.68 eq 8080 (hitcnt=0)
access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.68 eq 1433 (hitcnt=0)


Reference: http://blog.sina.com.cn/s/blog_59879e3a0100o5w1.html

Object-Group   An ASA object group lets you organise objects that share the same characteristics, which reduces the number of ACE entries, so there is less configuration and it is easier to manage.

Object groups can be thought of as a type of macro used within access lists. You can define several different types of object groups, each containing a list of similar values, as follows: (the object group types are:)
Network object group: contains one or more IP addresses
ICMP object group: contains one or more ICMP types
Protocol object group: contains one or more IP protocols
Service object group: contains one or more UDP or TCP port numbers

Once an object group has been created, it can be referenced in a single ACE, which collapses the ACE entries down to one; you can also nest one object group inside another object group.

Syntax:

object-group {{protocol | network | icmp-type} grp_id | service grp_id {tcp | udp | tcp-udp}}
object-group —— defines an object group
protocol —— specifies an IP protocol (protocol number 1 to 254) or a name identifier such as TCP, UDP, ICMP, GRE and IGMP; to include all IP protocols, use the keyword IP
network —— specifies a host, subnet or network address;
icmp-type —— specifies an ICMP type, such as echo, echo-reply and traceroute;

grp_id —— specifies the Layer 4 TCP and UDP protocol port numbers;
tcp —— specifies a group of TCP services, such as HTTP, FTP, Telnet and SMTP
udp —— specifies a group of UDP services, such as DNS, TFTP and ISAKMP
tcp-udp —— specifies a group of services that use both TCP and UDP, such as DNS and Kerberos

Example:
Firewall(config)# access-list anti_spoof deny ip 10.0.0.0 255.0.0.0 any
Firewall(config)# access-list anti_spoof deny ip 172.16.0.0 255.240.0.0 any
Firewall(config)# access-list anti_spoof deny ip 192.168.0.0 255.255.0.0 any
This could also be configured by referencing a network object group, which would simplify the access list:
Firewall(config)# object-group network rfc1918
Firewall(config-network)# network-object 10.0.0.0 255.0.0.0
Firewall(config-network)# network-object 172.16.0.0 255.240.0.0
Firewall(config-network)# network-object 192.168.0.0 255.255.0.0
Firewall(config-network)# exit
Firewall(config)# access-list anti_spoof deny ip object-group rfc1918 any
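The `show access-list` output above is the point of the post: two object-group ACEs silently expand into 36 concrete permit rules (2 sources x 3 hosts x 6 ports), and the reference section adds that groups can nest. When auditing a firewall it helps to reproduce that expansion offline, so that a reviewer sees every host/port pair an object-group line actually permits before it is deployed. The script below is an added example and is not code from the post or from Cisco; it parses the subset of ASA syntax shown on this page (network-object host/subnet, port-object eq, group-object nesting, access-list with host/any/object-group operands), and the sample config embedded in it is constructed to mirror the post's groups and ACEs. It goes slightly beyond the page by resolving nested group-object references and rejecting cycles; the ASA itself remains the authority on how it orders the expanded entries.

```python
"""Expand Cisco ASA object-group based ACEs into the flat entry list that
`show access-list` prints. Added example, not code from the forum post;
it handles only the syntax subset shown on the page plus nested
group-object references."""
import re
from itertools import product

# Constructed sample config mirroring the post's object-groups and ACEs.
SAMPLE_CONFIG = """\
object-group service gjlyd tcp
 description used for hai nai guo ji lv you daoserver
 port-object eq 445
 port-object eq ftp
 port-object eq 3389
 port-object eq www
 port-object eq 8080
 port-object eq 1433
object-group network gjlydser
 network-object host 10.9.2.66
 network-object host 10.9.2.67
 network-object host 10.9.2.68
access-list inside permit tcp host 10.2.57.67 object-group gjlydser object-group gjlyd
access-list inside permit tcp host 10.2.57.151 object-group gjlydser object-group gjlyd
"""


def parse_config(config):
    """Return (groups, aces). groups maps name -> (kind, members); a member is a
    leaf string ('host 10.9.2.66', '10.0.0.0 255.0.0.0', 'eq 445') or the tuple
    ('group', name) for a nested group-object. aces is the list of ACE lines."""
    groups, aces, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object-group (network|service|protocol|icmp-type) (\S+)", line)
        if m:
            current = m.group(2)
            groups[current] = (m.group(1), [])
        elif line.startswith(("network-object ", "port-object ")) and current:
            groups[current][1].append(line.split(" ", 1)[1])
        elif line.startswith("group-object ") and current:
            groups[current][1].append(("group", line.split()[1]))
        elif line.startswith("access-list "):
            current = None
            aces.append(line)
        # description lines and blanks carry nothing for the expansion
    return groups, aces


def expand_group(groups, name, seen=()):
    """Flatten a group to its leaf members, following nested group-object
    references and refusing cyclic ones (the ASA would not accept them either)."""
    if name in seen:
        raise ValueError(f"cyclic group-object reference: {name}")
    if name not in groups:
        raise KeyError(f"undefined object-group: {name}")
    _kind, members = groups[name]
    leaves = []
    for member in members:
        if isinstance(member, tuple):
            leaves.extend(expand_group(groups, member[1], seen + (name,)))
        else:
            leaves.append(member)
    return leaves


def _operand(groups, tokens, i):
    """Consume one ACE operand starting at tokens[i]; return (alternatives, next_i)."""
    t = tokens[i]
    if t == "object-group":
        return expand_group(groups, tokens[i + 1]), i + 2
    if t == "any":
        return ["any"], i + 1
    # 'host A.B.C.D', 'eq PORT' and 'ADDR MASK' all take exactly two tokens
    return [f"{t} {tokens[i + 1]}"], i + 2


def expand_ace(groups, ace):
    """Cartesian product of every operand's alternatives: each object-group
    reference multiplies the number of concrete entries, exactly as the
    hitcnt lines in `show access-list` reveal."""
    tokens = ace.split()
    head, i, operands = " ".join(tokens[:4]), 4, []  # 'access-list NAME ACTION PROTO'
    while i < len(tokens):
        alts, i = _operand(groups, tokens, i)
        operands.append(alts)
    return [f"{head} {' '.join(combo)}" for combo in product(*operands)]


def expand_acl(config):
    """Parse a config fragment and return every concrete ACE it permits/denies."""
    groups, aces = parse_config(config)
    flat = []
    for ace in aces:
        flat.extend(expand_ace(groups, ace))
    return flat


if __name__ == "__main__":
    for entry in expand_acl(SAMPLE_CONFIG):
        print(entry)
```

Run it on a saved `show running-config` fragment and compare the line count with what the change request claimed; an object-group that quietly gained a member later shows up here as extra expanded rules long before the hit counters do.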





庄歪 posted on 2013-5-23 16:03:48

Thanks for sharing
