ASA object groups collect objects that share the same attributes, which cuts the number of ACEs that have to be written, shrinks the configuration and makes it easier to manage.
Object groups can be thought of as a type of macro used within access lists. You can define several different types of object groups, each containing a list of similar values, as follows:
Network object group: contains one or more IP addresses
ICMP object group: contains one or more ICMP types
Protocol object group: contains one or more IP protocols
Service object group: contains one or more UDP or TCP port numbers
Once an object group has been created it can be referenced from a single ACE, so a rule that previously needed one entry per address or port needs only one; an object group can also be nested inside another object group (with the group-object command). Note that the firewall still expands the group into individual ACEs internally, and show access-list displays those expanded entries with their hit counts, so the saving is in configuration size and manageability, not in the number of entries the firewall evaluates.
Syntax:
object-group {{protocol | network | icmp-type} grp_id | service grp_id {tcp | udp | tcp-udp}}
object-group: defines an object group
protocol: specifies IP protocols, by number (1 to 254) or by name, such as tcp, udp, icmp, gre and igmp; to include all IP protocols, use the keyword ip
network: specifies host, subnet or network addresses
icmp-type: specifies ICMP message types, such as echo, echo-reply and traceroute
grp_id: the name that identifies the object group; it is the name used to reference the group from an ACE or from another group
service: specifies a group of Layer 4 TCP and/or UDP port numbers; the keyword that follows grp_id (tcp, udp or tcp-udp) sets which transport protocol the ports apply to
tcp: a group of TCP services, such as HTTP, FTP, Telnet and SMTP
udp: a group of UDP services, such as DNS, TFTP and ISAKMP
tcp-udp: a group of services that use both TCP and UDP, such as DNS and Kerberos
Example:
Firewall(config)# access-list anti_spoof deny ip 10.0.0.0 255.0.0.0 any
Firewall(config)# access-list anti_spoof deny ip 172.16.0.0 255.240.0.0 any
Firewall(config)# access-list anti_spoof deny ip 192.168.0.0 255.255.0.0 any
This could also be configured by referencing a network object group, which would simplify the access list:
Firewall(config)# object-group network rfc1918
Firewall(config-network)# network-object 10.0.0.0 255.0.0.0
Firewall(config-network)# network-object 172.16.0.0 255.240.0.0
Firewall(config-network)# network-object 192.168.0.0 255.255.0.0
Firewall(config-network)# exit
Firewall(config)# access-list anti_spoof deny ip object-group rfc1918 any
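Because an object group is a macro, the firewall turns an ACE that references one back into the individual entries it stands for. The following Python script is an added example (my own code, not from the handbook or from Cisco) that does that expansion offline: it parses object-group definitions and access-list lines, flattens nested group-object members recursively, and emits one ACE per combination of members, so you can see how many entries a single object-group ACE really represents. The configuration text embedded in it is constructed for this example and the group names (dmz_web, all_private, web_ports) are made up; only the classic member keywords are handled.

```python
"""Expand Cisco ASA/PIX object-group references into the flat ACEs they stand for.

Added example; not code from the handbook or from Cisco.  Object groups are
treated as macros substituted into an ACE, with nested groups (group-object)
flattened recursively.  The config text below is constructed for this example
and its object names are made up.  Only classic member keywords are handled
(network-object host/subnet, port-object, protocol-object, icmp-object,
group-object); newer "network-object object NAME" references are not.
"""
import re
from itertools import product

SAMPLE_CONFIG = """\
object-group network rfc1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network dmz_web
 network-object host 203.0.113.10
 network-object host 203.0.113.11
object-group network all_private
 group-object rfc1918
 group-object dmz_web
object-group service web_ports tcp
 port-object eq 80
 port-object eq 443
access-list anti_spoof deny ip object-group rfc1918 any
access-list outside_in permit tcp any object-group dmz_web object-group web_ports
"""

HEADER = re.compile(
    r"object-group (network|service|protocol|icmp-type) (\S+)(?: (tcp|udp|tcp-udp))?$"
)
MEMBER_KEYWORDS = {"network-object", "port-object", "protocol-object", "icmp-object"}


def parse_config(text):
    """Return (groups, aces): groups maps group name -> list of member lines."""
    groups, aces, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            current = groups.setdefault(header.group(2), [])
        elif line.startswith("access-list "):
            current = None
            aces.append(line)
        elif current is None:
            raise ValueError("member line outside an object-group: " + line)
        else:
            current.append(line)
    return groups, aces


def expand_group(name, groups, seen=()):
    """Flatten one group (and any nested group-object members) into ACE tokens."""
    if name in seen:
        raise ValueError("circular group-object reference through " + name)
    if name not in groups:
        raise KeyError("undefined object-group " + name)
    out = []
    for member in groups[name]:
        keyword, _, rest = member.partition(" ")
        if keyword == "group-object":
            out.extend(expand_group(rest, groups, seen + (name,)))
        elif keyword in MEMBER_KEYWORDS:
            # e.g. "host 203.0.113.10", "10.0.0.0 255.0.0.0", "eq 80"
            out.append(rest)
        else:
            raise ValueError("unsupported member: " + member)
    return out


def expand_ace(ace, groups):
    """Replace each 'object-group NAME' with its members; one ACE per combination."""
    tokens, slots, i = ace.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "object-group":
            slots.append(expand_group(tokens[i + 1], groups))
            i += 2
        else:
            slots.append([tokens[i]])
            i += 1
    return [" ".join(combo) for combo in product(*slots)]


def expand_acl(text):
    """Expand every access-list line in a config snippet; returns the flat ACE list."""
    groups, aces = parse_config(text)
    return [flat for ace in aces for flat in expand_ace(ace, groups)]


if __name__ == "__main__":
    for entry in expand_acl(SAMPLE_CONFIG):
        print(entry)
```

Run as a script it prints the seven expanded entries behind the two object-group ACEs: the three anti_spoof lines from the handbook example, plus two hosts times two ports for outside_in. The circular-reference check matters in practice: a group that (through nesting) contains itself would otherwise expand forever.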
For details, see "Cisco - Cisco ASA and PIX Firewall Handbook (2005).chm", section 6-3. Controlling Access with Access Lists.