13-18
Cisco Security Appliance Command Line Configuration Guide
OL-6721-01
Chapter 13 Identifying Traffic with Access Lists
 Simplifying Access Lists with Object Grouping
You then nest all three groups together as follows:
hostname(config)# object-group network admin
hostname(config-network)# group-object eng
hostname(config-network)# group-object hr
hostname(config-network)# group-object finance
You only need to specify the admin object group in your ACE as follows:
hostname(config)# access-list ACL_IN extended permit ip object-group admin host 209.165.201.29
Using Object Groups with an Access List
To use object groups in an access list, replace the normal protocol (protocol), network 
(source_address mask, etc.), service (operator port), or ICMP type (icmp_type) parameter with 
the object-group grp_id parameter.
For example, to use object groups for all available parameters in the access-list {tcp | udp} command, 
enter the following command:
hostname(config)# access-list access_list_name [line line_number] [extended] {deny | permit} 
{tcp | udp} object-group nw_grp_id [object-group svc_grp_id] object-group nw_grp_id 
[object-group svc_grp_id] [log [[level] [interval secs] | disable | default]] 
[inactive | time-range time_range_name]
You do not have to use object groups for all parameters; for example, you can use an object group for 
the source address, but identify the destination address with an address and mask.
The following normal access list that does not use object groups restricts several hosts on the inside 
network from accessing several web servers. All other traffic is allowed.
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.29 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.29 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.29 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.16 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.16 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.16 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.78 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.78 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.78 eq www
hostname(config)# access-list ACL_IN extended permit ip any any
hostname(config)# access-group ACL_IN in interface inside
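An object-group ACE is only a shorthand for the flat ACEs it expands to, so before replacing a long flat list like the one above with grouped entries it is worth confirming that the grouped form matches exactly the same source/destination/port combinations and no others (an over-broad group silently widens a deny, or worse, a permit). The following Python script is an added example and is not code from the Cisco guide; it models only the syntax this page discusses (network groups of host entries, nested group-object references as in the admin group above, and service groups of eq entries), expands one object-group ACE into flat ACEs, and checks the result against the nine deny ACEs shown. The member hosts for the eng, hr and finance groups are constructed placeholders; the page does not list them.

```python
"""Flatten Cisco-style object groups into individual ACEs (added example, not
from the Cisco guide). Only the subset of syntax on this page is modelled:
network groups of 'host A.B.C.D' members or nested 'group-object NAME'
references, and service groups of 'eq PORT' members."""
from itertools import product
from typing import Dict, List, Optional, Set


class ObjectGroups:
    """Named network and service object groups; network groups may nest."""

    def __init__(self) -> None:
        self.network: Dict[str, List[str]] = {}
        self.service: Dict[str, List[str]] = {}

    def network_group(self, name: str, members: List[str]) -> None:
        self.network[name] = list(members)

    def service_group(self, name: str, members: List[str]) -> None:
        self.service[name] = list(members)

    def resolve(self, table: Dict[str, List[str]], name: str,
                seen: Optional[Set[str]] = None) -> List[str]:
        """Return the leaf members of a group, following nested references.
        A group that references itself (directly or indirectly) is an error."""
        seen = seen or set()
        if name in seen:
            raise ValueError(f"cyclic object-group reference: {name}")
        if name not in table:
            raise KeyError(f"undefined object-group: {name}")
        leaves: List[str] = []
        for member in table[name]:
            if member.startswith("group-object "):
                child = member.split(maxsplit=1)[1]
                leaves.extend(self.resolve(table, child, seen | {name}))
            else:
                leaves.append(member)
        return leaves


def expand_ace(groups: ObjectGroups, acl: str, action: str, proto: str,
               src: str, dst: str, svc: Optional[str] = None) -> List[str]:
    """Expand one extended ACE into the flat ACEs it stands for.
    src/dst are 'host A.B.C.D', 'any', or 'object-group NAME'; svc is
    None, 'eq PORT', or 'object-group NAME'."""
    def nets(spec: str) -> List[str]:
        if spec.startswith("object-group "):
            return groups.resolve(groups.network, spec.split(maxsplit=1)[1])
        return [spec]

    def ports(spec: Optional[str]) -> List[str]:
        if spec is None:
            return [""]
        if spec.startswith("object-group "):
            return groups.resolve(groups.service, spec.split(maxsplit=1)[1])
        return [spec]

    flat: List[str] = []
    for s, d, p in product(nets(src), nets(dst), ports(svc)):
        line = f"access-list {acl} extended {action} {proto} {s} {d}"
        flat.append(line + (f" {p}" if p else ""))
    return flat


# The nine deny ACEs from the page's flat ACL, in the page's order.
FLAT_ACL = [
    f"access-list ACL_IN extended deny tcp host {s} host {d} eq www"
    for d in ("209.165.201.29", "209.165.201.16", "209.165.201.78")
    for s in ("10.1.1.4", "10.1.1.78", "10.1.1.89")
]


def page_example_matches() -> bool:
    """Build object groups for the page's flat ACL and confirm that a single
    object-group ACE expands to exactly those ACEs (group names are ours)."""
    g = ObjectGroups()
    g.network_group("denied_hosts",
                    ["host 10.1.1.4", "host 10.1.1.78", "host 10.1.1.89"])
    g.network_group("web_servers", ["host 209.165.201.29",
                                    "host 209.165.201.16", "host 209.165.201.78"])
    g.service_group("web", ["eq www"])
    expanded = expand_ace(g, "ACL_IN", "deny", "tcp", "object-group denied_hosts",
                          "object-group web_servers", "object-group web")
    return sorted(expanded) == sorted(FLAT_ACL)


def nested_admin_hosts() -> List[str]:
    """Resolve the page's nested admin group (eng, hr, finance). The member
    hosts are constructed placeholders; the page does not list them."""
    g = ObjectGroups()
    g.network_group("eng", ["host 10.1.1.5"])
    g.network_group("hr", ["host 10.1.2.8"])
    g.network_group("finance", ["host 10.1.4.89"])
    g.network_group("admin", ["group-object eng", "group-object hr",
                              "group-object finance"])
    return g.resolve(g.network, "admin")


if __name__ == "__main__":
    print("grouped ACE equivalent to flat ACL:", page_example_matches())
    print("admin resolves to:", nested_admin_hosts())
```

Run it as-is to see the equivalence check for the page's ACL; to audit a real configuration, load your own object-group definitions into ObjectGroups and diff the output of expand_ace against the flat ACEs you intend to retire. Cyclic group-object references are rejected rather than followed, so a mis-nested group fails loudly instead of expanding to something unexpected.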