
Working with Nesting Type

When nesting object groups, several child object groups are defined first and then referenced from a parent object group. The parent object group is a collection of child object groups, and it is the parent that is referenced in the access list.

Nesting type of object groups:

FWSM(config)# object-group network deptA
FWSM(config-network)# network-object host 10.11.1.15
FWSM(config-network)# network-object host 10.11.1.19
FWSM(config-network)# object-group network deptB
FWSM(config-network)# network-object host 10.12.1.8
FWSM(config-network)# network-object host 10.12.1.2
FWSM(config-network)# object-group network deptC
FWSM(config-network)# network-object host 10.13.1.3
FWSM(config)# object-group network USERS
FWSM(config-network)# group-object deptA
FWSM(config-network)# group-object deptB
FWSM(config-network)# group-object deptC

Object group definition in ACE:

FWSM(config)# access-list ACL_IN extended permit ip object-group USERS host 1
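The following Python script is an added example (not the book's code): it parses the nesting shown above, flattens USERS back to its hosts, and expands the ACE that references the group into the per-host ACEs the FWSM programs, which is where the ACE resource cost of object grouping comes from. The ACE's destination host is assumed to be 192.0.2.10, because the page truncates it.

```python
import re
# Constructed input mirroring the page's nesting example. The page truncates the
# destination host in the ACE, so a documentation address (192.0.2.10) is assumed.
CONFIG = """object-group network deptA
 network-object host 10.11.1.15
 network-object host 10.11.1.19
object-group network deptB
 network-object host 10.12.1.8
 network-object host 10.12.1.2
object-group network deptC
 network-object host 10.13.1.3
object-group network USERS
 group-object deptA
 group-object deptB
 group-object deptC
"""
ACE = "access-list ACL_IN extended permit ip object-group USERS host 192.0.2.10"

def parse_groups(config):
    """Return {group: [members]}; a member is ('host', ip) or ('group', name)."""
    groups, current = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "network"]:
            current = tok[2]
            groups[current] = []
        elif tok[:2] == ["network-object", "host"] and current:
            groups[current].append(("host", tok[2]))
        elif tok[:1] == ["group-object"] and current:
            groups[current].append(("group", tok[1]))
    return groups

def flatten(groups, name, seen=frozenset()):
    """Resolve nested group-objects to an ordered host list; undefined or circular references raise."""
    if name in seen:
        raise ValueError(f"circular nesting at {name}")
    if name not in groups:
        raise ValueError(f"undefined object-group {name}")
    hosts = []
    for kind, val in groups[name]:
        hosts += flatten(groups, val, seen | {name}) if kind == "group" else [val]
    return hosts

def expand_ace(groups, ace):
    """Rewrite an ACE whose source is an object-group into the individual ACEs
    the FWSM programs in hardware, one per resolved host."""
    head, src_kw, src, dst = re.match(r"(.+ (?:permit|deny) \S+) (\S+) (\S+) (.+)", ace).groups()
    srcs = [f"host {h}" for h in flatten(groups, src)] if src_kw == "object-group" else [f"{src_kw} {src}"]
    return [f"{head} {s} {dst}" for s in srcs]
```

The length of the list returned by expand_ace is the number of ACEs the single object-group line consumes.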

Configuring Object Groups and Access Lists 131

Working with EtherType

In transparent mode, you can have EtherType classification grouped in an object group and referenced in an access list.

EtherType access list example:

FWSM(config)# access-list ETHER ethertype permit ipx
FWSM(config)# access-list ETHER ethertype permit bpdu
FWSM(config)# access-list ETHER ethertype permit mpls-unicast
FWSM(config)# access-list nonIP ethertype deny 1256 *

FWSM(config)# access-group ETHER in interface inside

* The EtherType access list denies EtherType 0x1256.
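To show how such a list is evaluated, here is an added Python example (not the book's code) that parses the EtherType access lists above and applies them to constructed Ethernet frames with first-match, implicit-deny semantics. It assumes the standard values for ipx (0x8137) and mpls-unicast (0x8847) and recognises BPDUs by the LLC SAP 0x42 of an 802.3 frame; the MAC addresses are placeholders.

```python
import struct

# The page's EtherType access lists, reproduced here as constructed input.
CONFIG = """access-list ETHER ethertype permit ipx
access-list ETHER ethertype permit bpdu
access-list ETHER ethertype permit mpls-unicast
access-list nonIP ethertype deny 1256
"""
NAMED = {"ipx": 0x8137, "mpls-unicast": 0x8847, "mpls-multicast": 0x8848}

def parse(config):
    """Group 'access-list NAME ethertype ACTION KEYWORD' lines into {name: [(action, keyword)]}."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) == 5 and tok[0] == "access-list" and tok[2] == "ethertype":
            acls.setdefault(tok[1], []).append((tok[3], tok[4]))
    return acls

def frame(type_or_len, payload=b""):
    """Constructed frame: placeholder MACs, then the 16-bit type/length field."""
    return bytes(12) + struct.pack("!H", type_or_len) + payload

def classify(f):
    """Return the Ethernet II EtherType, or 'bpdu' for an 802.3/LLC frame whose DSAP is 0x42."""
    tl = struct.unpack("!H", f[12:14])[0]
    if tl >= 0x0600:
        return tl
    return "bpdu" if len(f) > 14 and f[14] == 0x42 else "llc"

def matches(keyword, et):
    if keyword == "any":
        return True
    if keyword in NAMED:
        return NAMED[keyword] == et
    if keyword == "bpdu":
        return et == "bpdu"
    return isinstance(et, int) and int(keyword, 16) == et  # FWSM takes the hex value without 0x

def evaluate(acl, f):
    """First matching ACE decides; an EtherType ACL ends with an implicit deny.
    IP frames are governed by the extended access list and are not modelled here."""
    et = classify(f)
    for action, keyword in acl:
        if matches(keyword, et):
            return action
    return "deny"
```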

NOTE When allowing mpls-unicast through a transparent Layer 2 firewall on the policy feature card (PFC), one of the following commands must be enabled:

PFC(config)# mpls ldp router-id interface force

or

PFC(config)# tag-switching tdp router-id interface force

Traffic flow through an interface can be controlled with access lists in two directions: inbound control acts on traffic entering the interface, and outbound control acts on traffic leaving the interface toward the next-hop device. Which direction to use depends mainly on the security policy. If the policy can be satisfied with access lists in one direction on all interfaces, the other direction (inbound or outbound) can carry a permit ip any any statement. The following examples show inbound and outbound access lists.

In Example 8-1, the inbound access list permits everything with permit ip any any, while the outbound access list permits only the specific networks the security policy allows to traverse the firewall.

Example 8-1 Inbound Access List with permit ip any any

ContextA(config)# access-list IN extended permit ip any any
ContextA(config)# access-group IN in interface inside
ContextA(config)# access-group IN in interface outside

Example 8-2 shows the outbound access lists on the inside and outside interfaces, configured to implement the security policy (allowing only specific subnets).

The direction in which the specific permit statements are applied depends on the security zone. In Example 8-2, the access list is applied to the inside security zone, the most trusted domain among the interfaces: incoming traffic is trusted and any traffic is allowed to pass through, while the outbound traffic is restricted to specific entries.

On the outside interface, the inbound access list must be specific and granular, whereas the outbound access list on the outside interface can permit traffic to flow out. The access list and the direction in which it is applied depend on the security policy. Under no circumstances should the security policy rules in the access lists be compromised for the sake of optimization.

Example 8-2 Outbound Access List in the Inside and Outside Interfaces

ContextA(config)# access-list OUT-Inside extended permit tcp 10.1.1.1 0.0.0.255 any
ContextA(config)# access-group OUT-Inside in interface inside
ContextA(config)# access-list OUT-Outside extended permit tcp any host 201.1.1.1 eq www
ContextA(config)# access-group OUT-Outside in interface outside

Summary

This chapter covers the types of access lists. There are three main types of access lists in the FWSM: standard, extended, and EtherType. The access control entry (ACE) is the component in which an access list is defined in hardware, so understanding ACEs is important for resource management of access lists and rules. Object grouping helps define and structure the security policy into objects that can be reused across access lists. This makes the security policy in the firewall easier to understand and eases future integration of new policies or rules.
