object-group types:
- network (host IPs or subnets)
- service (tcp / udp ports)
- icmp
- protocol
object-group network Internet_Access_Hosts
network-object host 10.10.10.1
network-object host 10.10.10.2
network-object host 10.10.10.3
network-object host 10.10.10.4
object-group service Standard_Internet_Ports tcp-udp
port-object eq 80
port-object eq 443
port-object eq 53
port-object eq 25
port-object eq 110
(port-object needs the tcp / udp / tcp-udp qualifier on the object-group; use service-object instead when the group has no qualifier, as in the 8.2 example below)
access-list INSIDE_ACL permit tcp object-group Internet_Access_Hosts any object-group Standard_Internet_Ports
access-list INSIDE_ACL permit udp object-group Internet_Access_Hosts any object-group Standard_Internet_Ports
sh access-list INSIDE_ACL
============================================================
An example from 8.2 code:
object-group service DMZ_PORTS_ALLOWED_OUT
service-object tcp eq 80
service-object tcp eq 443
service-object tcp eq 22
service-object tcp eq 53
object-group network DMZ_HOSTS_ALLOWED_OUT
network-object 10.10.10.1 255.255.255.255
network-object 10.10.10.2 255.255.255.255
access-list DMZ_OUT extended permit object-group DMZ_PORTS_ALLOWED_OUT object-group DMZ_HOSTS_ALLOWED_OUT any
An example from a later code version (8.6):
object-group service DMZ_PORTS_ALLOWED_OUT tcp-udp
port-object eq www
port-object eq 443
port-object eq 22
port-object eq domain
object-group network DMZ_HOSTS_ALLOWED_OUT
network-object host 10.10.10.1
network-object host 10.10.10.2
access-list DMZ_OUT extended permit tcp object-group DMZ_HOSTS_ALLOWED_OUT any object-group DMZ_PORTS_ALLOWED_OUT
access-list DMZ_OUT extended permit udp object-group DMZ_HOSTS_ALLOWED_OUT any object-group DMZ_PORTS_ALLOWED_OUT
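As an added example (not part of the notes above), this Python script expands the 8.6-style object-group ACL into the explicit element list that sh access-list would show on the box, which is how you review what a compact object-group rule really permits. The sample config is constructed from the 8.6 example plus one subnet member, and the port-name table is an assumed subset.

```python
import re
from ipaddress import ip_network
# Constructed sample in the 8.6 syntax from the notes above, with one subnet
# member added to show the "A.B.C.D MASK" form beside "host".
SAMPLE = """
object-group service DMZ_PORTS_ALLOWED_OUT tcp-udp
 port-object eq www
 port-object eq 443
 port-object eq 22
 port-object eq domain
object-group network DMZ_HOSTS_ALLOWED_OUT
 network-object host 10.10.10.1
 network-object 10.10.10.0 255.255.255.0
access-list DMZ_OUT extended permit tcp object-group DMZ_HOSTS_ALLOWED_OUT any object-group DMZ_PORTS_ALLOWED_OUT
access-list DMZ_OUT extended permit udp object-group DMZ_HOSTS_ALLOWED_OUT any object-group DMZ_PORTS_ALLOWED_OUT
"""
# Assumed subset of the port names ASA displays in place of numbers.
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "domain": 53, "smtp": 25, "pop3": 110}
ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) object-group (\S+) any object-group (\S+)")

def parse_groups(text):
    """Return {group name: [member]}: networks as CIDR strings, ports as ints."""
    groups, current = {}, []
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0] == "object-group":
            current = groups.setdefault(parts[2], [])
        elif parts and parts[0] == "network-object":
            net = parts[2] if parts[1] == "host" else f"{parts[1]}/{parts[2]}"
            current.append(str(ip_network(net)))
        elif parts and parts[0] == "port-object" and parts[1] == "eq":
            current.append(int(PORT_NAMES.get(parts[2], parts[2])))
    return groups

def expand_acl(text):
    """Expand object-group ACEs into the explicit (acl, action, proto, src, dst, dport) elements."""
    groups = parse_groups(text)
    elements = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            acl, action, proto, src_grp, port_grp = m.groups()
            for src in groups[src_grp]:
                for port in groups[port_grp]:
                    elements.append((acl, action, proto, src, "any", port))
    return elements

if __name__ == "__main__":
    for element in expand_acl(SAMPLE):
        print(*element)
```

Two ACEs over two hosts and four ports expand to 16 elements, the same count sh access-list reports, so comparing the script's list with the box output is a quick way to confirm a group edit did what you intended.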