当前位置：首页 > article >正文

思科防火墙：ASA中Object-group在ACL中的应用

article 2024/10/8 12:56:56

一、实验拓扑：
6-思科防火墙：ASA中Object-group在ACL中的应用
二、实验要求：
先定义几个小的，然后用大的包在一起；打包在一起，这就是所谓的嵌套，嵌套在编程里是很长用的东西，叫做Object-group；
Object-group比较强大，可以调用普通的object；还可以在组里调用单独的网段、主机。
1、放行Outside（202.100.1.0/24）网络去往内部Inside服务器群：FTP/ESP/DNS/ICMP的流量；
2、比如Outside有4个源主机：202.100.1.1~202.100.1.4，3个目的地；
3、如果正常写ACL，需要一条一条的写，作用：节省很多命令；
4、定义源、目的、服务组；
5、对比show run access-list和show access-list的区别
三、命令部署：
1、定义源object network
ASA(config)# object network yuan1 //network这里其实就是主机的意思
ASA(config-network-object)# host 202.100.1.1

ASA(config-network-object)# object network yuan2
ASA(config-network-object)# subnet 202.100.1.0 255.255.255.0

ASA(config-network-object)# object network yuan3
ASA(config-network-object)# range 202.100.2.10 202.100.2.20

2、定义object-group，将上述打包在一起，还可以单独增加网段、主机：
打包：
ASA(config)# object-group network yuan
ASA(config-network-object-group)# network-object object yuan1
ASA(config-network-object-group)# network-object object yuan2
ASA(config-network-object-group)# network-object object yuan3
单独增加主机、网段：
ASA(config-network-object-group)# network-object 202.10.20.0 255.255.255.0 //单独增加网段
ASA(config-network-object-group)# network-object host 202.10.20.1 //单独增加主机

3、定义object-group network目的
ASA(config)# object-group network mude
ASA(config-network-object-group)# network-object host 10.1.1.1

4、定义object-group service ser：
ASA(config)# object-group service ser
ASA(config-service-object-group)# service-object esp
ASA(config-service-object-group)# service-object icmp
ASA(config-service-object-group)# service-object tcp destination eq ftp
ASA(config-service-object-group)# service-object udp destination eq domain

5、全局调用：
ASA(config)# access-list aa extended permit object-group ser object-group yuan object-group mude
四、验证：
ASA# show run object
object network yuan1
host 202.100.1.1
object network yuan2
subnet 202.100.1.0 255.255.255.0
object network yuan3
range 202.100.2.10 202.100.2.20

ASA# show run object-group
object-group network yuan
network-object object yuan1
network-object object yuan2
network-object object yuan3
network-object 202.10.20.0 255.255.255.0
network-object host 202.10.20.1

ASA# show run access-list //下边就1条
access-list aa extended permit object-group ser object-group yuan object-group mude

ASA# show access-list //下边一堆
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list aa; 32 elements; name hash: 0xdd1304fa
access-list aa line 1 extended permit object-group ser object-group yuan object-group mude 0x2c352a70
access-list aa line 1 extended permit esp host 202.100.1.1 host 10.1.1.1 (hitcnt=0) 0x77cb04ed
access-list aa line 1 extended permit esp 202.100.1.0 255.255.255.0 host 10.1.1.1 (hitcnt=0) 0x260a81b4
access-list aa line 1 extended permit esp 202.100.2.10 255.255.255.254 host 10.1.1.1 (hitcnt=0) 0xaddc4366
access-list aa line 1 extended permit esp 202.100.2.12 255.255.255.252 host 10.1.1.1 (hitcnt=0) 0xaf630f92
access-list aa line 1 extended permit esp 202.100.2.16 255.255.255.252 host 10.1.1.1 (hitcnt=0) 0xd0d3bdd7
access-list aa line 1 extended permit esp host 202.100.2.20 host 10.1.1.1 (hitcnt=0) 0xa8245911
access-list aa line 1 extended permit esp 202.10.20.0 255.255.255.0 host 10.1.1.1 (hitcnt=0) 0x67408de6

转载于:https://blog.51cto.com/13856092/2138581

查看全文

http://www.kler.cn/news/337420.html