Thursday, June 18, 2009

Object ACL


There are many types of ACL (Access Control List), such as standard, extended, time-based and named ACLs; here I will talk about the Object Access Control List (OACL). An object ACL is built from object groups: instead of writing a thousand ACL entries we can define one object, we can have many such objects, and we can reference all of those objects from another object (just like we do in programming). For example, we have source01 (Nayyar, Ahmad, Superman) and source02 (Sohail, Akhtar, Mastermind), and we have source03 which includes both of these objects.

According to the topology we have an inside router with security level 100 and an outside router with security level 0. We keep the security level high on the inside so that no one from outside can reach our router (traffic from a low security level to a high security level is not allowed by default), and in between we have the PixFirewall-515 to filter traffic. Now configure secondary addresses on the inside and outside router interfaces, so here we go:

Inside-Router (config) # interface fastethernet 0/0
Inside-Router (config-if) # ip address 192.168.1.3 255.255.255.0 secondary
Inside-Router (config-if) # ip address 192.168.1.4 255.255.255.0 secondary
Inside-Router (config-if) # ip address 192.168.1.5 255.255.255.0 secondary

Outside-Router (config) # interface fastethernet 0/0
Outside-Router (config-if) # ip address 10.1.1.3 255.0.0.0 secondary
Outside-Router (config-if) # ip address 10.1.1.4 255.0.0.0 secondary
Outside-Router (config-if) # ip address 10.1.1.5 255.0.0.0 secondary


Defining Objects for Source

PixFirewall-515 (config) # object-group network s1
PixFirewall-515 (config-network) # network-object host 192.168.1.2
PixFirewall-515 (config-network) # network-object host 192.168.1.3

PixFirewall-515 (config) # object-group network s2
PixFirewall-515 (config-network) # network-object host 192.168.1.4
PixFirewall-515 (config-network) # network-object host 192.168.1.5


Now referencing both objects within another object (the PIX keyword for nesting a group is group-object):

PixFirewall-515 (config) # object-group network s3
PixFirewall-515 (config-network) # group-object s1
PixFirewall-515 (config-network) # group-object s2



Defining Objects for Destination

PixFirewall-515 (config) # object-group network D1
PixFirewall-515 (config-network) # network-object host 10.1.1.2
PixFirewall-515 (config-network) # network-object host 10.1.1.3

PixFirewall-515 (config) # object-group network D2
PixFirewall-515 (config-network) # network-object host 10.1.1.4
PixFirewall-515 (config-network) # network-object host 10.1.1.5


Access-list referencing the objects (the ACL syntax uses the object-group keyword before each group name):

PixFirewall-515 (config) # access-list 105 permit tcp object-group s1 object-group D1 eq 23
PixFirewall-515 (config) # access-list 105 permit tcp object-group s3 object-group D2 eq www


In the first ACL entry only the members of object s1 are allowed, while the second entry permits object s3, which itself includes both the s1 and s2 objects.

Let's remove 192.168.1.2 from the access-list by removing it from its object group:

PixFirewall-515 (config) # object-group network s1
PixFirewall-515 (config-network) # no network-object host 192.168.1.2


Now ping an outside address using 192.168.1.2 as the source address: it will not ping, because the host has been removed from the object. Add it back to the group and ping again, and it will work properly.

PixFirewall-515 (config) # object-group network s1
PixFirewall-515 (config-network) # network-object host 192.168.1.2
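To show how nesting and the removal above play out without a PIX at hand, here is an added example (not from the post) that parses the post's object groups and access-list 105 into a small offline model: flattening s3 resolves the nested s1 and s2, and removing 192.168.1.2 from s1 drops it from every entry that references s1 directly or through s3. The config text is constructed from the commands in the post; port names and the first-match / implicit-deny evaluation are assumptions about PIX behaviour.

```python
# Added example (not the post's code): flatten nested PIX object-groups and
# evaluate the post's access-list 105 offline. PIX_CONFIG is constructed from the post.
PIX_CONFIG = """
object-group network s1
 network-object host 192.168.1.2
 network-object host 192.168.1.3
object-group network s2
 network-object host 192.168.1.4
 network-object host 192.168.1.5
object-group network s3
 group-object s1
 group-object s2
object-group network D1
 network-object host 10.1.1.2
 network-object host 10.1.1.3
object-group network D2
 network-object host 10.1.1.4
 network-object host 10.1.1.5
access-list 105 permit tcp object-group s1 object-group D1 eq 23
access-list 105 permit tcp object-group s3 object-group D2 eq www
"""

def parse(config):  # -> (groups: name -> [("host", ip) | ("group", name)], acl: list of ACEs)
    groups, acl, current = {}, [], None
    for line in config.strip().splitlines():
        p = line.split()
        if p[0] == "object-group":
            current = groups.setdefault(p[2], [])
        elif p[0] in ("network-object", "group-object"):
            current.append(("host" if p[0] == "network-object" else "group", p[-1]))
        elif p[0] == "access-list":  # ID action proto object-group SRC object-group DST eq PORT
            port = {"www": 80, "telnet": 23}.get(p[9]) or int(p[9])
            acl.append((p[2], p[3], p[5], p[7], port))
    return groups, acl

def expand(groups, name, seen=()):  # all hosts in a group, following nested group-objects
    hosts = set()
    for kind, value in groups[name]:
        if kind == "host":
            hosts.add(value)
        elif value not in seen:  # guard against accidental circular nesting
            hosts |= expand(groups, value, seen + (name,))
    return hosts

def permitted(groups, acl, src, dst, port, proto="tcp"):  # first match wins, else implicit deny
    for action, aproto, sgrp, dgrp, aport in acl:
        if (aproto, aport) == (proto, port) and src in expand(groups, sgrp) and dst in expand(groups, dgrp):
            return action == "permit"
    return False
```

Calling `groups["s1"].remove(("host", "192.168.1.2"))` after `groups, acl = parse(PIX_CONFIG)` mirrors the `no network-object` command, and `permitted` then denies that host for both entries because s3 inherits the change from s1.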


I hope it will be informative.
Cheers

4 comments:

nayyares said...

Cool, I like the naming conventions!

Anyhow, the concept of treating an ACL as an object is awesome; it can ease ACL management.

cheers

Sohail Akhtar said...

Thanks, when I started the blog the names just crossed my mind and I kept those names; anyway, that was cool stuff!

And regarding Object ACL, of course it will help a lot in cases where we have many ACLs!
