
Tuesday, July 20, 2010

CCNA Security 26

We're now going to look at some ways to write compact ACLs. We do this through object grouping on the ASA. Suppose that in the DMZ we have three servers, 20.20.20.1-3, and that we have statically translated them like this (port statics for TCP need the protocol keyword, the real port and a host netmask):

static (DMZ,OUTSIDE) tcp 10.10.10.1 80 20.20.20.1 80 netmask 255.255.255.255
static (DMZ,OUTSIDE) tcp 10.10.10.2 80 20.20.20.2 80 netmask 255.255.255.255
static (DMZ,OUTSIDE) tcp 10.10.10.3 80 20.20.20.3 80 netmask 255.255.255.255


Now suppose that all the servers provide HTTP, HTTPS and FTP services. To permit all these protocols, we have a hell of an access-list to type:
access-list PERMITSERVICES permit tcp any host 20.20.20.1 eq http
access-list PERMITSERVICES permit tcp any host 20.20.20.1 eq https
access-list PERMITSERVICES permit tcp any host 20.20.20.1 eq ftp
access-list PERMITSERVICES permit tcp any host 20.20.20.2 eq http
access-list PERMITSERVICES permit tcp any host 20.20.20.2 eq https
access-list PERMITSERVICES permit tcp any host 20.20.20.2 eq ftp
access-list PERMITSERVICES permit tcp any host 20.20.20.3 eq http
access-list PERMITSERVICES permit tcp any host 20.20.20.3 eq https
access-list PERMITSERVICES permit tcp any host 20.20.20.3 eq ftp


Now imagine that we could group all three servers into a single object-group. Then we could simply type:
access-list PERMITSERVICES permit tcp any object-group SERVERS eq http
access-list PERMITSERVICES permit tcp any object-group SERVERS eq https
access-list PERMITSERVICES permit tcp any object-group SERVERS eq ftp


We can go even further by grouping the services as well, reducing the whole list to a single line:
access-list PERMITSERVICES permit tcp any object-group SERVERS object-group SERVICES

Objects should be grouped into groups of similar servers or services. For example, web services like HTTP, HTTPS and FTP can be grouped into a single WEBSERVICES group. Business-critical protocols like SQL can be grouped into a single BUSINESSSERVICES group. ASA provides a flexible way of grouping things in which we can group by Protocols, Network, Services and ICMP Type (Echo, Echo-Reply, etc).

The steps to group things are:
1) Designate the type of object-group and name the group
2) Define the members of the object-group
3) Apply the object-group in an ACL

We'll first configure groups in the ASDM. To do this, we'll go to Configuration - Firewall - Objects - Network Objects/Groups.

Whenever you assign an IP address to an interface, a Network Object is created automatically that references the subnet of the network that interface is connected to. A Network Object can be either a host or a subnet.

A network object is just another type of object, and a network group is an object-group of the type Network. Every object-group has a type: ICMP-Type, Network, Protocol or Service. For example, if we wish to create a group for our three servers, we can simply create a network group like this (the last line shows the form a subnet member takes, with net_addr standing in for the network address):
object-group network SERVERS
network-object host 20.20.20.1
network-object host 20.20.20.2
network-object host 20.20.20.3
network-object net_addr 255.255.255.0


We can then group services like this:
object-group service SERVICES tcp
port-object eq http
port-object eq https
port-object eq ftp
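To see that the one-line object-group ACL really is equivalent to the nine-line version, here is a small Python script (an added example, not part of the original post) that parses the SERVERS and SERVICES groups above and expands the compact access-list into the flat ACEs the ASA actually evaluates. The ASA_CONFIG text is constructed from the post's own definitions; the parser handles only the forms used on this page (any, host, net mask, eq port and object-group).

```python
# Constructed sample config: the object groups and the compact ACL from the post.
ASA_CONFIG = """
object-group network SERVERS
 network-object host 20.20.20.1
 network-object host 20.20.20.2
 network-object host 20.20.20.3
object-group service SERVICES tcp
 port-object eq http
 port-object eq https
 port-object eq ftp
access-list PERMITSERVICES permit tcp any object-group SERVERS object-group SERVICES
"""


def parse_groups(config):
    """Collect object-group members keyed by group name (network and service)."""
    groups, current = {}, None
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "object-group":           # object-group <type> <NAME> [tcp|udp]
            current = parts[2]
            groups[current] = []
        elif parts[0] in ("network-object", "port-object") and current:
            groups[current].append(" ".join(parts[1:]))   # "host X", "net mask", "eq http"
    return groups


def _take_spec(tokens, groups):
    """Consume one address or port spec; return (alternatives, remaining tokens)."""
    if not tokens:
        return [""], tokens                      # no port spec present
    if tokens[0] == "any":
        return ["any"], tokens[1:]
    if tokens[0] == "object-group":              # expand to every member of the group
        return list(groups[tokens[1]]), tokens[2:]
    return [" ".join(tokens[:2])], tokens[2:]    # "host X", "net mask" or "eq port"


def expand_acl(config):
    """Expand object-group references into the flat ACEs the ASA evaluates."""
    groups, aces = parse_groups(config), []
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0] != "access-list":
            continue
        name, action, proto, rest = parts[1], parts[2], parts[3], parts[4:]
        srcs, rest = _take_spec(rest, groups)
        dsts, rest = _take_spec(rest, groups)
        ports, rest = _take_spec(rest, groups)
        for s in srcs:
            for d in dsts:
                for p in ports:
                    aces.append(f"access-list {name} {action} {proto} {s} {d} {p}".strip())
    return aces
```

Running expand_acl(ASA_CONFIG) yields the same nine entries as the long-hand access-list earlier in the post, in the same order.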
