Here's a link about Cisco ASA objects. I needed to "harden" our SIP connection to an external SIP gateway on the Internet, so instead of configuring multiple ACL entries I configured network and service object-groups on the Cisco ASA firewall. The result is a single ACE that references the three object-groups; the ASA expands it internally into the individual host/host/port entries, as the `show access-list` output below shows.
ciscoassa# configure terminal
ciscoassa(config)# object-group network SIP-EXTERNAL
ciscoassa(config-network-object-group)# network-object ?
network-object-group mode commands/options:
Hostname or A.B.C.D Enter an IPv4 network address
Hostname/<0-128> or X:X:X:X::X/<0-128> Enter an IPv6 prefix
host Enter this keyword to specify a
single host object
object Enter this keyword to specify a
network object
ciscoassa(config-network-object-group)# network-object host 208.7.8.1
ciscoassa(config-network-object-group)# network-object host 208.7.8.2
ciscoassa(config)# object-group network SIP-INTERNAL
ciscoassa(config-network-object-group)# network-object host 192.168.1.6
ciscoassa(config-network-object-group)# network-object host 192.168.1.7
ciscoassa(config)# object-group service SIP-PROTOCOLS
ciscoassa(config-service-object-group)# service-object ?
dual-service-object-group mode commands/options:
<0-255> Enter protocol number (0 - 255)
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
object Enter this keyword to specify a service object
ospf
pcp
pim
pptp
sctp
snp
tcp
tcp-udp Both TCP & UDP
udp
ciscoassa(config-service-object-group)# service-object udp ?
dual-service-object-group mode commands/options:
destination Keyword to specify destination
source Keyword to specify source
<cr>
dual-service-object-group mode commands/options:
<0-65535> Enter port number (0 - 65535)
biff
bootpc
bootps
cifs
discard
dnsix
domain
echo
http
isakmp
kerberos
mobile-ip
nameserver
netbios-dgm
netbios-ns
nfs
ntp
pcanywhere-status
pim-auto-rp
radius
radius-acct
rip
secureid-udp
sip
snmp
snmptrap
sunrpc
syslog
tacacs
talk
tftp
time
vxlan
who
www
xdmcp
ciscoassa(config-service-object-group)# service-object udp destination ?
dual-service-object-group mode commands/options:
eq Port equal to operator
gt Port greater than operator
lt Port less than operator
neq Port not equal to operator
range Port range operator
ciscoassa(config-service-object-group)# service-object udp destination eq 5060
ciscoassa(config-service-object-group)# service-object tcp destination eq 5060
ciscoassa(config-service-object-group)# service-object udp destination range 5000 60000
ciscoassa(config)# show object
object-group network SIP-EXTERNAL
network-object host 208.7.8.1
network-object host 208.7.8.2
object-group service SIP-PROTOCOLS
service-object udp destination eq sip
service-object tcp destination eq sip
service-object udp destination range 5000 60000
object-group network SIP-INTERNAL
network-object host 192.168.1.6
network-object host 192.168.1.7
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit ?
configure mode commands/options:
<0-255> Enter protocol number (0 - 255)
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
object Specify a service object after this keyword
object-group Specify a service or protocol object-group after this keyword
ospf
pcp
pim
pptp
sctp
snp
tcp
udp
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group ?
configure mode commands/options:
WORD Service or protocol object-group name
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS ?
configure mode commands/options:
A.B.C.D Source IP address
X:X:X:X::X/<0-128> Source IPv6 address/prefix
any Abbreviation for source address/mask of
0.0.0.0/0.0.0.0 OR source prefix ::/0
any4 Abbreviation of source address and mask of 0.0.0.0
0.0.0.0
any6 Abbreviation for source prefix ::/0
host Use this keyword to configure source host
interface Use interface address as source address
object Keyword to enter source object name
object-group Network object-group for source address
object-group-security Keyword to specify security object-group for source
object-group-user Keyword to specify user object-group for source
security-group Keyword to specify inline security-group
user Keyword to specify user for source
user-group Keyword to specify user-group for source
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL ?
configure mode commands/options:
A.B.C.D Destination IP address
X:X:X:X::X/<0-128> Destination IPv6 address/prefix
any Abbreviation for destination address/mask of
0.0.0.0/0.0.0.0 OR destination prefix ::/0
any4 Abbreviation for destination address and mask of
0.0.0.0 0.0.0.0
any6 Abbreviation for destination prefix ::/0
host Use this keyword to configure destination host
interface Use interface address as destination address
object Keyword to enter destination object name
object-group Network object-group for destination address
object-group-security Keyword to specify security object-group for
destination
security-group Keyword to specify inline security-group
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL object-group SIP-INTERNAL // ONLY A SINGLE ACE
ciscoassa(config)# show run access-list
access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL object-group SIP-INTERNAL
ciscoassa(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list SIP-OUTSIDE-IN line 1 extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL object-group SIP-INTERNAL (hitcnt=0) 0xc506ba7b
access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.6 eq sip (hitcnt=0) 0xa581f8ec
access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.7 eq sip (hitcnt=0) 0xe8109d83
access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.6 eq sip (hitcnt=0) 0xcd331db8
access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.7 eq sip (hitcnt=0) 0x401975dd
access-list OUTSIDE_IN line 1 extended permit tcp host 208.7.8.1 host 192.168.1.6 eq sip (hitcnt=0) 0x22d073e8
access-list OUTSIDE_IN line 1 extended permit tcp host 208.7.8.1 host 192.168.1.7 eq sip (hitcnt=0) 0x08a4966a
access-list OUTSIDE_IN line 1 extended permit tcp host 208.7.8.2 host 192.168.1.6 eq sip (hitcnt=0) 0x9747ecca
access-list OUTSIDE_IN line 1 extended permit tcp host 208.7.8.2 host 192.168.1.7 eq sip (hitcnt=0) 0x41479753
access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.6 range 5000 60000 (hitcnt=0) 0x98df0f49
access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.7 range 5000 60000 (hitcnt=0) 0x3542d660
access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.6 range 5000 60000 (hitcnt=0) 0xcbde7f33
access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.7 range 5000 60000 (hitcnt=0) 0x2b5bdc5b
ciscoassa(config)# object-group network SIP-EXTERNAL
ciscoassa(config-network-object-group)# network-object ?
network-object-group mode commands/options:
Hostname or A.B.C.D Enter an IPv4 network address
Hostname/<0-128> or X:X:X:X::X/<0-128> Enter an IPv6 prefix
host Enter this keyword to specify a
single host object
object Enter this keyword to specify a
network object
ciscoassa(config-network-object-group)# network-object host 208.7.8.1
ciscoassa(config-network-object-group)# network-object host 208.7.8.2
ciscoassa(config)# object-group network SIP-INTERNAL
ciscoassa(config-network-object-group)# network-object host 192.168.1.6
ciscoassa(config-network-object-group)# network-object host 192.168.1.7
ciscoassa(config)# object-group service SIP-PROTOCOLS
ciscoassa(config-service-object-group)# service-object ?
dual-service-object-group mode commands/options:
<0-255> Enter protocol number (0 - 255)
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
object Enter this keyword to specify a service object
ospf
pcp
pim
pptp
sctp
snp
tcp
tcp-udp Both TCP & UDP
udp
ciscoassa(config-service-object-group)# service-object udp ?
dual-service-object-group mode commands/options:
destination Keyword to specify destination
source Keyword to specify source
<cr>
dual-service-object-group mode commands/options:
<0-65535> Enter port number (0 - 65535)
biff
bootpc
bootps
cifs
discard
dnsix
domain
echo
http
isakmp
kerberos
mobile-ip
nameserver
netbios-dgm
netbios-ns
nfs
ntp
pcanywhere-status
pim-auto-rp
radius
radius-acct
rip
secureid-udp
sip
snmp
snmptrap
sunrpc
syslog
tacacs
talk
tftp
time
vxlan
who
www
xdmcp
ciscoassa(config-service-object-group)# service-object udp destination ?
dual-service-object-group mode commands/options:
eq Port equal to operator
gt Port greater than operator
lt Port less than operator
neq Port not equal to operator
range Port range operator
ciscoassa(config-service-object-group)# service-object udp destination eq 5060
ciscoassa(config-service-object-group)# service-object tcp destination eq 5060
ciscoassa(config-service-object-group)# service-object udp destination range 5000 60000
ciscoassa(config)# show object
object-group network SIP-EXTERNAL
network-object host 208.7.8.1
network-object host 208.7.8.2
object-group service SIP-PROTOCOLS
service-object udp destination eq sip
service-object tcp destination eq sip
service-object udp destination range 5000 60000
object-group network SIP-INTERNAL
network-object host 192.168.1.6
network-object host 192.168.1.7
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit ?
configure mode commands/options:
<0-255> Enter protocol number (0 - 255)
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
object Specify a service object after this keyword
object-group Specify a service or protocol object-group after this keyword
ospf
pcp
pim
pptp
sctp
snp
tcp
udp
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group ?
configure mode commands/options:
WORD Service or protocol object-group name
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS ?
configure mode commands/options:
A.B.C.D Source IP address
X:X:X:X::X/<0-128> Source IPv6 address/prefix
any Abbreviation for source address/mask of
0.0.0.0/0.0.0.0 OR source prefix ::/0
any4 Abbreviation of source address and mask of 0.0.0.0
0.0.0.0
any6 Abbreviation for source prefix ::/0
host Use this keyword to configure source host
interface Use interface address as source address
object Keyword to enter source object name
object-group Network object-group for source address
object-group-security Keyword to specify security object-group for source
object-group-user Keyword to specify user object-group for source
security-group Keyword to specify inline security-group
user Keyword to specify user for source
user-group Keyword to specify user-group for source
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL ?
configure mode commands/options:
A.B.C.D Destination IP address
X:X:X:X::X/<0-128> Destination IPv6 address/prefix
any Abbreviation for destination address/mask of
0.0.0.0/0.0.0.0 OR destination prefix ::/0
any4 Abbreviation for destination address and mask of
0.0.0.0 0.0.0.0
any6 Abbreviation for destination prefix ::/0
host Use this keyword to configure destination host
interface Use interface address as destination address
object Keyword to enter destination object name
object-group Network object-group for destination address
object-group-security Keyword to specify security object-group for
destination
security-group Keyword to specify inline security-group
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL object-group SIP-INTERNAL // ONLY A SINGLE ACE
ciscoassa(config)# show run access-list
access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL object-group SIP-INTERNAL
ciscoassa(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list SIP-OUTSIDE-IN line 1 extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL object-group SIP-INTERNAL (hitcnt=0) 0xc506ba7b
access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.6 eq sip (hitcnt=0) 0xa581f8ec
access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.7 eq sip (hitcnt=0) 0xe8109d83
access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.6 eq sip (hitcnt=0) 0xcd331db8
access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.7 eq sip (hitcnt=0) 0x401975dd
access-list OUTSIDE_IN line 1 extended permit tcp host 208.7.8.1 host 192.168.1.6 eq sip (hitcnt=0) 0x22d073e8
access-list OUTSIDE_IN line 1 extended permit tcp host 208.7.8.1 host 192.168.1.7 eq sip (hitcnt=0) 0x08a4966a
access-list OUTSIDE_IN line 1 extended permit tcp host 208.7.8.2 host 192.168.1.6 eq sip (hitcnt=0) 0x9747ecca
access-list OUTSIDE_IN line 1 extended permit tcp host 208.7.8.2 host 192.168.1.7 eq sip (hitcnt=0) 0x41479753
access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.6 range 5000 60000 (hitcnt=0) 0x98df0f49
access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.7 range 5000 60000 (hitcnt=0) 0x3542d660
access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.6 range 5000 60000 (hitcnt=0) 0xcbde7f33
access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.7 range 5000 60000 (hitcnt=0) 0x2b5bdc5b