Sunday, October 25, 2015

Network and Service Object/Object Groups in ASA


Network objects/object groups and service objects/object groups are used to maintain and manage IP addresses and services in a more meaningful and easier way. An object can hold only one piece of information (one IP definition or one service); an object group can hold many.

Network Objects


1. Create the object with a meaningful object name using the “object network” command. OBJ1 is used as the object name in the examples below.
    hostname(config)# object network OBJ1

2. Give a meaningful description of the object. (optional)
    hostname(config-network-object)# description Engineering Network

3. Set the IP details as required. They can be configured in one of four ways.
    Note- you can only configure one line here; the last one entered replaces the previous one.
  • as a single IP – use the host command with an IP address
           hostname(config-network-object)# host 10.2.2.2
  • as a network – use the subnet command with a network address and subnet mask
           hostname(config-network-object)# subnet 10.0.0.0 255.0.0.0
  • as a range of IPs – use the range command with the first and last IP
           hostname(config-network-object)# range 10.0.0.1 10.0.0.255
  • as an FQDN – use the fqdn command with a fully qualified domain name
           hostname(config-network-object)# fqdn ittipslk.blogspot.com


Network Object Groups


1. Use the object-group network command with a meaningful name. GRP1 is used as the name in the example below.
    hostname(config)# object-group network GRP1

2. Give a meaningful description of the object group. (optional)
    hostname(config-network)# description Administrator Addresses

3. Set the IP details as required.
    Note- you can configure one or many lines here.
  • Set a single IP using the network-object host command with the IP address
           hostname(config-network)# network-object host 10.2.2.4
           hostname(config-network)# network-object host 10.2.2.5
  • Set a previously created object inside the object group using the group-object command with the object name
           hostname(config-network)# group-object OBJ1
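Because a group can nest other objects and groups, what a group like GRP1 actually matches is only visible after expanding every group-object reference. The following Python script is an added example (not from the original post) that parses the object and object-group definitions shown above from a constructed config snippet, expands nesting, and flags members wider than a chosen prefix length, which is a quick way to spot an overly broad subnet hiding inside an "administrator" group during a config review.

```python
import ipaddress
import re
# Constructed sample config reusing the object names from the post (OBJ1, GRP1); not from a real device.
SAMPLE_CONFIG = """
object network OBJ1
 description Engineering Network
 subnet 10.0.0.0 255.0.0.0
object-group network GRP1
 description Administrator Addresses
 network-object host 10.2.2.4
 network-object host 10.2.2.5
 network-object 192.168.1.0 255.255.255.0
 group-object OBJ1
"""

def parse_objects(config):
    """Map each 'object network' / 'object-group network' name to its indented member lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^object(?:-group)? network (\S+)$", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif not raw.startswith(" "):
            current = None          # some other top-level command: stop collecting members
        elif current and not line.startswith("description"):
            blocks[current].append(line)
    return blocks

def resolve(name, blocks, seen=None):
    """Expand an object or group (following group-object nesting) into ip_network values."""
    seen = set() if seen is None else seen
    if name in seen:            # guard against group-object reference loops
        return []
    seen.add(name)
    nets = []
    for line in blocks[name]:
        p = line.split()
        if p[0] == "host" or p[:2] == ["network-object", "host"]:
            nets.append(ipaddress.ip_network(p[-1]))
        elif p[0] == "range":   # ASA range -> minimal list of CIDR blocks
            nets += ipaddress.summarize_address_range(ipaddress.ip_address(p[1]), ipaddress.ip_address(p[2]))
        elif p[0] == "subnet" or (p[0] == "network-object" and len(p) == 3):
            nets.append(ipaddress.ip_network(f"{p[-2]}/{p[-1]}", strict=False))
        elif p[0] == "group-object" or p[:2] == ["network-object", "object"]:
            nets += resolve(p[-1], blocks, seen)
        # fqdn members are skipped: the ASA resolves them at runtime, so they cannot be expanded offline
    return nets

def broad_members(name, blocks, max_prefixlen=16):
    """Members wider than /16 (example threshold): a /8 inside an administrator group stands out."""
    return [str(n) for n in resolve(name, blocks) if n.prefixlen < max_prefixlen]
```

Running `broad_members("GRP1", parse_objects(SAMPLE_CONFIG))` reports the 10.0.0.0/8 pulled in through OBJ1, which the group's own four lines never mention directly.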

Service Objects



1. Create the object with a meaningful object name using the “object service” command. SER1 is used as the object name in the examples below.
    hostname(config)# object service SER1

2. Set the service as required. You can use tcp/udp/icmp/icmp6 as protocols and eq/neq/lt/gt/range to set ports or port ranges.
    Note- you can only configure one line here.

    examples...
  • Set source port greater than or equal tcp/6785 and destination tcp/ssh
           hostname(config-service-object)# service tcp source gt 6785 destination eq ssh
  • Set destination ports from udp/53 to udp/63
           hostname(config-service-object)# service udp destination range 53 63
  • Set ICMP packet type 3 and code 1
           hostname(config-service-object)# service icmp 3 1


Service Object Group


1. Use the object-group service command with a meaningful name. GRP2 is used as the name in the example below.
    hostname(config)# object-group service GRP2

2. Give a meaningful description of the object group. (optional)
    hostname(config-service-object-group)# description Test ports

3. Set the port details as required. You can use tcp/udp/tcp-udp as protocols and eq/neq/lt/gt/range to set ports or port ranges. In the service-object command the protocol comes first, followed by the source and/or destination port specification.
    Note- you can configure one or many lines here.
  • Set source port greater than or equal tcp/1000 and destination tcp/ftp
           hostname(config-service-object-group)# service-object tcp source gt 1000 destination eq ftp
  • Set destination ports tcp/53 and udp/53
           hostname(config-service-object-group)# service-object tcp-udp destination eq 53
  • Set source ports from tcp/50 to tcp/100
           hostname(config-service-object-group)# service-object tcp source range 50 100
  • Add a previously created service object to the service object group
           hostname(config-service-object-group)# service-object object WEB
