CSM service-object groups.
Hello,
I have a question. I'd like to maintain an enhanced service object group. When I create a service-object, it splits the service-object into
sobjname.tcp
and then
sobjname.udp
But it doesn't tell you it's going to do this until you deploy (very annoying).
How can I create an enhanced service-object group with the protocol & port objects? I have both CSM 3.3 and 4.1.
Also, is there an UNDO command that I don't know about when modifying (cutting and pasting access rules around in CSM)?
Thanks!
-M-
Hello Bobby,
The object-groups look good.
The way to use them will be with ACLs, so the config looks cleaner and smaller.
Regards,
Julio Carvajal
Similar Messages
-
Implementing "object-group service"
Running 8.2(3) on an ASA 5510
I have created the two following object groups.
object-group service gatewayTCP tcp
port-object eq 88
port-object eq 135
port-object eq 445
port-object eq ldaps
port-object eq 3268
port-object eq 3269
object-group service gatewayTCP-UDP tcp-udp
port-object eq domain
port-object eq 389
port-object eq 464
port-object range 49152 65535
I have run into an issue with "domain" working in the tcp-udp type. The following access-list does not work without explicitly calling out "domain" for both TCP and UDP. Everywhere I looked I appear to be doing it right, so what am I missing? Does "permit tcp" need to be "permit ip" to cover both TCP and UDP? I found one article with someone suggesting just make it "permit tcp" and it will work. Not in a position to test at the moment, so I figured I'd ask here. I want to be sure I'm not getting bit anywhere else related to these object groups in case I am not implementing them correctly.
access-list dmzAccess extended permit tcp host 172.26.11.10 host 10.16.11.203 object-group gatewayTCP
access-list dmzAccess extended permit tcp host 172.26.11.10 host 10.16.11.203 object-group gatewayTCP-UDP
Is this a bug with service object groups? Is there some place I need to enable this feature?
Hi,
Have you tried configuring it like this
object-group service GATEWAY-SERVICES
service-object tcp eq 88
service-object tcp eq 135
service-object tcp eq 445
service-object tcp eq ldaps
service-object tcp eq 3268
service-object tcp eq 3269
service-object tcp eq 53
service-object udp eq 53
service-object tcp eq 389
service-object udp eq 389
service-object tcp eq 464
service-object udp eq 464
service-object tcp range 49152 65535
service-object udp range 49152 65535
access-list dmzAccess permit object-group GATEWAY-SERVICES host 172.26.11.10 host 10.16.11.203
I am not sure if it was only after software 8.3+ that the command under the actual "object-group" was of format "service-object tcp source" / "service-object tcp destination" (or the same for UDP)
- Jouni -
Hello Guys,
my question is do below access-lists operate the same way? I am confused about source and destination ports in object-group based acl.
ip access-list extended 101
deny tcp any any eq bgp
deny tcp any eq bgp any
deny tcp any any eq ftp
deny tcp any eq ftp any
object-group service services
tcp eq bgp
tcp eq ftp
ip access-list extended 101
deny object-group services any any
Following question is if the purpose is to deny any traffic where source port is bgp (e.g. deny any eq bgp any), how it can be configured using object group service.
Thanks in advance
Regards
SNAT to single host using object-group service
Hi, I have a single host that I want to static NAT a number of services to. I want to use service object groups to simplify commands. I guess the beginning is:
object-group service OG-SERVICES-INSIDE-MYSERVER
service-object tcp destination eq ftp
service-object tcp-udp destination eq www
service-object tcp destination eq 1723
object network NETWORK_OBJ_INSIDE-MYSERVER
host 192.168.1.100
How would the NAT configuration be?
Hi Samuel,
I think object NAT does not allow us to use service object-group.
In order to achieve your requirement we need to create network object per static nat per service.
This is because there can be only one nat statement per network object.
Hope this helps.
Thanks,
Rishabh -
I have an ASA 5510 and have just started using object-groups which are super handy in theory, but not working in reality. I have a service object-group with a mix of tcp, icmp, and udp ports. Let's call it Sample_Port_Group. I'm trying to apply it to my dmz_access_in ACL. Here's the line giving me problems:
access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 any
The ASA throws up an error between 192.168.1.1 and any. When I put a ? after Sample_Port_Group, it gives me the option of putting in an IP address, any, etc. When I put a ? after 192.168.1.1, it only gives me the option of putting in an IP address.
Going off these posts:
- http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml
- http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/nwaccess.html
Those posts gave me the impression my line was possible, especially the "access-list outsideacl extended permit object-group myaclog interface inside any" line, which is at the end of the 2nd article linked.
What am I doing wrong?
Thanks in advance for any help.
Hi Adam!
You are doing it right, you are just missing one little keyword.
The line should be as this:
access-list dmz_access_in extended permit object-group Sample_Port_Group host 192.168.1.1 any
or you could specify the subnetmask as:
access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 255.255.255.255 any
Regards -
ASR 1002 ACL object-group for ZBFW
Hey guys,
Quick question. I just want to know if anyone has experience configuring object-groups for ACLs on the ASR 1002. I am trying to do this on ours to consolidate a large ACL we have. It only works if I specifically use the protocols within the configuration. If I add a service object-group to match my protocols it doesn't match. The same configuration works on a 2811 router.
I have a TAC case open and Cisco is telling me that object-groups are not supported on the ASRs but I have a hard time believing them if the commands clearly exist.
If anyone has experience in this please let me know.
Thanks,
Elton
Sent from Cisco Technical Support iPhone App
Elton,
"Hi Joe,
Support will start in 3.9S (Q1CY2013). Thanks.
Cheers,
/Mani"
From:
Ask The Expert: Introduction to Cisco ASR 1000 Series Aggregation Services Routers -
Will these object-group cause override in CSM?
Hi Everyone,
Currently I cannot make changes in the live network to test the options below.
Say we have Fw1 with object group below
sh run object-group id Test
object-group network Test
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
Fw2 shows below
sh run object-group id Test
object-group network Test
network-object object 10.0.0.0
network-object object 172.16.0.0
network-object object 192.168.0.0
Will the above cause an override in CSM ver 4.2?
Also, if I have the object group below on fw1
sh run object-group Test_all
object-group network Test_all
network-object host 192.168.50.0
Fw2 shows
sh run object-group Test_ALL
object-group network Test_all
network-object host 192.168.50.0
Will the above also cause an override, as the names are different?
Regards
Mahesh
David, I think what you are referring to are nested structures, or in some cases "Deep" Structures. I have tested this scenario in my Netweaver 2004s system and there are no problems with this coding. However, this does not mean all will be ok in your case. I think that it really depends on how the structure (or deep structure) is used in the program and if the unicode checker is turned on.
REPORT zrich_0001.
TYPES: BEGIN OF t_sub,
sub(10) TYPE c,
END OF t_sub.
TYPES: BEGIN OF t_object,
object TYPE t_sub,
END OF t_object.
TYPES: BEGIN OF t_main,
main TYPE t_object,
END OF t_main.
data: xvar type t_main.
CHECK xvar-main-object-sub IS INITIAL.
Regards,
Rich Heilman -
Migrate network object group members; risk
We upgraded to new 5555 hardware and jumped from 8.2 to 9.1 last year. Our object listing is now a bit messy. I have never run the "Migrate Network Object Group Members" menu option in ASDM. I see what it is going to do; I am not sure it really helps me clean old objects, it seems low risk, but when I walk up to execution, there are a lot of changes it wants to make. We always save backup configurations but, if there are "gotchas", I don't want to put the company in that position. What has been the community's and Cisco's experience? Thanks for any feedback. jc
John,
if you feel that is risky, you can always go for plan B.
- you can take a closer look at the object groups and decide on a new object naming convention policy.
- from ASDM or CSM, you can see overlapped or duplicate rules, so you can start with reducing them
- you can see same services used in couple of rules with different service groups.
- like object-group service WEB-PORTS tcp
port-object eq http
port-object eq https
object-group service APPLICATION-PORTS tcp
port-object eq http
port-object eq https
object-group service APPS-PORT tcp
port-object eq www
port-object eq https
- you can replace all these different object-group with one object group. like WEB-PORTS.
- same way you can do the exercise for network groups as well.
hope this helps.
JD... -
Static nat and service port groups
I need some help with opening ports on my ASA using firmware 9.1.2.
I read earlier today that I can create service groups and tie ports to those. But how do I use those instead of using 'object network obj-ExchangeSever-smtp' ?
I have the ACL -
access-list incoming extended permit tcp any object-group Permit-1.1.1.1 interface outside
Can this statement
object network obj-ExchangeSever-smtp
nat (inside,outside) static interface service tcp smtp smtp
reference the service port groups instead?
Thanks,
Andrew
Hi,
Are you looking a way to group all the ports/services you need to allow from the external network to a specific server/servers?
Well you can for example configure this kind of "object-group"
object-group service SERVER-PORTS
service-object tcp destination eq www
service-object tcp destination eq ftp
service-object tcp destination eq https
service-object icmp echo
access-list OUTSIDE-IN permit object-group SERVER-PORTS any object
The above would essentially let you use a single ACL rule to allow multiple ports to a server or a group of servers. (Depending if you use an "object" or "object-group" to tell the destination address/addresses)
I am not sure how you have configured your NAT. Are they all Static PAT (Port Forward) configurations like the one you have posted above or perhaps Static NAT configurations?
You can use the "object network" created for the NAT configuration in the above ACL rule destination field to specify the host to which traffic will be allowed. Using the "object" in the ACL doesn't tell the ASA the ports, however. That needs to be configured in the above way or in your typical way.
Hope this helps
- Jouni -
RE: log trace on Service Object
I haven't tried myself; but got a copy from someone of part of technote
10398 which says (the minimum you need is:)
trc:in:1 Prints out information about interpreter state object.
10 - Print method entry/exit
trc:in:2 Trace the interpretation of method invocations and exception
handling
2 - Prints entry/exit and exceptions
trc:in:51:1 Traces method entry/exit by task
trc:in:54:1 Traces method entry/exit by application
Try it.
-----Original Message-----
From: Eric Abécassis [mailto:[email protected]]
Sent: Tuesday, April 13, 1999 10:24 AM
To: Forte User List
Subject: log trace on Service Object
Hi Everybody,
I would like to set log trace on each call (method entry and exit) on a
Service Object, but I didn't find any log flag which helps me.
Does someone have any ideas on how to do that ?
Thank you for your help !
Eric Abécassis <[email protected]>
Senior Architect
Sema Group DTS
To unsubscribe, email '[email protected]' with
'unsubscribe forte-users' as the body of the message.
Searchable thread archive <URL:http://pinehurst.sageit.com/listarchive/>
Hi Eric,
You can find on http://perso.club-internet.fr/dnguyen/ a little tool called CodeAdd which adds Entry and Return trace. In fact, you can use it to add any kind of code at the beginning and the end of your methods.
It also allows you to add a pre-formatted comment header in your code.
In a further version, it may be possible to replace a code sequence from your methods. For instance, you may add a trace class and change a task.Part.LogMgr.Putline by a call to your own class, or need to suppress some lines.
Just be careful to use the tool on a local backup of your repository: CodeAdd updates your methods directly in the repository.
Hope this helps,
Daniel Nguyen
Freelance Forte Consultant
Url : http://perso.club-internet.fr/dnguyen/
Eric Abécassis wrote:
Hi Everybody,
I would like to set log trace on each call (method entry and exit) on a
Service Object, but I didn't find any log flag which helps me.
Does someone have any ideas on how to do that ?
Thank you for your help !
Eric Abécassis <[email protected]>
Senior Architect
Sema Group DTS
-
Access list with multiple object groups
Hello Everyone,
I am using a Cisco ASA 5525 with 8.6 code. I am trying to set up an access list for outbound access, meaning hosts accessing the internet. I have created an access list called outbound_access and did "access-group outbound_access in interface inside".
I am trying to use object-groups where ever i can. Here is an example.
object-group service obj_Meraki_outbound
service-object tcp destination eq 443
service-object tcp destination eq 80
service-object tcp destination eq 7734
service-object tcp destination eq 7752
service-object udp destination eq 7351
object-group network obj_Meraki_lan
network-object 10.2.11.0 255.255.255.240
network-object 10.5.11.0 255.255.255.240
object-group network obj_Meraki_pub
des This group lists all hosts associated with Meraki.
network-object host 64.156.192.154
network-object host 64.62.142.12
network-object host 64.62.142.2
network-object host 74.50.51.16
network-object host 74.50.56.218
I have tried tying all these groups together in multiple ways but cannot figure out how to do this. This is what I think it should be: "access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub"
What i want is the use the service objects and the source network would be obj_Meraki_lan and destination would be obj_Meraki_pub. It seems the rules completely change when you use object groups. Can someone explain this maybe with a few examples. I am already using object groups in many acls but not for every element.
Thanks
Hi,
Seems to work on my test ASA
Attached it to my current LAN interface.
ASA(config)# packet-tracer input LAN tcp 10.2.11.1 12345 64.156.192.154 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 WAN
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outbound_access in interface LAN
access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub
object-group service obj_Meraki_outbound
service-object tcp destination eq https
service-object tcp destination eq www
service-object tcp destination eq 7734
service-object tcp destination eq 7752
service-object udp destination eq 7351
object-group network obj_Meraki_lan
network-object 10.2.11.0 255.255.255.240
network-object 10.5.11.0 255.255.255.240
object-group network obj_Meraki_pub
description: This group lists all hosts associated with Meraki.
network-object host 64.156.192.154
network-object host 64.62.142.12
network-object host 64.62.142.2
network-object host 74.50.51.16
network-object host 74.50.56.218
Additional Information:
access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq www (hitcnt=1) 0x4d812691
I have also used such a configuration in some special cases where the customer has insisted on allowing specific TCP/UDP ports between multiple networks. And nothing is stopping you from adding ICMP into the "object-group service" also.
- Jouni -
I was asked to create rules with the following TCP ports: 41000, 41002, 41025. Since these ports did not exist, I just created new TCP service objects. The issue is I put those ports as source port/range and destination port/range in the Add Service Object box.
I feel like I already know the question before I ask it, but should I have used "default (1 - 65535)" in the source port/range field just like the other TCP ports?
I've attached a snapshot of the Add Service Object box.
Thanks in advance!
Regards,
The Rookie
Hi,
Personally I never configure any ACL rules or NAT configuration on the ASDM
I assume that you are trying to configure an "object service" to the destination ports that you are going to allow in some ACL?
If this is correct then I would assume that you just define the destination port section of the "object service" configuration and leave the source section blank, as we don't want to define the source port range.
The "object service" lets you define both the source and destination port under the same "object service", but I don't find it that useful.
I usually configure all the ports I need either inside "object-group service" or "object service" and only define the destination port as that is usually the one we are more interested about.
Hope this helps
- Jouni -
What object group a port is in?
The following does not help:
ASA# sho run object-g | in 1433
port-object eq 1433
service-object tcp eq 1433
port-object eq 1433
ASA# sho run object-g service | in 1433
port-object eq 1433
service-object tcp eq 1433
ASA# sho run object-g | be 1433
port-object eq 1433
ASA# sho run object-g | grep 1433
port-object eq 1433
service-object tcp eq 1433
port-object eq 1433
Here's the command to find the object group name a port is in:
ASAXXX# show run object-group | in object-group | time-exceeded
object-group icmp-type ICMP_SVCS
icmp-object time-exceeded
Now you can find what else is in that object group:
ASAXXX# sho run object-group id ICMP_SVCS
object-group icmp-type ICMP_SVCS
icmp-object echo-reply
icmp-object unreachable
icmp-object echo
icmp-object time-exceeded
icmp-object traceroute
and the access-list that object group is being used in:
ASAXXX# sho access-list | in ICMP_SVCS
access-list Access_List_Name line 5 extended permit icmp object-group ABCD object-group WXYZ object-group ICMP_SVCS
So if you know a port number, you can quickly find out what object group and what access list is allowing that port. -
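Added example, written for this page and not taken from any of the posts above or from Cisco: a small Python parser for the ASA "object-group" and "access-list" syntax quoted in these threads, serving three of the questions at once. expand_ace() flattens a "permit object-group SVC object-group SRC object-group DST" entry into the per-service, per-host lines that "show access-list" prints (the form the packet-tracer output in the Meraki thread shows as "line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq www"); where_is_port() answers the last post's question, which service groups match a given port and which ACL lines reference them, instead of grepping "show run object-group"; duplicate_groups() lists service groups with identical members, the consolidation JD suggested for WEB-PORTS / APPLICATION-PORTS / APPS-PORT. The SAMPLE config is constructed for the example (group names and hosts borrowed from the threads), NAMES is a hand-made subset of the port names the ASA accepts, and only "eq"/"range" members of tcp, udp and tcp-udp are parsed; "description", "icmp-object" and other lines are ignored.

```python
# Added example (not code from the thread or from Cisco); the lead-in lists its assumptions.
import re
from collections import defaultdict
from itertools import product

NAMES = {"http": 80, "www": 80, "https": 443, "domain": 53, "ftp": 21, "ldaps": 636}  # hand-made subset
REV = {v: k for k, v in NAMES.items()}   # 80 -> "www", the name the ASA prints
ANY = (0, 65535)                          # unconstrained port range

def port(tok):
    return NAMES[tok] if tok in NAMES else int(tok)

def parse_ports(tokens):
    """['destination', 'eq', 'www'] -> (src, dst); a bare 'eq N' (pre-8.3 form) is a destination port."""
    src, dst, i = ANY, ANY, 0
    while i < len(tokens):
        side = "destination"
        if tokens[i] in ("source", "destination"):
            side, i = tokens[i], i + 1
        if tokens[i] == "eq":
            rng, i = (port(tokens[i + 1]),) * 2, i + 2
        else:                                # 'range lo hi'; other operators are not handled
            rng, i = (port(tokens[i + 1]), port(tokens[i + 2])), i + 3
        src, dst = (rng, dst) if side == "source" else (src, rng)
    return src, dst

class Config:
    """services: name -> [(proto, src, dst)]; networks: name -> [address text]. Unknown lines are ignored."""
    def __init__(self, text):
        self.services, self.networks, self.acl = {}, {}, []
        cur = proto = None
        for raw in text.splitlines():
            t = raw.split() or [""]          # blank line -> no keyword, falls through every branch
            if t[0] == "object-group":       # header; a trailing tcp/udp/tcp-udp applies to port-objects
                cur, proto = t[2], (t[3] if len(t) > 3 else None)
                (self.networks if t[1] == "network" else self.services).setdefault(cur, [])
            elif t[0] == "service-object" and t[1] in ("tcp", "udp", "tcp-udp"):
                self.services[cur] += [(p,) + parse_ports(t[2:]) for p in t[1].split("-")]
            elif t[0] == "port-object":
                self.services[cur] += [(p,) + parse_ports(t[1:]) for p in proto.split("-")]
            elif t[0] == "network-object":
                self.networks[cur].append(" ".join(t[1:]))
            elif t[0] == "access-list":
                self.acl.append(raw.strip())

ACE = re.compile(r"access-list \S+ (?:extended )?(permit|deny) object-group (\S+) "
                 r"(object-group \S+|host \S+|any) (object-group \S+|host \S+|any)$")

def fmt_port(rng):                           # render as 'show access-list' does; nothing when unconstrained
    if rng == ANY:
        return ""
    return f" eq {REV.get(rng[0], rng[0])}" if rng[0] == rng[1] else f" range {rng[0]} {rng[1]}"

def expand_ace(cfg, line):
    """Flatten one 'permit object-group SVC SRC DST' entry into the per-service,
    per-address lines the ASA evaluates; other ACE forms are returned unchanged."""
    m = ACE.match(line)
    if not m:
        return [line]
    action, svc, src, dst = m.groups()
    def resolve(ref):
        return cfg.networks[ref.split()[1]] if ref.startswith("object-group") else [ref]
    return [f"{action} {p} {s}{fmt_port(sp)} {d}{fmt_port(dp)}"
            for (p, sp, dp), s, d in product(cfg.services[svc], resolve(src), resolve(dst))]

def where_is_port(cfg, proto, number):
    """Service groups matching destination port proto/number -> the ACL lines that reference each."""
    hits = [n for n, ents in cfg.services.items()
            if any(p == proto and lo <= number <= hi for p, _, (lo, hi) in ents)]
    return {n: [l for l in cfg.acl if f"object-group {n} " in l + " "] for n in sorted(hits)}

def duplicate_groups(cfg):
    """Service groups with identical member sets: candidates to merge into one."""
    seen = defaultdict(list)
    for name, ents in cfg.services.items():
        seen[frozenset(ents)].append(name)
    return sorted(sorted(n) for n in seen.values() if len(n) > 1)

SAMPLE = """\
object-group service obj_Meraki_outbound
 service-object tcp destination eq 443
 service-object udp destination eq 7351
object-group network obj_Meraki_lan
 network-object 10.2.11.0 255.255.255.240
object-group network obj_Meraki_pub
 network-object host 64.156.192.154
 network-object host 64.62.142.12
object-group service SQL-PORTS tcp
 port-object eq 1433
object-group service DB-SERVICES
 service-object tcp eq 1433
object-group service WEB-PORTS tcp
 port-object eq http
object-group service APPS-PORT tcp
 port-object eq www
access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub
access-list dmz_in extended permit tcp any object-group obj_Meraki_pub object-group SQL-PORTS
"""
```

With cfg = Config(SAMPLE), expand_ace(cfg, cfg.acl[0]) returns four lines (two for TCP/443 and two for UDP/7351, one per Meraki host); where_is_port(cfg, "tcp", 1433) returns {'DB-SERVICES': [], 'SQL-PORTS': [the dmz_in line]}; and duplicate_groups(cfg) returns [['APPS-PORT', 'WEB-PORTS'], ['DB-SERVICES', 'SQL-PORTS']], because "http" and "www" normalise to the same port and a "port-object eq 1433" under a tcp group header is the same member as a pre-8.3 "service-object tcp eq 1433", something a text search on the names alone would never pair up. The product in expand_ace() is also why Jouni's advice to leave the source port unset matters: every extra source-port member multiplies the number of flattened entries that "show access-list" reports.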
We recently installed a pair of ASR1004 routers and were somewhat (unpleasantly) surprised to find that the "object-group network" and "object-group service" were not supported. After doing some searches on the forums here I found this discussion:
https://supportforums.cisco.com/message/3573041#3573041
At that time (28 Feb 2012) it was mentioned that support for object-groups for ACLs was planned for 3.9S / Q1CY2013. We're running 3.10S and still no object groups, so I was just wondering if anyone has heard an updated estimate of when this feature will be added to IOS-XE?
As the release notes state, this feature is implemented in 3.12S:
http://www.cisco.com/c/en/us/td/docs/routers/asr1000/release/notes/asr1k_rn_rel_notes/asr1k_feats_important_notes_312s.html#pgfId-3452835 -