This post is really centered around the concept of Objects and Object Groups, but you can't really talk about Objects without covering the upgrade process that gets you there. Unless you have a newer-generation ASA, the need to upgrade from an older version just to get to 8.3 or higher is a major hurdle. The concept of Object Groups has been around since before version 8.3, but Objects themselves are something altogether new with version 8.3.
If you're considering upgrading your ASA or ASAs from an older version to 8.3 or above, I recommend reading the following requirements from the Cisco Support Community before doing so. For the most part the upgrade is easy, but I have run into issues where certain configuration, mainly ACLs, didn't get converted to the new 8.3 format. I would recommend researching the Cisco Support Community or opening a TAC case before you upgrade.
The concept of Object Groups has been around for a while; I believe they were first introduced in version 7.0. Objects didn't show up until 8.3. The one thing I don't like or understand is the continued support of Object Groups. Why not just consolidate the functionality of Object Groups into Objects and eliminate the need for Object Groups altogether? I'll stop complaining now and get on with some Object configurations.
Before we do anything, let's create a quick backup of the current configuration.
The Adaptive Security Appliances come with an external compact flash slot that can be used for various things such as the boot image or the running config if you choose to do so. The slot is always referred to as disk1: or slot 1, and the internal flash is always referred to as disk0: or slot 0. You can purchase the compact flash at time of purchase or simply add it afterwards. On both my 5510s and 5520s I always populate the external compact flash for the sole purpose of backing up the running configuration before I make changes.
Available Storage
- Disk0: – Onboard Flash
- Disk1: – Compact Flash
ASA#copy running-config disk1:/backup.cfg
Understanding The TCP 5 Tuple
- The source IP address of the flow
- The source port number of the flow
- The destination IP address of the flow
- The destination port number of the flow
- The Protocol being used in the flow
Stop Creating Duplicate Objects
The concept behind Objects and Object Groups is very similar to the one found in Object Oriented Programming. The principle behind Object Oriented Programming is to create an object once and use it over and over again throughout the code. If we look at it from a configuration standpoint on the ASA, it's much the same. For example, I can create a simple FTP Object or Object Group that can be used over and over again throughout the configuration.
ASA#configure terminal
ASA(config)#object-group service FTP tcp
ASA(config-service-object-group)#port-object eq ftp
ASA(config-service-object-group)#port-object eq ftp-data
ASA(config-service-object-group)#exit
ASA(config)#exit
ASA#
Let's create a simple network object for an FTP server located in the DMZ with static NAT.
ASA#configure terminal
ASA(config)#object network FTPServer
ASA(config-network-object)#host 192.168.20.18
ASA(config-network-object)#nat (dmz,outside) static 12.40.3.20
ASA(config-network-object)#exit
ASA(config)#
Let's create the necessary FTP ACL for the object FTPServer. The FTP service group was created as a tcp group, so it can only be referenced from a tcp ACE; the ASA rejects it in a udp ACE.
ASA#configure terminal
ASA(config)#access-list outside permit tcp any object FTPServer object-group FTP
ASA(config)#exit
ASA#
Let's create the dynamic translation object for the 172.16.32.0 subnet. The object needs its subnet defined before the NAT statement is attached to it.
ASA#configure terminal
ASA(config)#object network 172.16.32.0
ASA(config-network-object)#subnet 172.16.32.0 255.255.255.0
ASA(config-network-object)#nat (inside,outside) dynamic 12.20.3.5
ASA(config-network-object)#exit
ASA(config)#
As with any firewall configuration, we have to account for the allowed translation of our inside networks to the outside world. There are, however, a couple of things to consider. The first option is to translate individual networks one by one. The second option is to translate the entire block. I always prefer to take option number 2 when translating networks.
Objects are also used for translating networks or subnet segments such as the following. We could choose to translate each network or subnet independently, or translate the entire range of addresses. I always prefer to translate the entire range; that way I'm not constantly adding additional Objects every time we bring up another remote network.
- 172.16.31.0 255.255.255.0
- 172.16.32.0 255.255.255.0
- 172.16.33.0 255.255.255.0
- 172.16.34.0 255.255.255.0
For this example, let's say you wanted to translate each network separately. The first thing you need to do is come up with a meaningful Object name for each individual network. Personally, I like to keep it simple and create the Object using its literal name.
Create a network object for the subnet 172.16.31.0 with dynamic NAT to the outside.
ASA#configure terminal
ASA(config)#object network 172.16.31.0
ASA(config-network-object)#subnet 172.16.31.0 255.255.255.0
ASA(config-network-object)#exit
ASA(config)#exit
ASA#
Now let's add the dynamic NAT for the network object 172.16.31.0/24.
ASA#configure terminal
ASA(config)#object network 172.16.31.0
ASA(config-network-object)#nat (inside,outside) dynamic 12.20.3.5
ASA(config-network-object)#exit
ASA(config)#exit
ASA#
Let's take a look at the number of translated hits for the object 172.16.31.0.
ASA#show nat object 172.16.31.0
Auto NAT Policies (Section 2)
33 (Inside) to (outside) source dynamic 172.16.31.0 interface
    translate_hits = 123, untranslate_hits = 11
ASA#
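To make the two translation options concrete, here is an added example in Python (my own code, not from the original post or from Cisco). It emits the per-network objects the post builds by hand beside a single object that covers the whole block, and shows why the four /24s listed above cannot be expressed as one subnet. The PAT address 12.20.3.5 and the interface pair come from the post; the object name REMOTE-NETS, the helper names, and the use of the network-object `range` keyword are my assumptions.

```python
# Added example (not from the original post or Cisco): compare "one NAT object
# per subnet" with "one object covering the whole block" for the remote
# networks 172.16.31.0/24 .. 172.16.34.0/24 listed in the post.
# The emitted lines use only the object network / subnet / range / nat
# keywords; 12.20.3.5 and (inside,outside) are taken from the post.
import ipaddress

REMOTE_NETS = ["172.16.31.0/24", "172.16.32.0/24", "172.16.33.0/24", "172.16.34.0/24"]
PAT_ADDRESS = "12.20.3.5"          # PAT address used by the post's dynamic NAT

def per_network_objects(nets, pat=PAT_ADDRESS, ifaces="inside,outside"):
    """Option 1: one object and one auto-NAT rule per subnet, named by its literal network."""
    lines = []
    for n in map(ipaddress.ip_network, nets):
        lines += [f"object network {n.network_address}",
                  f" subnet {n.network_address} {n.netmask}",
                  f" nat ({ifaces}) dynamic {pat}"]
    return lines

def summarize(nets):
    """Fewest CIDR blocks that exactly cover the subnets; refuses gaps so NAT scope is never widened silently."""
    nets = sorted(map(ipaddress.ip_network, nets), key=lambda n: n.network_address)
    for a, b in zip(nets, nets[1:]):
        if a.broadcast_address + 1 != b.network_address:
            raise ValueError(f"{a} and {b} are not contiguous")
    return list(ipaddress.summarize_address_range(nets[0].network_address,
                                                  nets[-1].broadcast_address))

def whole_block_objects(nets, name="REMOTE-NETS", pat=PAT_ADDRESS, ifaces="inside,outside"):
    """Option 2: a single range object (hypothetical name REMOTE-NETS) and a single NAT rule."""
    blocks = summarize(nets)
    first, last = blocks[0].network_address, blocks[-1].broadcast_address
    return [f"object network {name}", f" range {first} {last}", f" nat ({ifaces}) dynamic {pat}"]

def covered_by_block(nets, candidate):
    """True if a newly added subnet already falls inside the block, i.e. needs no new object."""
    c = ipaddress.ip_network(candidate)
    return any(c.subnet_of(b) for b in summarize(nets))

if __name__ == "__main__":
    print("\n".join(per_network_objects(REMOTE_NETS)))
    print([str(b) for b in summarize(REMOTE_NETS)])   # 3 blocks, not 1: 172.16.31.0/24, 172.16.32.0/23, 172.16.34.0/24
    print("\n".join(whole_block_objects(REMOTE_NETS)))
    print(covered_by_block(REMOTE_NETS, "172.16.33.0/24"), covered_by_block(REMOTE_NETS, "172.16.35.0/24"))
```

The contiguity check is the part worth keeping: a range object translates everything between its first and last address, so if the remote networks are not contiguous, the "whole block" option quietly gives NAT to address space you never assigned.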
Placing Objects Inside Object Groups
Creating objects and then placing them inside object groups is probably the most misunderstood or overlooked configuration step. That's the true power of object groups: their ability to contain objects within themselves. The real power, or simplicity, comes from being able to reference the object group itself rather than each of the objects contained within it. This way the overall configuration becomes much simpler and easier to manage.
ASA#configure terminal
ASA(config)#object network WEBSERVER-1
ASA(config-network-object)#host 172.16.30.20
ASA(config-network-object)#nat (inside,outside) static 223.23.8.20
ASA(config-network-object)#exit
ASA(config)#object network WEBSERVER-2
ASA(config-network-object)#host 172.16.30.21
ASA(config-network-object)#nat (inside,outside) static 223.23.8.21
ASA(config-network-object)#exit
ASA(config)#object-group network WEBGROUP
ASA(config-network-object-group)#network-object object WEBSERVER-1
ASA(config-network-object-group)#network-object object WEBSERVER-2
ASA(config-network-object-group)#exit
ASA(config)#access-list outside permit tcp any object-group WEBGROUP eq https
ASA(config)#exit
ASA#
As you can see in the example above, the two Web Server objects are simply added to the object group WEBGROUP. At that point the object group WEBGROUP can be referenced once in the ACL, as opposed to referencing the individual object for each Web Server.
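To tie the 5-tuple section, the FTP object example and the WEBGROUP example together, here is an added example in Python (my own code, not from the original post or from Cisco). It reads ASA-style object, object-group and access-list lines, expands every ACE into concrete networks and ports, and then evaluates a TCP/UDP 5-tuple against the expanded ruleset the way you would when auditing what a group-based ACL actually permits. Only the keywords that appear in the post are handled, the service-name table is a small hypothetical subset, and the sample config is constructed from the post's FTP and WEBGROUP objects.

```python
# Added example (not from the original post or Cisco): expand ASA object /
# object-group references in ACEs and evaluate a 5-tuple against the result.
# First match wins and the ASA's implicit deny applies when nothing matches.
import ipaddress

# Constructed from the post's examples (not a real device's config).
SAMPLE_CONFIG = """\
object-group service FTP tcp
 port-object eq ftp
 port-object eq ftp-data
object network FTPServer
 host 192.168.20.18
object network WEBSERVER-1
 host 172.16.30.20
object network WEBSERVER-2
 host 172.16.30.21
object-group network WEBGROUP
 network-object object WEBSERVER-1
 network-object object WEBSERVER-2
access-list outside permit tcp any object FTPServer object-group FTP
access-list outside permit tcp any object-group WEBGROUP eq https
"""

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "http": 80, "https": 443, "ssh": 22}  # hypothetical subset
ANY = [ipaddress.ip_network("0.0.0.0/0")]

def port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def parse(text):
    """Return (network objects, network groups, service groups, ACE token lists)."""
    net_obj, net_grp, svc_grp, aces = {}, {}, {}, []
    cur = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if raw[0] != " ":                                  # new top-level statement
            if t[:2] == ["object", "network"]:
                cur = net_obj.setdefault(t[2], [])
            elif t[:2] == ["object-group", "network"]:
                cur = net_grp.setdefault(t[2], [])
            elif t[:2] == ["object-group", "service"]:     # t[3] is tcp or udp
                cur = svc_grp.setdefault(t[2], {"proto": t[3], "ports": []})["ports"]
            elif t[0] == "access-list":
                aces.append(t)
                cur = None
            continue
        if t[0] == "host":                                 # body lines of the current object/group
            cur.append(ipaddress.ip_network(t[1]))
        elif t[0] == "subnet":
            cur.append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
        elif t[0] == "network-object":                     # "object NAME", "host A" or "A MASK"
            cur.append(("object", t[2]) if t[1] == "object"
                       else ipaddress.ip_network(t[2] if t[1] == "host" else f"{t[1]}/{t[2]}"))
        elif t[0] == "port-object":                        # "eq P" or "range LO HI"
            cur.append((port(t[2]), port(t[2])) if t[1] == "eq" else (port(t[2]), port(t[3])))
    return net_obj, net_grp, svc_grp, aces

def resolve_addr(t, i, net_obj, net_grp):
    """Consume one address operand at t[i]; return (list of networks, next index)."""
    w = t[i]
    if w == "any":
        return ANY, i + 1
    if w == "host":
        return [ipaddress.ip_network(t[i + 1])], i + 2
    if w == "object":
        return list(net_obj[t[i + 1]]), i + 2
    if w == "object-group":                                # flatten nested object references
        nets = []
        for m in net_grp[t[i + 1]]:
            nets += net_obj[m[1]] if isinstance(m, tuple) else [m]
        return nets, i + 2
    return [ipaddress.ip_network(f"{w}/{t[i + 1]}")], i + 2

def expand(text):
    """Turn each ACE into (action, proto, src_nets, dst_nets, [(lo, hi) dst port ranges])."""
    net_obj, net_grp, svc_grp, aces = parse(text)
    rules = []
    for t in aces:
        action, proto = t[2], t[3]
        src, i = resolve_addr(t, 4, net_obj, net_grp)
        dst, i = resolve_addr(t, i, net_obj, net_grp)
        if i >= len(t):
            ports = [(0, 65535)]
        elif t[i] == "eq":
            p = port(t[i + 1])
            ports = [(p, p)]
        else:                                              # object-group <service group>
            g = svc_grp[t[i + 1]]
            if g["proto"] != proto:                        # the ASA rejects this mismatch at config time
                raise ValueError(f"service group {t[i + 1]} is {g['proto']}, ACE is {proto}")
            ports = g["ports"]
        rules.append((action, proto, src, dst, ports))
    return rules

def evaluate(rules, src_ip, src_port, dst_ip, dst_port, proto):
    """Walk the 5-tuple down the expanded ACL; src_port is carried but these ACEs only filter dst ports."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, ports in rules:
        if p in (proto, "ip") and any(s in n for n in src) and any(d in n for n in dst) \
                and any(lo <= dst_port <= hi for lo, hi in ports):
            return action
    return "deny"                                          # implicit deny

if __name__ == "__main__":
    rules = expand(SAMPLE_CONFIG)
    print(evaluate(rules, "10.1.1.5", 40000, "172.16.30.21", 443, "tcp"))   # permit via WEBGROUP
    print(evaluate(rules, "10.1.1.5", 40000, "172.16.30.21", 80, "tcp"))    # deny (only https allowed)
```

Expanding the group references is what makes the review meaningful: the ACE reads as "any to WEBGROUP eq https", but what the firewall enforces is the list of hosts inside the group at that moment, so a host later added to WEBGROUP is allowed by this ACE without the ACL itself ever changing.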