ASA Object-Group Access-Lists

In this lab you create three different service object groups using two different methods. I am wondering if there is a difference in the behavior between the two. I am guessing no. The first method seems to offer a bit more flexibility as it allows you to use it as a source or destination port. But to me they seem the same.

object-group service TELNET tcp
 port-object eq 23
!
object-group service TFTP udp
 port-object eq 69
!
object-group service OTHER_PORTS
 service-object tcp destination eq 21
 service-object udp destination eq 123
!
access-list VLAN29_INBOUND extended permit tcp object-group R2 object-group ALL_DESTINATIONS object-group TELNET
access-list VLAN29_INBOUND extended permit udp object-group R2 object-group ALL_DESTINATIONS object-group TFTP
access-list VLAN29_INBOUND extended permit object-group OTHER_PORTS object-group R2 object-group ALL_DESTINATIONS

I further simplified the ACL such that there is only one ACE. I feel it still meets all the requirements though.

I have read that in the lab it is best to perform ACLs in the least amount of lines possible.

ASA2(config-service-object-group)# show run object-group
object-group network R2
 network-object host 150.1.11.11
 network-object 136.1.29.0 255.255.255.0
object-group network SUBNET
 network-object 136.1.19.0 255.255.255.0
 network-object 136.1.26.0 255.255.255.0
object-group network R1_LOOPBACK0
 network-object 150.1.1.1 255.255.255.255
object-group service OTHER_PORTS
 service-object tcp destination eq ftp
 service-object udp destination eq ntp
object-group service TASK_SERVICES
 service-object object TELNET
 service-object object TFTP
 group-object OTHER_PORTS
object-group network ALL_DST
 group-object R2
 group-object SUBNET
object-group service TELNET-OBJ tcp
 port-object eq telnet
ASA2(config-service-object-group)# show run access-list
access-list VLAN49_IN extended permit object-group TASK_SERVICES object-group R2 object-group ALL_DST
ASA2(config-service-object-group)# show run object
object network R2-LO1
 host 150.1.11.11
object network VLAN29
 subnet 136.1.29.0 255.255.255.0
object service TELNET
 service tcp destination eq telnet
object service TFTP
 service udp destination eq tftp
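The quickest way to audit whether two object-group ACLs enforce the same policy is to expand every nested group and compare the flat rules. The resolver below is an added example, not code from the post or from Cisco; it parses both ACE syntaxes used above (protocol keyword plus a typed port-object group in the port slot, and a protocol-less service group in the protocol slot), treating both as destination-port matches as the ASA does. It assumes the name TFTP-OBJ for the post's `object-group service TFTP udp` (renamed so it does not collide with `object service TFTP`) and uses the post's ALL_DST in place of the undefined ALL_DESTINATIONS.

```python
PORTS = {"telnet": 23, "tftp": 69, "ftp": 21, "ntp": 123}
# Members copied from the post's config; "@NAME" marks a nested group-object /
# service-object object reference. Names that are assumptions are commented.
NETS = {
    "R2": ["150.1.11.11/32", "136.1.29.0/24"],
    "SUBNET": ["136.1.19.0/24", "136.1.26.0/24"],
    "ALL_DST": ["@R2", "@SUBNET"],
}
SVCS = {  # leaves are (protocol, port name); a port-object group carries its group's protocol
    "TELNET-OBJ": [("tcp", "telnet")],                # object-group service TELNET-OBJ tcp
    "TFTP-OBJ": [("udp", "tftp")],                    # assumed name for 'object-group service TFTP udp'
    "OTHER_PORTS": [("tcp", "ftp"), ("udp", "ntp")],  # service-object ... destination eq
    "TELNET": [("tcp", "telnet")],                    # object service TELNET
    "TFTP": [("udp", "tftp")],                        # object service TFTP
    "TASK_SERVICES": ["@TELNET", "@TFTP", "@OTHER_PORTS"],
}

def expand(name, table):
    # Recursively resolve a group name to its leaf members (order preserved).
    return [leaf for m in table[name]
            for leaf in (expand(m[1:], table) if isinstance(m, str) and m.startswith("@") else [m])]

def flatten_ace(line):
    """Return the set of (proto, src, dst, dport) rules one extended permit ACE matches."""
    t = line.split()
    i = t.index("permit") + 1
    if t[i] == "object-group":   # method 2: protocol-less service group in the protocol slot
        proto, svc, i = None, t[i + 1], i + 2
    else:                        # method 1: protocol keyword, port-object group in the port slot
        proto, svc, i = t[i], t[i + 6], i + 1
    src, dst = t[i + 1], t[i + 3]  # the two 'object-group NAME' pairs
    leaves = expand(svc, SVCS)
    if proto and any(p != proto for p, _ in leaves):
        raise ValueError(f"{svc} is not a {proto} group")  # the ASA rejects this mismatch
    return {(p, s, d, PORTS[port]) for p, port in leaves
            for s in expand(src, NETS) for d in expand(dst, NETS)}

def flatten_acl(lines):
    return set().union(*(flatten_ace(l) for l in lines))

ACL_THREE_ACES = [  # the post's first ACL, group names adjusted as noted above
    "access-list VLAN29_INBOUND extended permit tcp object-group R2 object-group ALL_DST object-group TELNET-OBJ",
    "access-list VLAN29_INBOUND extended permit udp object-group R2 object-group ALL_DST object-group TFTP-OBJ",
    "access-list VLAN29_INBOUND extended permit object-group OTHER_PORTS object-group R2 object-group ALL_DST",
]
ACL_ONE_ACE = ["access-list VLAN49_IN extended permit object-group TASK_SERVICES object-group R2 object-group ALL_DST"]

if __name__ == "__main__":
    a, b = flatten_acl(ACL_THREE_ACES), flatten_acl(ACL_ONE_ACE)
    print(len(a), "flat rules; identical policies:", a == b)  # 32 flat rules; identical policies: True
```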

Comments

  • Hi,

       The lab is trying to show you the different ways you can achieve the requirements. About this statement "I have read that in the lab it is best to perform ACLs in the least amount of lines possible.", I disagree. In the lab you do what you're told to do, nothing else.

    Regards,

    Cristian.

  • I figured you were just trying to show the different possibilities
    it just didn’t say that in the configuration explanation.

    Doing exactly what they ask makes sense. In your example you
    created an extra object group not required by the task :) ALL_DESTINATIONS. I just took
    it a step further to summarize everything into one set of object groups.

  • Hi,

       I changed the task requirements to match with the solution. In general, with the "Technologies Workbook", wording of the task is not that important, as the solution may just show multiple/different solutions just to show your options. In "Practice Labs", wording is very important, so the solution should match the task wording and requirements, plus fixing caveats which are NOT visible from the task requirements.

    Regards,

    Cristian.

  • Ok. I am treating the workbook just like a lab. Having taken the R&S lab 4 times I know I will get tripped up on wording, so I am trying to practice that.
