Activity Objective:
- Configure a service object group.
- Configure an ICMP-type object group.
- Configure a nested server object group.
- Configure an inbound ACL with object groups.
- Configure web and ICMP access to the inside host.
- Test and verify the inbound ACL.
RBB and FW1 are configured successfully; check from QEMU1 and QEMU2 that a telnet connection to RBB succeeds.
(image01)
pixfirewall# show nat dmz
match ip dmz host bastionhost outside any
static translation to 10.10.10.11
translate_hits = 6, untranslate_hits = 7
match ip dmz any outside any
dynamic translation to pool 1 (10.10.10.4)
translate_hits = 0, untranslate_hits = 0
match ip dmz any dmz any
dynamic translation to pool 1 (192.168.4.4)
translate_hits = 0, untranslate_hits = 0
match ip dmz any outside any
no translation group, implicit deny
policy_hits = 2
(image02)
Task 1: Configure a Service Object Group
Complete the following steps to configure a service group containing HTTP, FTP, and SSH.
pixP(config)# object-group service MYSERVICES tcp
pixP(config-service)# port-object eq www
pixP(config-service)# port-object eq ftp
pixP(config-service)# port-object eq ssh
pixP(config)# show run object-group
object-group service MYSERVICES tcp
port-object eq www
port-object eq ftp
port-object eq ssh
NOTE:
pixfirewall(config)# object-group ?
configure mode commands/options:
icmp-type: Specifies a group of ICMP types, such as echo
network: Specifies a group of host or subnet IP addresses
protocol: Specifies a group of protocols, such as TCP, etc
service: Specifies a group of TCP/UDP ports/services
Task 2: Configure an ICMP-Type Object Group
Create an ICMP-type object group named PING to assign a name to the group and enable the ICMP-type subcommand mode.
pixP(config)# object-group icmp-type PING
pixP(config-icmp)# icmp-object echo
pixP(config-icmp)# icmp-object echo-reply
pixP(config-icmp)# icmp-object unreachable
pixP(config-icmp)# exit
pixP(config)# show run object-group
Task 3: Configure a Nested Server Object Group
Complete the following steps to nest an object group within another object group. Create a network object group named HTTPSERVERS and add your bastion host to it.
pixP(config)# object-group network HTTPSERVERS
pixP(config-network)# network-object host 10.10.10.11
pixP(config-network)# exit
Create a network object group named ALLSERVERS.
pixP(config)# object-group network ALLSERVERS
pixP(config-network)# group-object HTTPSERVERS
Add the following servers to the ALLSERVERS group:
pixP(config-network)# network-object host 10.10.10.10 //insidehost
pixP(config-network)# network-object host 10.10.10.6
pixP(config-network)# network-object host 10.10.10.7
pixP(config-network)# show run object-group
Task 4: Configure an Inbound ACL with Object Groups
Complete the following steps to configure an inbound ACL to perform these functions:
- Allow inbound web traffic from a peer pod network to your bastion host.
- Allow inbound FTP traffic from a peer pod internal host to your bastion host.
pixP(config)# access-list ACLIN permit tcp 192.168.3.0 255.255.255.0 object-group HTTPSERVERS object-group MYSERVICES
pixP(config)# access-group ACLIN in interface outside
Now you can reach the bastion host over HTTP from the outside:
(image)
Task 5: Configure Web and ICMP Access to the Inside Host
pixP(config)# access-list ACLIN permit tcp any object-group ALLSERVERS eq www
pixP(config)# access-list ACLIN permit icmp any any object-group PING
pixP(config)# access-list ACLIN deny ip any any
pixP(config)# access-group ACLIN in interface outside
Create an ACL on the dmz interface to permit echo-replies from your bastion host back to the inside host. Without ICMP inspection the PIX does not track ICMP state, so the replies arriving on the dmz interface need their own ACL; note that as written this entry permits the PING types between any hosts crossing that interface, not only bastion-to-inside.
pixP(config)# access-list ACLDMZ permit icmp any any object-group PING
pixP(config)# access-group ACLDMZ in interface dmz
pixP(config)# show access-list
(image)
From the inside host, the following pings now succeed:
ping 192.168.3.1
ping 10.10.10.1
ping 192.168.4.2
(image)
Likewise, pings from the outside network receive replies.
Task 6: Test and Verify the Inbound ACL (as above).
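As an added example (not part of the lab write-up and not PIX code), the script below takes the object groups from Tasks 1-3 and the ACLIN lines from Tasks 4-5 exactly as entered, unrolls the object groups into flat access-list entries the way the PIX does when the ACL is applied (the expanded entries are what `show access-list` prints under each line), and then evaluates a few constructed packets against the result first-match. It makes two points the task text only implies: a nested group expands through its member groups, and everything not explicitly permitted falls to the trailing `deny ip any any`. The ACL parser handles only the address, port and ICMP-type syntax used in this lab, which is an assumption of the example.

```python
"""Unroll PIX object-group ACL lines into flat ACEs and evaluate packets first-match.
Added example, not PIX code. Groups and ACLIN lines are those built in Tasks 1-5;
the expansion mirrors what `show access-list` prints. Test packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# (type, name) -> members; a "group-object" member nests a group of the same type.
OBJECT_GROUPS = {
    ("service", "MYSERVICES"): ["eq www", "eq ftp", "eq ssh"],
    ("icmp-type", "PING"): ["echo", "echo-reply", "unreachable"],
    ("network", "HTTPSERVERS"): ["host 10.10.10.11"],
    ("network", "ALLSERVERS"): ["group-object HTTPSERVERS", "host 10.10.10.10",
                                "host 10.10.10.6", "host 10.10.10.7"],
}
PORT_NAMES = {"www": 80, "ftp": 21, "ssh": 22}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3}
ACLIN = [  # Tasks 4 and 5, in the order entered; first match wins
    "permit tcp 192.168.3.0 255.255.255.0 object-group HTTPSERVERS object-group MYSERVICES",
    "permit tcp any object-group ALLSERVERS eq www",
    "permit icmp any any object-group PING",
    "deny ip any any",
]

@dataclass
class ACE:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]  # None = any
    dport: Optional[int]  # TCP/UDP destination port or ICMP type; None = any

def _members(kind, name):
    """Flatten a group, recursing into nested group-objects."""
    out = []
    for m in OBJECT_GROUPS[(kind, name)]:
        out.extend(_members(kind, m.split()[1]) if m.startswith("group-object ") else [m])
    return out

def _addrs(tok, i):
    """any | host A | A MASK | object-group NETGRP -> ([networks], next index)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return [n for m in _members("network", tok[i + 1]) for n in _addrs(m.split(), 0)[0]], i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)], i + 2

def _ports(tok, i):
    """Optional eq NAME|NUM or object-group SVCGRP. The PIX tells a service group
    from a network group by the group's type, not its position, so a network
    group at this point is left for _addrs to consume as the destination."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return [PORT_NAMES[p] if p in PORT_NAMES else int(p)], i + 2
    if i < len(tok) and tok[i] == "object-group" and ("service", tok[i + 1]) in OBJECT_GROUPS:
        return [p for m in _members("service", tok[i + 1]) for p in _ports(m.split(), 0)[0]], i + 2
    return [None], i

def _icmp_types(tok, i):
    """Optional ICMP type name or object-group ICMPGRP after the destination."""
    if i >= len(tok):
        return [None], i
    if tok[i] == "object-group":
        return [ICMP_TYPES[t] for t in _members("icmp-type", tok[i + 1])], i + 2
    return [ICMP_TYPES[tok[i]]], i + 1

def expand_ace(line: str) -> List[ACE]:
    """One access-list line -> the flat ACEs the PIX installs for it."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    srcs, i = _addrs(tok, 2)
    sports, dports = [None], [None]
    if proto in ("tcp", "udp"):
        sports, i = _ports(tok, i)
    dsts, i = _addrs(tok, i)
    if proto in ("tcp", "udp"):
        dports, i = _ports(tok, i)
    elif proto == "icmp":
        dports, i = _icmp_types(tok, i)
    return [ACE(action, proto, s, d, sp, dp)
            for s in srcs for sp in sports for d in dsts for dp in dports]

def expand_acl(lines) -> List[ACE]:
    return [ace for line in lines for ace in expand_ace(line)]

def lookup(aces, proto, src, dst, dport=None, sport=None):
    """First-match evaluation, as on an interface with access-group applied.
    dport is the TCP/UDP destination port, or the ICMP type when proto is icmp."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst \
                and ace.sport in (None, sport) and ace.dport in (None, dport):
            return ace.action
    return "deny"  # implicit deny at the end of every PIX ACL

if __name__ == "__main__":
    aces = expand_acl(ACLIN)
    for a in aces:
        print(a.action, a.proto, a.src, a.dst, a.dport)
    print(f"{len(ACLIN)} lines -> {len(aces)} ACEs")
```

Running it shows the four ACLIN lines become eleven flat entries (3 for the MYSERVICES ports to the bastion host, 4 for www to the members of ALLSERVERS including the nested HTTPSERVERS host, 3 for the PING types, plus the deny). FTP from the peer pod to the bastion host is permitted, FTP from any other source is caught by the final deny, and an ICMP timestamp request (type 13) is denied because PING lists only echo, echo-reply and unreachable.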
Summary:
1. Object grouping essentials.
+ Standard ACLs are fine for a few hosts, services, and servers.
+ In large deployments, the number of ACL entries can grow exponentially.
+ Object grouping simplifies ACL creation.
+ Proper grouping can condense a policy of 3000+ access-list entries down to a few hundred.
+ Applying an object group to a command applies the command to each element of the group.
2. Object group configuration.
+ Grouping PIX objects:
Networks/hosts --> inside-hosts/inside-sales.
Protocols (TCP/UDP) --> dmz-protocol.
Services (https/ftp) --> outside-services.
ICMP (echo/echo-reply) --> ping.
3. Nested object groups.
You can group objects in nested groups.
Nested groups are applied to ACLs and must be of the same type: network/host, service, or protocol.
Hierarchical grouping gives scalability, flexibility, and modular design.
4. Malicious active code filtering.
+ Lets you stop inside hosts from downloading Java applets.
+ Such downloads are probably banned in the written security policy because of the threat to corporate data.
+ Can block per client or per IP address.
+ The PIX searches for the Java class-file signature "cafe babe" (0xCAFEBABE).
+ The PIX can also block all ActiveX controls.