Cisco Firewall :: Using Object-Groups For Easy Maintain ASA 5520 Configurations
Sep 19, 2011
After reading the post titled "ASA 5520 nat access-list query for internet access" I realized the object-group command could and should be used to make a more efficient and cleaner configuration. My current environment is very small and straight forward consisting of one FTP server in the DMZ. Though the guide: [URL] is straight forward, my inexperience hinders me from seeing how to use the commands effectively. A summary of the configuration is at the bottom of this post
Question: How can I clean up my current configuration? I have two references to the same server, dmz-rdp and dmz-ftp, created for port forwarding ports 3389 and ftp through the outside interface. I can combine them into one object statement, right? for each port I want to forward through the outside interface?
Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':
object-group network test network-object 192.168.0.0 192.168.63.255 ? network-object-group mode commands/options: A.B.C.D Enter an IPv4 network mask sh run ob id test object-group network test network-object 192.168.0.0 192.168.63.255
I found that in the documentation it requires a netmask as oppose to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range it looks like the ASA doesn't read that configuration properly.
Is it possible somehow to define externally administred DNS namese in ASA 8.4 in within object groups?i know that we can use name XXX, but some idea popped up using this kind of configuration.
I have an ASA5510 where I have defined object-groups and then associated them with a specific ACL. Our ISP is pulling their point of presence from where I live and I am force to move to a new ISP. I am in the process of setting up another interface for the ASA5510 to connect to the new ISP.
My questions is can I create a new ACL lets call it new_access_in and use it with the same object groups that I have already defined? I know that I can only have one ACL bound to an interface, and will bind this new ACL to the new interface I am setting up, but I wasn't sure if I could use the same object groups and connect them to a different ACL. I really don't want to have to create new object groups if I don't have to.
I have an ASA 5510 and have just started using object-groups which are super handy in theory, but not working in reality. I have a service object-group with a mix of tcp, icmp, and udp ports. Let's call it Sample_Port_Group. I'm trying to apply it to my dmz_access_in ACL. Here's the line giving me problems:
access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 any
The asa throws up an error between 192.168.1.1 and any. When I put up a ? after Sample_Port_Group, it gives me the option of putting in an IP address, any, etc. When I put in a ? after 192.168.1.1, it only gives me the option of putting in an IP address.URL
Those posts gave me the impression my line was possible, especially the "access-list outsideacl extended permit object-group myaclog interface inside any" line, which is at the end of the 2nd article linked.
We are facing the problem in ASDM 5.x creates duplicate network object groups in the configuration when PIX with software 7.0.7 is used. Audit report its showing below commands :
I have an issue with the LMS 4.0, i added manually the ASA Fws 5520 and 5510, and i see them there, but i cannot see the configuration, inventory and technology details.Telnet is deactivaved in ASA´s, ssh and snmp v3 are enabled.Routers and switches were added without issues.
I have one ASA5520 with version 8.4(3), and a few ACL rules defined. One ACL is permit traffic from one interface(EXT_SERVICE) to another interface(DMZ_SERVICE), if i change that rule to deny traffic, all new connections that match the rule is denied, but no the established connectios. ¿Why the established connections can pass the deny rule? ¿How I can change that? I need create a ACL with deny type and stop all comunications that is running and match the deny rule.
Running-config of my ASA5520:
ciscoasa# show run : Saved : ASA Version 8.4(3) ! hostname ciscoasa enable password 8ay2wjIyt7RRXU24 encrypted passwd 2wFQnbNIdI.2KYtU encrypted names ! interface GigabitEthernet0/0 [Code] ........
I'm migrating our network objects from our current firewall to a new ASA 5520 configuration. I'm using ASDM 6.4 for configuration.
We have a range of IP addresses for hosts that we need to add to a firewall rule/ACL. In the previous FW software I could create an object that was a range of IP address. For example there is an object called emailservers that is defined as 192.168.2.25-192.168.2.50.
Is there a way to do a similar thing on the ASA 5520?
I can see how to create subnets, but in this case I only have a range of IP addresses, no subnet mask.
Any way of doing named objects or object groups for ACLs on the ASRs? (1000 series in this case.) I'm setting up an ASR with a zone-based firewall and writing out all the addresses, ports and protocols for the ACLs associated with the various zones is creating huge, unwieldy ACLs in the config.
I have started to use ip extended access-lists on several 3750X-switches to filter inbound and outbond traffic on the VLANs. But it seems that the use of object-groups is not supported, is this correct? Is it really no way to group different ip-addresses into groups and then use these groups in the access-lists?
it is possible to create a Windows Active Directory group of users which I can use to permit access through the ASA (5520) firewall? I only can find vpn authentication with Radius but nog specific information about granting AD groups internet access via the ASA.
it is possible to create a Windows Active Directory group of users which I can use to permit access through the ASA (5520) firewall? I only can find vpn authentication with Radius but nog specific information about granting AD groups internet access via the ASA.
Is it possible with ASAVPNSERVER 5520 and an EasyVPN 5505 Client to have the client do split tunnel to a single public IP address? Both devices are on 8.2(5) 33. Could you possible provide sample config for split tunnel?
is there a easy to install SSL certificate on ASA, rather than enroll with a public CA? ASDM has a place to import certificates. Can I just upload a SSL certificate I got from my CA to ASA, withou setup CA enrollment? And if yes, how can I generate a SSL certificate request from my ASA 8.2?
I created some User Defined Groups in LMS 4.1, now I want to apply certain fault notification groups to Event Sets.
Unfortunately the Groups I configured are not in the Group Selector of the Fault Notification Group: Admin > Network > Notification and Action Settings > Fault Notification Group
We have an ASA5505 that we need to enable hairpinning on.... In the old firmware versions, we used to be able to configure a public to private static mapping along with hairpinning by using
however, since object nat only allows a single nat statement, I was attempting to use a twice nat to enable the hairpin functionality, but have been unsuccessful in coming up with the right combination of parameters for the functionality.
allows hairpinning to successully work from the same machine. Meaning on any given host, I can ping itself using the private or public ip, but I can't get the right combination for hairpinning from any private host to another private host via the public ip. Other combinations have yielded icmp responses, however, they specify the private IP as the source of the reply instead of the public ip.
There is something wrong with the ordering of our NAT-rules.We are running ASA Version 8.4(2)8 and the nat config is pasted below.
I want outgoing smtp-traffic to be translated to xxx.yyy.zzz.18, but instead it's translated to xxx.yyy.zzz.20 (the outside-interface address).The same goes for ftp-traffic, according to packettracer this is also translated to the xxx.yyy.zzz.20.
Ciscos manual states that static nat rules takes precedence over dynamic nat but that doesn't seem to work for us. [code]
I have this firewall working as active/standby. Everything seemed to be ok, but we noticed that confirgurations are not being replicated by saving configuration either copy run start or write. The workaround here is write standby command. Below the configs and stats, plus the show version, which is the same in both equipments:
I have an ASA 5505 without any IPS module.While copy/pasting some configurations from another 5510 with IPS I copied my mistake the some of the IPS configurations part. Now I can't remove it.When ASA starts I get this Warning:
...WARNING> IPS policy is configured without an SSM card. *** Output from config line 828, " ips inline fail open"
Those lines are:
policy-map Outside_Policy class IPS_class ips inline fail-open
When I try to do "no ips inline fail-open" I get an "invalid input detected".If I try a no class IPS_class I get that is being in use.What can I do to clean up those lines?
I'm trying to move some configurations over to an ASA5510 and some of the commands are a bit different than I'm used to (worked on old pix before)
I've configured the following on the device: Outside interface: 65.66.64.34/28 DMZ : 65.66.64.49/28 Inside : 10.2.3.3/26 ===========================
The current firewall has the below configured on it (old Juniper)
10.2.3.0/24 gateway 10.2.3.15 **10.2.3.15 is the IP for 3750 switch on the inside LAN** 10.0.0.0/24 gateway 10.2.3.4 **10.12.175.4 internal vpn- will remove later but thats a different discussion** 0 0 gateway 65.66.64.33 **to internet 10.0.1.0 gateway 10.2.3.2 **10.2.3.2 represents mpls traffic
[code]...
The current set up for this network has an mpls router and a vpn concentrator as part of the network my aim currently is to replace the juniper with an asa5510 the changing of the vpn tunnels will be for a different time:
work station ===> switch (3750) DG to =====> MPLS (vendor owned and managed) ====> non mpls traffic ====> vpn concentrator ===>firewall ===> router
The above will need acls to go with the routes, which I should manage ok just want to make sure the routing is configured properly
I have recently upgraded my ASA 5510 to 8.3 code and honestly I am confused on the best and most efficient way to do many nat translations through it. I have a group of about 100 IP's that need http/https/and sqlnet allowed through for our web farm.
I have a text file with the real and translated IP addresses and in 8.2 I could simply modify it and dump the thing in and make the NAT rules and access-lists. Now with the new object based model I am having a hard time wrapping my brain around how to do this using as few lines of code as possible.
Do I have to create an network object for each and every IP i want to nat through?
I just tried to do a quick privilege level setup for a user to limit access to asa. User should be able to add nat's to configuration.ASA 8.4 is in question and trying the following does not seem to work:
privilege configure level 3 command object,gives me ,ERROR: specified command 'object' not found in any mode.It looks like localy this cannot be done or I am doing something wrong?
We have Cisco ASA 5510, I am about to add another 2 Objectgroup network groups on the firewall to our already growing list. Under this Object-group Network xxxx , we are planning to add about about 500 network-object host xxx.xxx.xxx.xxx . This objectgroup will then be applied to an ACL. Just wanted to know if thats possible - meaning addnig 500 hosts? If it is whats the limit?
Also are there any other things to keep in mind before i go-ahead with this huge object group?
We are in the process of migrating to the ASA service modules on both our 6509E switches from our current FWSM. We have used the Cisco conversion tool and applied that to the service module. When viewing the context in ASDM we are unable to view the object names in the right hand pane.
On the FWSM I would see the following under Network Objects:
Network Objects - JQ-Test - JQ-Test2 - JQ-Test3
Network Object Group + JQ Group - JQ-Test - JQ-Test2 - JQ-Test3
Now I have run the conversion tool and applied that to the ASA's I now get the following results.
Network Objects - 10.1.1.1 - 10.2.2.2 - 10.3.3.3
Network Object Group + JQ Group - 10.1.1.1 - 10.2.2.2 - 10.3.3.3
I am aware that the naming convention on the ASA's are different to the FWSM as you can no longer use the "name 1.1.1.1 JQ-Test1" format but I was hoping that the conversion tool would do this for me.
Is there any way I can get the names of the object back without having to script something that takes the old FWSM format and convert it into an ASA format?
I am trying to migrate checkpoint configs to ASA 5585 using SCT tool, this tool asking me to feed it *.W file from checkpoint which is suppose to be a rule definition file on CP, but I cant find it
I have a 5540, and i am trying to allow access to internet for an specific network object group, who has inside a bunch of users, who needs direct internet access without any restrictions, i have tried with dynamic NAT, but that configuration ask for a specific IP o a Network range, and is not permitted to configure an object group as a source
The group is located in LAN zone, so a permission from one zone to another zone is needed i think, but i can allow the internet acess to that group Is there another way to get that , different from NAT ?
this is ASA5520 associate with 8.4(1). very simple scenario , three ports: inside . outside . DMZ my problem is how to use network object NAT to perform Regular Dynamic PAT and Identity NAT.
for example, this is my configuration
**** first i configured Regular Dynamic PAT****
object network myinside subnet 10.200.11.0 255.255.255.0 nat (inside,outside) dynamic interface **** then , i met problem when i want to make identity NAT between inside and DMZ**** **** if i add below CLI , the first nat line will be replaced **** **** SO IF I ADD THIS****
how to change the order of the groups that are displayed at the SSL VPN sign in page? I am using an ASA-5520. Right now the anyconnect client group displays above the clientless SSL intranet group and I want it reversed.
when I migrated the ASA config from 8.2 to 8.3, in all groups the group members has been replaced by the IP address object. However, the "name" for this object has been migrated, but there is the "object network name" configuration missing.
What I can do now is that I can open the new created object in the ASDM, search for the object with this IP address and then enter the object name I had before. When I apply the config, ASDM then creates the object and replaces all affected objects in all groups, by replacing the object group memeber "network-object host hostname" with "network-object object hostname".
Do you know if there exists an automated way, which checks all the groups for members "network-object host", creates the "object network" and replaces the "network-object hosts" with "network-object object" within the group? As long we have a lot of groups which contains partially > 50 members?
How would I go about configuring RADIUS based AAA for remote access VPN users? I have an OSX RADIUS server and an ASA 5510
(I want to keep console and SSH using LOCAL, so I keep this: "aaa authentication ssh console LOCAL", right?)What does the rest of the config look like to get RADIUS based AAA for remote access VPN users?
