Configure Cisco ASA Object Group for Access-List
Cisco ASA Object Group is a feature that allows you to group multiple objects together and use them in Access Control Lists (ACLs). This can help simplify and organize your ACL configuration, as well as make it easier to modify and maintain.
Imagine you have to manage a Cisco ASA firewall with hundreds of hosts and dozens of servers behind it, where each of these devices requires access-list rules that permit or deny its traffic. With that many devices you will have a lot of access-list statements, and reading, understanding and updating the access-list can become an administrative nightmare.
Here is a detailed procedure for creating and using an ASA Object Group for an Access-List:
- Define the objects that you want to include in the Object Group. These can be IP addresses, network ranges, or protocol and port combinations. For example, you might create an Object Group called “Web_Servers” that includes the IP addresses of all your web servers.
- Use the “object-group” command to create the Object Group and specify the type of objects it will contain. For example, the following command creates an Object Group called “Web_Servers” that contains IP addresses:
object-group network Web_Servers
- Use the “network-object” command to add objects to the Object Group. For example, the following commands add two host addresses to the “Web_Servers” Object Group:
network-object host 10.1.1.10
network-object host 10.1.1.11
- Use the “access-list” command to create an Access Control List that references the Object Group. For example, the following command creates an ACL called “ACL_Web_Servers” that permits IP traffic from any member of the “Web_Servers” Object Group to any destination:
access-list ACL_Web_Servers extended permit ip object-group Web_Servers any
- Apply the ACL to an interface or security zone using the “access-group” command. For example, the following command applies the “ACL_Web_Servers” ACL to the outside interface:
access-group ACL_Web_Servers in interface outside
That’s it! You have now created and applied an ASA Object Group for an Access-List.
Here is an example of the complete configuration:
object-group network Web_Servers
 network-object host 10.1.1.10
 network-object host 10.1.1.11
access-list ACL_Web_Servers extended permit ip object-group Web_Servers any
access-group ACL_Web_Servers in interface outside
With this configuration, all traffic from the IP addresses 10.1.1.10 and 10.1.1.11 will be allowed through the outside interface. If you want to add or remove an IP address from the Object Group, you can simply use the “network-object” command to modify the Object Group, rather than having to update the ACL directly.
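Because a single Object Group can be referenced from several ACL entries, the question a practitioner usually has before editing one is "what does this ACL actually permit, and which ACLs change if I touch this group?" The following Python script is an added example, not part of the original article and not a Cisco tool: it parses a small, constructed running-config fragment in the syntax shown above (object-group network, network-object host/subnet, access-list extended, access-group), expands every object-group reference into the concrete source/destination pairs the ACL permits, and lists the ACLs that reference a given group. Only those command forms are handled; nested groups (network-object object NAME) and service groups are outside its scope.

```python
"""Expand Cisco ASA object-group references into the concrete rules an ACL permits.

Added example for auditing object-group based ACLs. The configuration below is
constructed for illustration and is not taken from a real device.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample running-config fragment (assumed, not from the article)
SAMPLE_CONFIG = """\
object-group network Web_Servers
 network-object host 10.1.1.10
 network-object host 10.1.1.11
 network-object 10.1.2.0 255.255.255.0
access-list ACL_Web_Servers remark Web tier to anywhere
access-list ACL_Web_Servers extended permit tcp object-group Web_Servers any eq 443
access-list ACL_Web_Servers extended permit ip object-group Web_Servers any
access-group ACL_Web_Servers in interface outside
"""


def parse_object_groups(config: str) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Collect 'object-group network' blocks into name -> list of networks."""
    groups: Dict[str, List[ipaddress.IPv4Network]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object-group network "):
            current = line.split()[2]
            groups[current] = []
        elif line.startswith("network-object ") and current is not None:
            parts = line.split()
            if parts[1] == "host":
                groups[current].append(ipaddress.ip_network(parts[2] + "/32"))
            else:
                # "network-object ADDRESS MASK": ipaddress accepts dotted masks
                groups[current].append(
                    ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif not raw.startswith(" "):
            current = None  # any non-indented line ends the current block
    return groups


def _resolve(tokens: List[str], groups: Dict[str, List[ipaddress.IPv4Network]]):
    """Consume one address operand; return its members and the remaining tokens."""
    head = tokens[0]
    if head == "any":
        return ["any"], tokens[1:]
    if head == "host":
        return [str(ipaddress.ip_network(tokens[1] + "/32"))], tokens[2:]
    if head == "object-group":
        return [str(n) for n in groups[tokens[1]]], tokens[2:]
    # bare "ADDRESS MASK" operand
    return [str(ipaddress.ip_network(f"{head}/{tokens[1]}", strict=False))], tokens[2:]


def expand_acl(config: str, acl_name: str) -> List[Tuple[str, str, str, str]]:
    """Return (action, protocol, source, destination [port]) with groups expanded."""
    groups = parse_object_groups(config)
    rules = []
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[1] != acl_name:
            continue
        tokens = parts[2:]
        if tokens[0] == "remark":
            continue  # comments carry no rule
        if tokens[0] == "extended":
            tokens = tokens[1:]
        action, proto = tokens[0], tokens[1]
        sources, rest = _resolve(tokens[2:], groups)
        dests, rest = _resolve(rest, groups)
        port = " ".join(rest)  # e.g. "eq 443", empty when absent
        for src in sources:
            for dst in dests:
                rules.append((action, proto, src, f"{dst} {port}".strip()))
    return rules


def acls_referencing(config: str, group_name: str) -> List[str]:
    """Names of ACLs with at least one entry that references the given group."""
    names: List[str] = []
    for raw in config.splitlines():
        parts = raw.split()
        if parts[:1] != ["access-list"]:
            continue
        for i, tok in enumerate(parts[:-1]):
            if tok == "object-group" and parts[i + 1] == group_name and parts[1] not in names:
                names.append(parts[1])
    return names


if __name__ == "__main__":
    for rule in expand_acl(SAMPLE_CONFIG, "ACL_Web_Servers"):
        print(" ".join(rule))
    print("ACLs using Web_Servers:", acls_referencing(SAMPLE_CONFIG, "Web_Servers"))
```

Run against the output of `show running-config object-group` and `show running-config access-list` to see the effective rule set before and after a group change; on the ASA a change to an Object Group takes effect immediately in every ACL that references it, so acls_referencing is the check to run before editing one.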