Saturday, May 21, 2011

Simplify Cisco ASA Administration with Object-Groups

Any network administrator or network engineer is routinely tasked with auditing access-lists and modifying them to match business requirements that change often. With regulatory organizations bearing down, and compliance with their regulations becoming more and more difficult, the amount of access-list auditing, modification, and deployment can quickly get out of control. Even with all of those regulations to deal with, access-list maintenance doesn't have to be the nightmare many network administrators and network engineers have come to know. This is where object-groups come into play. They are not new (they were introduced in PIX code 6.2), but many veteran engineers have simply not caught on because they are set in their ways.

In the Cisco ASA, an object-group lets you group hosts, networks, protocols, and services into logical units. An access-list entry that references an object-group applies to every object in that group, so with a disciplined object-group methodology you can have an access-list that is 100 lines long in your running-config but several hundred, or even thousands, of lines long once the object-groups are expanded to the full access-list, that is, the access-list as it would appear without object-groups. Keep in mind that by default the ASA still expands the groups into individual entries internally, so object-groups shrink what you have to read and maintain, not the number of entries the firewall stores and evaluates.

Let's start by defining a few different object groups.

Using an object-group of the network type you can group hosts and/or networks into one logical group. Here is an example:

object-group network EMAIL-SERVERS
network-object host 1.2.3.4
network-object 5.0.0.0 255.255.0.0

object-group network INSIDE-SUBNETS
network-object 10.20.0.0 255.255.0.0
network-object 10.30.0.0 255.255.0.0

Using an object-group of the protocol type you can group different protocols into one logical group. Here is an example I occasionally use:

object-group protocol TCP-UDP
protocol-object tcp
protocol-object udp

Using an object-group of the service type you can group destination ports into one logical group of services. In the port-object form shown here the group is tied to a protocol (tcp, udp, or tcp-udp) on the object-group line itself, and the access-list entry that uses the group supplies a matching protocol. Here is a good example:

object-group service EMAIL-SERVICES tcp
port-object eq 25
port-object eq 110
port-object eq 143
port-object eq 465
port-object eq 587
port-object eq 993
port-object eq 995

Now that we have a few object-groups defined we can demonstrate the configuration of a couple of access-lists. Here are a couple of examples:

access-list Outside_access_in extended permit tcp any object-group EMAIL-SERVERS object-group EMAIL-SERVICES

access-list Inside_access_in extended permit object-group TCP-UDP object-group INSIDE-SUBNETS any eq 53

The above configurations demonstrate the way the access-list is defined, which is also the way it is shown in the running-config and startup-config. Now that you have seen how these access-lists are defined, it is time to see what the expanded view looks like so you can realize the full potential of using object-groups in your access-lists.

#show access-list Outside_access_in
access-list Outside_access_in extended permit tcp any object-group EMAIL-SERVERS object-group EMAIL-SERVICES
access-list Outside_access_in line 1 extended permit tcp any host 1.2.3.4 eq 25
access-list Outside_access_in line 1 extended permit tcp any 5.0.0.0 255.255.0.0 eq 25
access-list Outside_access_in line 1 extended permit tcp any host 1.2.3.4 eq 110
access-list Outside_access_in line 1 extended permit tcp any 5.0.0.0 255.255.0.0 eq 110
access-list Outside_access_in line 1 extended permit tcp any host 1.2.3.4 eq 143
access-list Outside_access_in line 1 extended permit tcp any 5.0.0.0 255.255.0.0 eq 143
access-list Outside_access_in line 1 extended permit tcp any host 1.2.3.4 eq 465
access-list Outside_access_in line 1 extended permit tcp any 5.0.0.0 255.255.0.0 eq 465
access-list Outside_access_in line 1 extended permit tcp any host 1.2.3.4 eq 587
access-list Outside_access_in line 1 extended permit tcp any 5.0.0.0 255.255.0.0 eq 587
access-list Outside_access_in line 1 extended permit tcp any host 1.2.3.4 eq 993
access-list Outside_access_in line 1 extended permit tcp any 5.0.0.0 255.255.0.0 eq 993
access-list Outside_access_in line 1 extended permit tcp any host 1.2.3.4 eq 995
access-list Outside_access_in line 1 extended permit tcp any 5.0.0.0 255.255.0.0 eq 995


#show access-list Inside_access_in
access-list Inside_access_in extended permit object-group TCP-UDP object-group INSIDE-SUBNETS any eq 53
access-list Inside_access_in line 1 extended permit tcp 10.20.0.0 255.255.0.0 any eq 53
access-list Inside_access_in line 1 extended permit udp 10.20.0.0 255.255.0.0 any eq 53
access-list Inside_access_in line 1 extended permit tcp 10.30.0.0 255.255.0.0 any eq 53
access-list Inside_access_in line 1 extended permit udp 10.30.0.0 255.255.0.0 any eq 53

As you can see, object-groups let you create access-lists that scale with your changing business needs. If we now decide to deploy a new email server, all we have to do is add that host, or subnet, to the appropriate object-group and the Cisco ASA performs the rest of the work: the access-list is automatically expanded to include the new host, all with one simple addition. Be aware that this cuts both ways. A change to a group takes effect in every access-list that references it, so before adding a member check which access-lists use the group (for example with show running-config access-list | include GROUP-NAME) and afterwards confirm with show access-list that the expanded result is exactly what you intended to permit.
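The expansion the ASA performs can be reproduced offline, which is handy when auditing a configuration you cannot load onto a firewall, or when estimating how many entries a new group member will add before you commit it. The following Python script is an added example, not code from the original post or from Cisco. Its configuration text is constructed to mirror the object-groups and access-lists above (with the service group written in its port-object form, bound to tcp), and the parser handles only that subset of ASA syntax, so it is an auditing aid rather than a replacement for show access-list on the device itself.

```python
"""Expand Cisco ASA object-group references into the flat entries the ASA
builds internally (what `show access-list` prints).

Added example, not code from the original post. ASA_CONFIG is constructed to
mirror the post's object-groups and access-lists. The parser handles only the
subset of syntax used there: network-object (host / subnet), protocol-object,
port-object (eq / range), and extended ACEs whose protocol, source,
destination and destination port are literals or object-group references.
"""
import itertools
import re

ASA_CONFIG = """\
object-group network EMAIL-SERVERS
 network-object host 1.2.3.4
 network-object 5.0.0.0 255.255.0.0
object-group network INSIDE-SUBNETS
 network-object 10.20.0.0 255.255.0.0
 network-object 10.30.0.0 255.255.0.0
object-group protocol TCP-UDP
 protocol-object tcp
 protocol-object udp
object-group service EMAIL-SERVICES tcp
 port-object eq 25
 port-object eq 110
 port-object eq 143
 port-object eq 465
 port-object eq 587
 port-object eq 993
 port-object eq 995
access-list Outside_access_in extended permit tcp any object-group EMAIL-SERVERS object-group EMAIL-SERVICES
access-list Inside_access_in extended permit object-group TCP-UDP object-group INSIDE-SUBNETS any eq 53
"""

MEMBER_KEYWORDS = ('network-object', 'protocol-object', 'port-object')
IPV4 = re.compile(r'\d+\.\d+\.\d+\.\d+')


def parse_config(text):
    """Return (groups, acls): group name -> member strings, ACL name -> ACE lines."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == 'object-group':
            # object-group <type> <name> [tcp|udp|tcp-udp]; the trailing protocol
            # is what the classic port-object style of service group requires.
            current = groups.setdefault(parts[2], [])
        elif parts[0] in MEMBER_KEYWORDS:
            if current is None:
                raise ValueError(f'member outside an object-group: {raw.strip()}')
            current.append(' '.join(parts[1:]))   # e.g. 'host 1.2.3.4', 'eq 25'
        elif parts[0] == 'description':
            continue                              # allowed inside a group
        elif parts[0] == 'access-list':
            current = None
            acls.setdefault(parts[1], []).append(' '.join(parts))
        else:
            current = None
    return groups, acls


def _field(tokens, i, groups):
    """Read one ACE field at tokens[i]; return (literal alternatives, next index)."""
    tok = tokens[i]
    if tok == 'object-group':
        return list(groups[tokens[i + 1]]), i + 2   # KeyError = undefined group
    if tok in ('any', 'any4', 'any6'):
        return [tok], i + 1
    if tok == 'host':
        return [f'host {tokens[i + 1]}'], i + 2
    if tok == 'range':
        return [' '.join(tokens[i:i + 3])], i + 3
    if tok in ('eq', 'neq', 'lt', 'gt'):
        return [f'{tok} {tokens[i + 1]}'], i + 2
    if IPV4.fullmatch(tok):
        return [f'{tok} {tokens[i + 1]}'], i + 2    # network + mask
    return [tok], i + 1                             # protocol keyword


def expand_ace(line, groups):
    """Expand one 'access-list NAME extended ACTION ...' line into literal ACEs."""
    tokens = line.split()
    name, action = tokens[1], tokens[3]
    fields, i = [], 4
    while i < len(tokens):
        alternatives, i = _field(tokens, i, groups)
        fields.append(alternatives)
    # Vary the last field slowest so the order matches the show access-list
    # output above (every destination for port 25, then every one for 110, ...).
    return [f'access-list {name} extended {action} ' + ' '.join(reversed(combo))
            for combo in itertools.product(*reversed(fields))]


def expand_acls(groups, acls):
    """Expand every ACL; the list lengths are the element counts the ASA stores."""
    return {name: [ace for line in lines for ace in expand_ace(line, groups)]
            for name, lines in acls.items()}


if __name__ == '__main__':
    groups, acls = parse_config(ASA_CONFIG)
    for name, aces in expand_acls(groups, acls).items():
        print(f'access-list {name}; {len(aces)} elements')
        print('\n'.join('  ' + ace for ace in aces))
    # One group change widens every ACE that references the group.
    groups['EMAIL-SERVERS'].append('host 1.2.3.5')
    print('after adding host 1.2.3.5:',
          len(expand_acls(groups, acls)['Outside_access_in']), 'elements')
```

Run it against a saved running-config (after trimming it to the object-group and access-list lines) and compare the element counts with what show access-list reports on the device; a mismatch usually means the config uses syntax the script does not handle, such as nested group-object members or the newer service-object form, and should be read as a prompt to look at that ACL by hand rather than as a firewall problem.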

That about sums it up.

As always, Custom Computing Solutions, LLC. can help you with any of your network administration and network engineering needs!

Custom Computing Solutions, LLC.
http://computingsolutionskc.com
816.427.1117

Friday, January 28, 2011

Computing Solutions KC excels in data recovery for businesses

At Custom Computing Solutions we understand the value of a computer to a business.  Computers are marvelous machines and they allow us to quickly perform tasks in a fraction of the time the same task took us 20 years ago.  While there are a wide array of games to play, and funny websites to visit, the value of a computer is in its business use.  Businesses have grown to rely on their computing infrastructure because of the agility it provides in servicing customers.  I think we all understand that losing a computer can be annoying and sometimes costly to fix, but the REAL cost of broken computers in small businesses is the inability to access the data stored on those computers.  When you have a broken computer, it is important that you seek the help of a qualified computer technician to repair the machine so you don't suffer the most costly situation of all - a loss of valuable data.  At Custom Computing Solutions we put the preservation of valuable data at the top of our list of priorities when we repair your computers.  Whether we are upgrading individual hardware components, or completely wiping the hard drive to start off with a brand new installation of Windows, we will make sure we retrieve your valuable data for you first.  We want the repair process to be as seamless as possible for you, so when you get your computer back from us, all your files are exactly where you left them!

In addition to recovering and preserving your data during routine repairs, we can also recover files you have deleted or lost! When you've deleted files that you later find that you need, you can bring your computer to our data recovery lab to be recovered. If you need data recovered from your hard drive, it is extremely important you stop using your computer as soon as you are aware you need files professionally recovered. Continuing to use your computer after a data loss event minimizes our chances of a successful recovery, and we all know that the DATA is the most valuable part of the computer!!

Joe Doran
Custom Computing Solutions, LLC.

Thursday, January 6, 2011

8 Must Have Upgrades for 2011

The new year is here, and now is a great time to start performing some computer upgrades to get you through the year.

1. A custom built computer
The number one upgrade for personal and business computing in 2011 is a new desktop, laptop, or workstation. My favorite option for getting a shiny new computer is to have one custom built to fit my needs. Doing this will minimize your costs, maximize your performance, protect your investment, and put a huge smile on your face. With all the new software coming out a new computer will provide the biggest bang for your buck.

2. RAM
RAM upgrades are one of the easiest and least expensive ways to increase your computer's longevity and performance. With more RAM available to your software, your computer won't struggle as much to find the data it needs to run. Additionally, newer RAM is faster, providing part two of a two-fold performance increase.

3. CPU
A CPU Upgrade will increase your computer’s ability to process the instructions being given to it by the software you are running by processing more instructions per second. This translates to a more responsive system, and faster software operation.

4. Hard Drive

A hard drive upgrade can help you in two different ways. The first metric seen in hard drives is the amount of storage they provide. A typical hard drive storage range is anywhere from 80 Gigabytes all the way up to 2 Terabytes (2,000 Gigabytes). There are hard drives larger than this, and smaller than this, but they are far less common. A hard drive with more storage space means you can store more data, pictures, movies, music, accounting data, and other files.

The second metric seen in hard drives is spindle speed. Typical spindle speeds in hard drives range from as low as 4,200 rpm all the way up to 15,000 rpm. The faster the spindle moves, the faster it can locate data, and the more responsive your system will be, especially under heavy use.

In 2011 we may see a large move toward solid-state (flash) drives, which don't even have moving parts, which of course means they will be FAST!

5. Video Card
A video card upgrade provides your computer with the ability to render demanding graphics with ease. Offloading graphics processing to your video card conserves main CPU resources and provides you with a richer video and graphics experience.

6. Monitor

A monitor upgrade will provide you with a richer experience. With a crisp display, a smaller desktop footprint, and increased energy efficiency, a new monitor will not only provide you with an awesome display, but it will save you room while saving you money!

7. Blu Ray Drive
Full High-Def Movies, need I say more?

8. Windows 7
Upgrading to Windows 7 provides a more thorough and enjoyable computing experience. It is feature rich, extremely customizable and absolutely smokes Windows XP on new hardware. If you are building or buying a new computer, Windows 7 is an absolute must.

So there you have it, 8 easy ways to improve your computing experience in 2011. As always, Custom Computing Solutions is here to help if you need help or have questions.