
6 - Cisco Firewalls: Using Object-groups in ACLs on the ASA


I. Lab topology:
[topology diagram image: Outside network 202.100.1.0/24 behind the ASA, Inside server farm at 10.1.1.1]
II. Lab requirements:
Define a few small objects first, then bundle them into a larger container. This bundling is what programmers call nesting; on the ASA the container is the object-group.
An object-group is more powerful than a plain object: it can reference ordinary objects and it can also hold standalone subnets and hosts directly.
1. Permit traffic from the Outside network (202.100.1.0/24) to the Inside server farm for FTP, ESP, DNS and ICMP.
2. Suppose Outside has 4 source hosts (202.100.1.1 to 202.100.1.4) and there are 3 destinations.
3. Written as ordinary ACLs this needs one ACE per source/destination/service combination; object-groups save a lot of commands.
4. Define source, destination and service groups.
5. Compare the output of show run access-list with that of show access-list.
III. Command deployment:
1. Define the source network objects
ASA(config)# object network yuan1 //a network object holds a single host, a subnet, or an address range
ASA(config-network-object)# host 202.100.1.1

ASA(config-network-object)# object network yuan2
ASA(config-network-object)# subnet 202.100.1.0 255.255.255.0

ASA(config-network-object)# object network yuan3
ASA(config-network-object)# range 202.100.2.10 202.100.2.20

2. Define an object-group that bundles the objects above; standalone subnets and hosts can also be added to the same group:
Bundling the objects:
ASA(config)# object-group network yuan
ASA(config-network-object-group)# network-object object yuan1
ASA(config-network-object-group)# network-object object yuan2
ASA(config-network-object-group)# network-object object yuan3
Adding a subnet and a host directly:
ASA(config-network-object-group)# network-object 202.10.20.0 255.255.255.0 //add a subnet directly

ASA(config-network-object-group)# network-object host 202.10.20.1 //add a host directly

3. Define the destination object-group network
ASA(config)# object-group network mude
ASA(config-network-object-group)# network-object host 10.1.1.1

4. Define the service object-group ser (ESP and ICMP are protocol entries; FTP and DNS are matched on the destination port):
ASA(config)# object-group service ser
ASA(config-service-object-group)# service-object esp
ASA(config-service-object-group)# service-object icmp
ASA(config-service-object-group)# service-object tcp destination eq ftp
ASA(config-service-object-group)# service-object udp destination eq domain

5. Reference all three groups from a single ACE (the ACL only filters traffic once it is bound to an interface with access-group, which this lab does not show):
ASA(config)# access-list aa extended permit object-group ser object-group yuan object-group mude
IV. Verification:
ASA# show run object
object network yuan1
host 202.100.1.1
object network yuan2
subnet 202.100.1.0 255.255.255.0
object network yuan3
range 202.100.2.10 202.100.2.20

ASA# show run object-group
object-group network yuan
network-object object yuan1
network-object object yuan2
network-object object yuan3
network-object 202.10.20.0 255.255.255.0
network-object host 202.10.20.1

ASA# show run access-list //only one line below
access-list aa extended permit object-group ser object-group yuan object-group mude

ASA# show access-list //a whole list below: 8 source entries x 1 destination x 4 services = 32 elements (the output shown here stops after the ESP entries)
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list aa; 32 elements; name hash: 0xdd1304fa
access-list aa line 1 extended permit object-group ser object-group yuan object-group mude 0x2c352a70
access-list aa line 1 extended permit esp host 202.100.1.1 host 10.1.1.1 (hitcnt=0) 0x77cb04ed
access-list aa line 1 extended permit esp 202.100.1.0 255.255.255.0 host 10.1.1.1 (hitcnt=0) 0x260a81b4
access-list aa line 1 extended permit esp 202.100.2.10 255.255.255.254 host 10.1.1.1 (hitcnt=0) 0xaddc4366
access-list aa line 1 extended permit esp 202.100.2.12 255.255.255.252 host 10.1.1.1 (hitcnt=0) 0xaf630f92
access-list aa line 1 extended permit esp 202.100.2.16 255.255.255.252 host 10.1.1.1 (hitcnt=0) 0xd0d3bdd7
access-list aa line 1 extended permit esp host 202.100.2.20 host 10.1.1.1 (hitcnt=0) 0xa8245911
access-list aa line 1 extended permit esp 202.10.20.0 255.255.255.0 host 10.1.1.1 (hitcnt=0) 0x67408de6
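The following Python block is an added example and not part of the original post or of any Cisco software. It rebuilds the post's objects (yuan1-3, yuan, mude, ser) in Python, flattens the single object-group ACE into the individual entries the way the ASA does for show access-list, and shows why the count is 32 and why the range 202.100.2.10-202.100.2.20 appears as four prefix blocks. It also includes a first-match lookup over the flattened entries so you can test which flows the ACE actually permits. Function names (expand_ace, render, permitted) and the tuple representation of the objects are the author's choices here, not ASA constructs.

```python
"""Flatten an ASA object-group ACE into the per-entry ACEs that
`show access-list` prints.  Added example for this post (not ASA code);
the objects below are re-created from the post's configuration."""
import ipaddress
from itertools import product

# object network entries as the post defines them (host / subnet / range).
NETWORK_OBJECTS = {
    "yuan1": ("host", "202.100.1.1"),
    "yuan2": ("subnet", "202.100.1.0", "255.255.255.0"),
    "yuan3": ("range", "202.100.2.10", "202.100.2.20"),
}

# object-group network entries: nested objects plus the extra subnet and host.
NETWORK_GROUPS = {
    "yuan": [
        ("object", "yuan1"),
        ("object", "yuan2"),
        ("object", "yuan3"),
        ("subnet", "202.10.20.0", "255.255.255.0"),
        ("host", "202.10.20.1"),
    ],
    "mude": [("host", "10.1.1.1")],
}

# object-group service entries as (protocol, destination-port match or None).
SERVICE_GROUPS = {
    "ser": [("esp", None), ("icmp", None), ("tcp", "eq ftp"), ("udp", "eq domain")],
}


def expand_entry(entry):
    """Turn one network-object line into a list of ipaddress networks.
    A range is split into the minimal set of prefixes, which is exactly why
    the ASA lists 202.100.2.10-20 as /31, /30, /30 and /32 entries."""
    kind = entry[0]
    if kind == "host":
        return [ipaddress.ip_network(entry[1])]
    if kind == "subnet":
        return [ipaddress.ip_network(f"{entry[1]}/{entry[2]}")]
    if kind == "range":
        first, last = ipaddress.ip_address(entry[1]), ipaddress.ip_address(entry[2])
        return list(ipaddress.summarize_address_range(first, last))
    if kind == "object":  # nested object: recurse into its definition
        return expand_entry(NETWORK_OBJECTS[entry[1]])
    raise ValueError(f"unknown entry kind {kind!r}")


def expand_group(name):
    nets = []
    for entry in NETWORK_GROUPS[name]:
        nets.extend(expand_entry(entry))
    return nets


def expand_ace(service_group, src_group, dst_group):
    """Cross product service x source x destination, in the order the ASA
    prints them (service outermost, then source, then destination)."""
    return [
        (proto, port, src, dst)
        for (proto, port), src, dst in product(
            SERVICE_GROUPS[service_group],
            expand_group(src_group),
            expand_group(dst_group),
        )
    ]


def fmt_net(net):
    """ASA notation: 'host a.b.c.d' for a /32, otherwise 'network netmask'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def render(ace):
    proto, port, src, dst = ace
    line = f"permit {proto} {fmt_net(src)} {fmt_net(dst)}"
    return line + (f" {port}" if port else "")


def permitted(aces, proto, src_ip, dst_ip, dst_port=None):
    """First-match lookup over the flattened entries, the way the firewall
    walks the list.  dst_port is a service name such as 'ftp' or 'domain'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace_proto, port, src_net, dst_net in aces:
        if ace_proto != proto or src not in src_net or dst not in dst_net:
            continue
        if port is None or port == f"eq {dst_port}":
            return True
    return False


if __name__ == "__main__":
    flat = expand_ace("ser", "yuan", "mude")
    print(f"access-list aa; {len(flat)} elements")
    for ace in flat:
        print("access-list aa line 1 extended " + render(ace))
```

Running the block prints the 32 expanded entries in the same order as the ASA output above, so you can diff it against show access-list to check that a group change produced the entries you expected. The permitted() lookup is the practical check: after editing a group, ask whether a specific source, destination and service is still allowed, rather than reading through the expanded list by eye.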
