2022-10-10
6 - Cisco Firewall: Using Object-group in ACLs on the ASA (Cisco ASA Firewall Explained)
ASA(config-network-object)# object network yuan2
ASA(config-network-object)# subnet 202.100.1.0 255.255.255.0
ASA(config-network-object)# object network yuan3
ASA(config-network-object)# range 202.100.2.10 202.100.2.20

2. Define an object-group that bundles the objects above; individual subnets and hosts can also be added to it directly:

Bundle the objects:
ASA(config)# object-group network yuan
ASA(config-network-object-group)# network-object object yuan1
ASA(config-network-object-group)# network-object object yuan2
ASA(config-network-object-group)# network-object object yuan3

Add a host or subnet individually:
ASA(config-network-object-group)# network-object 202.10.20.0 255.255.255.0 //add a single subnet
ASA(config-network-object-group)# network-object host 202.10.20.1 //add a single host

3. Define the destination object-group network:
ASA(config)# object-group network mude
ASA(config-network-object-group)# network-object host 10.1.1.1

4. Define object-group service ser:
ASA(config)# object-group service ser
ASA(config-service-object-group)# service-object esp
ASA(config-service-object-group)# service-object icmp
ASA(config-service-object-group)# service-object tcp destination eq ftp
ASA(config-service-object-group)# service-object udp destination eq domain

5. Reference the groups globally:
ASA(config)# access-list aa extended permit object-group ser object-group yuan object-group mude

IV. Verification:

ASA# show run object
object network yuan1
 host 202.100.1.1
object network yuan2
 subnet 202.100.1.0 255.255.255.0
object network yuan3
 range 202.100.2.10 202.100.2.20

ASA# show run object-group
object-group network yuan
 network-object object yuan1
 network-object object yuan2
 network-object object yuan3
 network-object 202.10.20.0 255.255.255.0
 network-object host 202.10.20.1

ASA# show run access-list //only one entry below
access-list aa extended permit object-group ser object-group yuan object-group mude

ASA# show access-list //a whole pile of entries below
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list aa; 32 elements; name hash: 0xdd1304fa
access-list aa line 1 extended permit object-group ser object-group yuan object-group mude 0x2c352a70
  access-list aa line 1 extended permit esp host 202.100.1.1 host 10.1.1.1 (hitcnt=0) 0x77cb04ed
  access-list aa line 1 extended permit esp 202.100.1.0 255.255.255.0 host 10.1.1.1 (hitcnt=0) 0x260a81b4
  access-list aa line 1 extended permit esp 202.100.2.10 255.255.255.254 host 10.1.1.1 (hitcnt=0) 0xaddc4366
  access-list aa line 1 extended permit esp 202.100.2.12 255.255.255.252 host 10.1.1.1 (hitcnt=0) 0xaf630f92
  access-list aa line 1 extended permit esp 202.100.2.16 255.255.255.252 host 10.1.1.1 (hitcnt=0) 0xd0d3bdd7
  access-list aa line 1 extended permit esp host 202.100.2.20 host 10.1.1.1 (hitcnt=0) 0xa8245911
  access-list aa line 1 extended permit esp 202.10.20.0 255.255.255.0 host 10.1.1.1 (hitcnt=0) 0x67408de6
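
The expansion that show access-list performs above can be reproduced offline, which helps when reviewing what a single object-group line really permits before it is deployed. The Python sketch below is an added example, not part of the original post or any Cisco tool; the data structures and function names are hypothetical, and hit counters and hash values are not reproduced.

```python
import ipaddress
from itertools import product

# Objects and groups copied from the configuration on this page
# (yuan1's host address comes from the "show run object" output).
NETWORK_OBJECTS = {
    "yuan1": ("host", "202.100.1.1"),
    "yuan2": ("subnet", "202.100.1.0", "255.255.255.0"),
    "yuan3": ("range", "202.100.2.10", "202.100.2.20"),
}
NETWORK_GROUPS = {
    "yuan": [("object", "yuan1"), ("object", "yuan2"), ("object", "yuan3"),
             ("subnet", "202.10.20.0", "255.255.255.0"), ("host", "202.10.20.1")],
    "mude": [("host", "10.1.1.1")],
}
SERVICE_GROUPS = {"ser": ["esp", "icmp", "tcp destination eq ftp",
                          "udp destination eq domain"]}

def expand_member(member):
    """Return the ip_network blocks covered by one group member."""
    kind, *args = member
    if kind == "object":
        return expand_member(NETWORK_OBJECTS[args[0]])
    if kind == "host":
        return [ipaddress.ip_network(args[0] + "/32")]
    if kind == "subnet":
        return [ipaddress.ip_network(f"{args[0]}/{args[1]}")]
    if kind == "range":  # split into the minimal aligned blocks
        first, last = map(ipaddress.ip_address, args)
        return list(ipaddress.summarize_address_range(first, last))
    raise ValueError(f"unknown member type: {kind}")

def fmt(net):
    """Render a block as the ACL output does: 'host X' or 'network mask'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"

def expand_acl(name, svc_group, src_group, dst_group):
    """Expand one object-group ACL line into its individual entries."""
    srcs = [n for m in NETWORK_GROUPS[src_group] for n in expand_member(m)]
    dsts = [n for m in NETWORK_GROUPS[dst_group] for n in expand_member(m)]
    aces = []
    for svc, src, dst in product(SERVICE_GROUPS[svc_group], srcs, dsts):
        # Assumption: the port operator is printed after the destination.
        proto, _, ports = svc.partition(" destination ")
        ace = f"access-list {name} line 1 extended permit {proto} {fmt(src)} {fmt(dst)}"
        aces.append(ace + (f" {ports}" if ports else ""))
    return aces
```

Calling expand_acl("aa", "ser", "yuan", "mude") returns 32 entries (4 services x 8 source blocks x 1 destination), matching the "32 elements" count in the output above; the range object alone contributes four source blocks.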