Networks Training

You are here: Home / Cisco ASA Firewall Configuration / Configuring Object Groups on Cisco ASA (Network, Service Objects etc)

Configuring Object Groups on Cisco ASA (Network, Service Objects etc)

Written By

The usage of object groups (network objects, service object etc) is becoming more popular on Cisco ASA firewalls especially with newer OS versions ( 8.3(x) and later) . In the newer versions, network object groups are used extensively for the configuration of NAT mechanisms in addition to other uses.

network object group asa

In this post I will show some simple examples of using network objects and service objects with access lists etc.

Moreover, I will expand the above to show how object groups are used with NAT as well (especially with the new NAT mechanism introduced after version 8.3).

Network Objects and Service Objects Examples

Suppose we have a few Web servers located on a DMZ which are accessed from the Internet. We want to enable http (80) and https (443) access from internet towards these web servers.

Assume that we have configured static NAT for those web servers and translated their real private IP addresses to the following Public IP addresses:

Web Server1: Private IP (192.168.1.1) translated to Public IP (50.50.50.1)
Web Server2: Private IP (192.168.1.2) translated to Public IP (50.50.50.2)
Web Server3: Private IP (192.168.1.3) translated to Public IP (50.50.50.3)

Configuration of access list using object groups

! create a service group for the http and https protocols
object-group service http-protocols tcp
port-object eq 80
port-object eq 443

! create a network object group for the web servers
object-group network webservers
network-object host 50.50.50.1
network-object host 50.50.50.2
network-object host 50.50.50.3

! create the access list applied inbound on the outside interface
access-list OUTSIDE-IN extended permit tcp any object-group webservers object-group http-protocols

access-group OUTSIDE-IN in interface outside

EDIT (ASA Versions after 8.3):

In newer ASA versions after 8.3, the access list must always reference the Real IP address of a host and NOT the translated IP address. So, in our example above, the “webservers” object-group must include the Real (private) IP addresses of the servers and not the translated public IP.

MORE READING:  Series of Steps to Forward a packet in a Cisco ASA Firewall

! create a network object group for the web servers with their Real private IP
object-group network webservers
network-object host 192.168.1.1
network-object host 192.168.1.2
network-object host 192.168.1.3

! create the access list applied inbound on the outside interface
access-list OUTSIDE-IN extended permit tcp any object-group webservers object-group http-protocols

access-group OUTSIDE-IN in interface outside

As you can see from above, you first create the network object-group and give it a name, and then add “network-object” of specific hosts to the above created object-group. You can add new network-object hosts later on under the same object-group or remove older entries (with the “no network-object host x.y.z.w”)

Configuration of NAT using object groups

If you administer any of the Cisco ASA 5500 firewall family products some things should be noted about the differences in configuration for 8.3 and newer versions of code.  One of the most significant changes to be noted is NAT (Network Address Translation).

In the Cisco ASA 8.3 version of code Cisco has introduced the concept of objects.  Within the specified objects the NAT configuration is applied.

This means that NAT configuration is now completely different from the traditional  “global” and “static” commands that we had been using in versions prior to 8.3.  Lets take a closer look at each of the three basic types of NAT.

Dynamic NAT: (Many to One)

cisco asa dynamic nat

Steps:

1-       Create object group.
2-       Define object IP Address or Subnet.
3-       Create NAT statement within object group.

object network INSIDE_LAN
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) dynamic interface

Lets take a closer look!

object network INSIDE_LAN
Creates a network object called “INSIDE_LAN”

subnet 192.168.2.0 255.255.255.0
Defines the subnet or host IP Address for the object “INSIDE_LAN”

nat (inside,outside) dynamic interface

States that when traffic is entering the inside interface (ingress) and exiting the outside interface (egress) dynamically translate the IP address to the IP address of the egress interface.  In our case the outside interface IP address of 210.130.3.4 will be used.

Static NAT: (One to One)

cisco asa static nat

Steps:

1-       Create object group.
2-       Define object IP address.
3-       Create NAT statement within object group.

MORE READING:  How to Configure a Cisco ASA 5510 Firewall - Basic Configuration Tutorial

object network WEB_SERVER
host 192.168.3.10
nat (DMZ,outside) static 210.130.3.5

Again, lets dive a little deeper into the commands.

Object network WEB_SERVER
Creates a network object called “WEB_SERVER”.

host 192.168.3.10
Defines the host IP Address for the object “WEB_SERVER”.

nat (DMZ,outside) static 210.130.3.5
States that the host 192.168.3.10 sits behind the “DMZ” interface also known as the “Real Interface” and should be mapped to the “Outside Interface” known as the “Mapped Interface”.  When this happens host from the Internet can reach the WEB_SERVER object using the 210.130.3.5 IP address.

PAT (Port Address Translation):

Static nat with pat

Steps:

1-       Create object group.
2-       Define object IP address.
3-       Create NAT statement within object group.

object group WWW_SERVER
host 192.168.3.10
nat (DMZ,outside) static 210.130.3.4 service tcp 80 80

object group FTP_SERVER
host 192.168.3.11
nat (DMZ,outside) static 210.130.3.4 service tcp 21 21

Once more, lets take a closer look at the configuration.

object group WWW_SERVER
Creates an object group for our web server named “WWW_SERVER”.

host 192.168.3.10
Defines the real IP address for the object “WWW_SERVER”.

nat (DMZ,outside) static 210.130.3.4 service tcp 80 80
States that traffic from the outside destined to 210.130.3.4 on destination port 80 should be translated back to address 192.168.3.10 using the same destination port of 80 (http).

object group FTP_SERVER
Creates an object group for our FTP server named “FTP_SERVER”.

host 192.168.3.11
Defines the real IP address for the object “FTP_SERVER”.

nat (DMZ,outside) static 210.130.3.4 service tcp 21 21
States that traffic from the outside destined to 210.130.3.4 on destination port 21 should be translated back to address 192.168.3.11 using the same destination port of 21 (ftp).

Verification Commands:

Show object-group
Shows all object groups within the running configuration.

Show run nat
Shows all NAT configurations within the running config.

Show nat

Show the NAT table within the ASA.  The NAT table will be used during traffic processing to check for matching NAT statements.  The table is checked in sequential order going from top down.  The “show nat” command will also show how many times a “nat’ed” address has been hit.

Related Posts

Filed Under: Cisco ASA Firewall Configuration

Download Free Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls.

We use Elastic Email as our marketing automation service. By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Hanson G Jolo says

    I am using Virl/VMware Workstation Player to do most of my labs; I was getting errors trying to configure Nat using Object Group. I will follow this example online to see if it is going to make a difference. I am using your book “Cisco ASA Firewall, Fundamentals -3rd Edition.” but the Virl lab is not taking the commands from the book when I tried to do the object group lab.
    Thank you very much! Your book is simple to read and to understand, my only problem now is creating the Nat Object Group.

  2. Harris Andrea says

    Hanson, thanks for your comment. Sometimes virtual devices on Virl do not have all the capabilities and command support of real devices. Maybe try to see if the specific command or syntax exist on the device by using the question mark (?) when typing the command.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

As an Amazon Associate I earn from qualifying purchases.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

BLOGROLL

Tech21Century
Firewall.cx