
23.04.2009

ACL object-groups on Cisco routers

I can't say for sure, but starting with IOS 12.4(20)T it became possible to create groups for access-lists, the way it was implemented long ago in Cisco PIX. Not everything works yet!
Example from a router:
object-group network east.net
192.168.4.0 255.255.255.0
192.168.5.0 255.255.255.0
!
object-group network west.net
192.168.1.0 255.255.255.0
192.168.2.0 255.255.255.0
!
object-group network west.srv
host 192.168.2.241
host 192.168.2.242
host 192.168.2.243
!
object-group service winports
group-object winports.tcp
group-object winports.udp
!
object-group service winports.tcp
tcp range 135 139
tcp eq 445
!
object-group service winports.udp
udp range 135 netbios-ss
!
ip access-list extended uplink.in
permit ip any object-group west.srv
deny tcp any object-group west.net eq 445
deny tcp any object-group west.net range 135 139
deny udp any object-group west.net range 135 netbios-ss
permit ip any object-group west.net
deny tcp any object-group east.net eq 445
deny tcp any object-group east.net range 135 139
deny udp any object-group east.net range 135 netbios-ss
permit ip any object-group east.net
ip access-list extended uplink.out
permit ip object-group west.srv any
deny tcp object-group west.net any eq 445
deny tcp object-group west.net any range 135 139
deny udp object-group west.net any range 135 netbios-ss
permit ip object-group west.net any
deny tcp object-group east.net any eq 445
deny tcp object-group east.net any range 135 139
deny udp object-group east.net any range 135 netbios-ss
permit ip object-group east.net any
!
interface Serial0/0/0
ip access-group uplink.in in
ip access-group uplink.out out

I want to point out that in PIX it was possible to do this:
deny tcp object-group west.net any object-group winports.tcp
deny udp object-group west.net any object-group winports.udp

That is why, out of habit, I created two groups. In the documentation (linked at the beginning) we see a construct just like in PIX:
Creating a Service Object Group: Example

The following example shows how to create a service object group named my_service_object_group, which contains several ICMP, TCP, UDP, and TCP-UDP protocols and an existing object group (child) named sjc_eng_svcs as objects.

Router> enable
Router# configure terminal
Router(config)# object-group service my_service_object_group
Router(config-service-group)# icmp echo
Router(config-service-group)# tcp smtp
Router(config-service-group)# tcp telnet
Router(config-service-group)# tcp source range 1 65535 snmp
Router(config-service-group)# udp domain
Router(config-service-group)# tcp-udp range 2000 2005
Router(config-service-group)# group-object sjc_eng_svcs

Creating an Object Group-Based ACL: Example

The following example shows how to create an object group-based ACL that permits packets from the users in my_network_object_group if the protocol ports match the ports specified in my_service_object_group.

Router> enable
Router# configure terminal
Router(config)# ip access-list extended my_ogacl_policy
Router(config-ext-nacl)# permit tcp object-group my_network_object_group object-group my_service_object_group any
Router(config-ext-nacl)# deny tcp any any
Router(config-ext-nacl)# exit
Router(config)# exit

But in reality this cannot be done (12.4(22)T1). There is no option to insert a service object group:
router(config-ext-nacl)#deny tcp ?
A.B.C.D Source address
any Any source host
host A single source host
object-group Source network object group

router(config-ext-nacl)#deny tcp object-group west.net ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
object-group Destination network object group
range Match only packets in the range of port numbers


3845-service(config-ext-nacl)#deny tcp object-group west.net object-group west.net ?
ack Match on the ACK bit
dscp Match packets with given dscp value
eq Match only packets on a given port number
established Match established connections
fin Match on the FIN bit
fragments Check non-initial fragments
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
match-all Match if all specified flags are present
match-any Match if any specified flag is present
neq Match only packets not on a given port number
option Match packets with given IP Options value
precedence Match packets with given precedence value
psh Match on the PSH bit
range Match only packets in the range of port numbers
rst Match on the RST bit
syn Match on the SYN bit
time-range Specify a time-range
tos Match packets with given TOS value
ttl Match packets with given TTL value
urg Match on the URG bit

What you can do instead is build a construct like this:
router(config-ext-nacl)#deny ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
object-group Service object group
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol


ip access-list extended uplink.in
deny object-group winports any object-group west.net

Or this one:
ip access-list extended uplink.in
deny object-group winports.tcp any object-group west.net
deny object-group winports.udp any object-group west.net

But they will block everything indiscriminately, as if it had been written like this:
ip access-list extended uplink.in
deny tcp any object-group west.net
deny udp any object-group west.net
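As an added illustration (not the post's own code or anything from Cisco), a small Python model of how IOS evaluates such an ACL: it parses network object-groups and extended ACEs from a constructed config in the post's style and does first-match lookup. The constructed `observed.in` ACL reproduces the effect described above, where the entry with a service object-group ends up matching all TCP to west.net instead of only the winports; group and ACL names are assumed.

```python
import ipaddress
# Constructed sample in the post's style (names assumed, not a device dump); 'observed.in' models
# the effect the post reports for 'deny object-group winports any object-group west.net'.
CONFIG = """
object-group network west.net
 192.168.1.0 255.255.255.0
 192.168.2.0 255.255.255.0
ip access-list extended uplink.in
 deny tcp any object-group west.net eq 445
 deny tcp any object-group west.net range 135 139
 permit ip any object-group west.net
ip access-list extended observed.in
 deny tcp any object-group west.net
 permit ip any object-group west.net
"""
ANY = [ipaddress.ip_network("0.0.0.0/0")]
def parse_config(text):
    """Collect network object-groups (lists of ip_network) and extended ACL entries."""
    groups, acls, cur = {}, {}, None
    for t in (line.split() for line in text.splitlines()):
        if t[:2] == ["object-group", "network"]:
            cur = groups.setdefault(t[2], [])
        elif t[:3] == ["ip", "access-list", "extended"]:
            cur = acls.setdefault(t[3], [])
        elif t and t[0] in ("permit", "deny"):
            cur.append(t)
        elif t and t[0] != "!":  # group member: 'host A.B.C.D' or 'A.B.C.D NETMASK'
            cur.append(ipaddress.ip_network(t[-1] if t[0] == "host" else "/".join(t)))
    return groups, acls

def parse_ace(tok, groups):
    """One ACE -> (action, proto, src nets, dst nets, dst port set or None)."""
    nets, i = [], 2
    for _ in ("src", "dst"):  # each address field is 'any' or 'object-group NAME'
        nets.append(ANY if tok[i] == "any" else groups[tok[i + 1]])
        i += 1 if tok[i] == "any" else 2
    op = tok[i:i + 1]  # optional destination port operator: eq N | range A B
    ports = ({int(tok[i + 1])} if op == ["eq"]
             else set(range(int(tok[i + 1]), int(tok[i + 2]) + 1)) if op == ["range"] else None)
    return tok[0], tok[1], nets[0], nets[1], ports

def lookup(acl, groups, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation in ACL order, ending in the implicit deny IOS applies."""
    s_ip, d_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, ports in (parse_ace(t, groups) for t in acl):
        if (p in ("ip", proto) and any(s_ip in n for n in src)
                and any(d_ip in n for n in dst) and (ports is None or dport in ports)):
            return action
    return "deny"
GROUPS, ACLS = parse_config(CONFIG)
```

Comparing `lookup(ACLS["uplink.in"], ...)` with `lookup(ACLS["observed.in"], ...)` for TCP port 80 to a west.net host shows the difference: the intended policy permits it, the observed one denies it.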