ASA防火墙之居于object-group的ACL配置实例

object-group的ACL配置实例

本篇介绍一下对象组的ACL放行策略，可以将多个不同的流量进行捆版式的放行，也可以相互嵌套，综合使用。

拓扑实验（中间模拟ASA）

需求：放行outside（192.168.150.100）网络去往内部服务器（192.168.106.0/24，这里用192.168.106.1-3来做组）的(TFP/ESP/DNS/ICMP)流量。
配置如下：
ASA(config)#object-group network inside-network //创建网络组
ASA(config-network-object-group)# network-object host 192.168.106.1
ASA(config-network-object-group)# network-object host 192.168.106.2
ASA(config-network-object-group)# network-object host 192.168.106.3
ASA(config)# object-group service inside-server //创建服务器组
ASA(config-service-object-group)# service-object tcp destination eq ftp
ASA(config-service-object-group)# service-object esp
ASA(config-service-object-group)# service-object tcp destination eq 53
ASA(config-service-object-group)# service-object icmp
ASA(config)#access-list object permit object-group inside-server host 192.168.150.100 object-group inside-network
ASA(config)#access-group object in interface outside //接口调用

配置之后查看如下，
配置如下：
ASA(config)#object-group network inside-network //创建网络组
ASA(config-network-object-group)# network-object host 192.168.106.1
ASA(config-network-object-group)# network-object host 192.168.106.2
ASA(config-network-object-group)# network-object host 192.168.106.3
ASA(config)# object-group service inside-server //创建服务器组
ASA(config-service-object-group)# service-object tcp destination eq ftp
ASA(config-service-object-group)# service-object esp
ASA(config-service-object-group)# service-object tcp destination eq 53
ASA(config-service-object-group)# service-object icmp
ASA(config)#access-list object permit object-group inside-server host 192.168.150.100 object-group inside-network
ASA(config)#access-group object in interface outside //接口调用

配置之后查看如下，可以看出，我们只写了一条策略，但是通过调用对象组，使得产生了多条相互交叉的策略。

最后

不喜勿喷，感谢观看。