Service Object Groups
A service object group is a group of TCP or UDP port numbers. Service object
groups can be used in place of the port parameter in an access list or a conduit.
The syntax to create a service object group is as follows:
object-group service grp_id {tcp | udp | tcp-udp}
Because a service object group lists ports and port ranges, it must be configured
as TCP, UDP, or both. The tcp, udp, and tcp-udp keywords define the
common IP protocol for all ports listed in the object group. The subconfiguration
command to populate the service object group with a single port is:
port-object eq port
The subconfiguration command syntax to populate the service object group
with a range of ports is:
port-object range begin_port end_port
The following object group defines the set of ports that all Web servers
within an organization need to have opened on the firewall:
PIX1(config)# object-group service websrv-grp tcp
PIX1(config-service)# description Ports needed on public web servers
PIX1(config-service)# port-object eq 80
PIX1(config-service)# port-object eq 8080
PIX1(config-service)# port-object range 9000 9010
www.syngress.com
Passing Traffic • Chapter 3 121
To verify that an object group was created and populated with the correct
information, we can display the current object group configuration using the show
object-group command:
PIX1# show object-group
object-group icmp-type icmp-grp
description: ICMP types allowed into the PIX
icmp-object echo-reply
icmp-object unreachable
object-group network net-grp
description: List of Public HTTP Servers
network-object host 192.168.1.10
network-object host 172.16.10.1
network-object 172.16.2.0 255.255.255.0
object-group protocol vpn-grp
description: Protocols allowed for VPN Access
protocol-object ah
protocol-object gre
protocol-object esp
object-group service websrv-grp tcp
description: Ports needed on public web servers
port-object eq www
port-object eq 8080
port-object range 9000 9010
Note that the PIX displays well-known ports by name: port 80 was entered, but the
output shows www. If one of the object groups does not look correct or is not
needed, it can be removed using the no object-group command.
While article groups can be acclimated in admission lists and conduits, they charge be
preceded by the object-group keyword.To acquiesce the ICMP blazon ethics authentic in
the icmp-grp article group, the access-list command is:
PIX1(config)# access-list icmp_in admittance icmp any any object-group icmp-grp
To permit access to the Web servers defined in net-grp on the ports defined
in websrv-grp, the command is:
PIX1(config)# access-list outside_in permit tcp any object-group net-grp object-group websrv-grp
Because websrv-grp was created as a tcp group, it can only qualify a tcp access-list
entry; the same group could not be used on a udp entry.
One nice feature of object groups is that they can nest object groups of the
same type, using the group-object subcommand. For example:
PIX1(config)# object-group network all-servers
PIX1(config-network)# group-object net-grp
PIX1(config-network)# network-object 172.16.3.0 255.255.255.0
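Once several access-list entries reference nested groups, it becomes hard to see from the configuration alone what a given entry actually permits. The following script is an added example, not code from the book or from Cisco: it parses the text format of show object-group, follows group-object nesting, and expands an access-list entry into the concrete (source, destination, port) combinations the PIX will allow. The sample output it parses is constructed to mirror the groups shown above plus the nested all-servers group; the WELL_KNOWN_PORTS table is an assumed subset, added because the PIX prints port 80 back as www. It also rejects the two mistakes a reviewer most often finds: a service group whose tcp/udp keyword does not match the entry's protocol, and a group-object reference to a group of a different type or to itself.

```python
"""Expand the object groups named in a PIX access-list entry into the concrete tuples
the firewall will permit. Added example (not code from the book or from Cisco);
SAMPLE_SHOW_OUTPUT is constructed to mirror the page's show object-group output."""

WELL_KNOWN_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21}  # PIX shows 80 as www; assumed subset

SAMPLE_SHOW_OUTPUT = """\
object-group icmp-type icmp-grp
description: ICMP types allowed into the PIX
icmp-object echo-reply
icmp-object unreachable
object-group network net-grp
description: List of Public HTTP Servers
network-object host 192.168.1.10
network-object host 172.16.10.1
network-object 172.16.2.0 255.255.255.0
object-group service websrv-grp tcp
description: Ports needed on public web servers
port-object eq www
port-object eq 8080
port-object range 9000 9010
object-group network all-servers
group-object net-grp
network-object 172.16.3.0 255.255.255.0
"""

def _port(token):
    return int(token) if token.isdigit() else WELL_KNOWN_PORTS[token]

def parse_show_object_group(text):
    """Return {name: {kind, proto, members, nested}}; proto is the tcp/udp/tcp-udp
    keyword of a service group and nested holds the names given to group-object."""
    groups, cur = {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "description:":
            continue
        if t[0] == "object-group":
            proto = t[3] if t[1] == "service" and len(t) > 3 else ""
            cur = groups[t[2]] = {"kind": t[1], "proto": proto, "members": [], "nested": []}
        elif cur is None:
            raise ValueError(f"member line outside any group: {raw!r}")
        elif t[0] == "group-object":
            cur["nested"].append(t[1])
        elif t[0] == "network-object":           # host A -> (A, /32 mask); A M -> (A, M)
            cur["members"].append((t[2], "255.255.255.255") if t[1] == "host" else (t[1], t[2]))
        elif t[0] == "port-object":              # eq P -> (P, P); range A B -> (A, B)
            cur["members"].append((_port(t[2]), _port(t[3] if t[1] == "range" else t[2])))
        elif t[0] in ("icmp-object", "protocol-object"):
            cur["members"].append(t[1])
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return groups

def resolve(groups, name, kind, _path=()):
    """Flatten a group through group-object nesting. PIX nests only groups of the
    same type, so a type mismatch is an error; so is a nesting loop."""
    if name in _path:
        raise ValueError("nesting loop: " + " -> ".join(_path + (name,)))
    g = groups[name]
    if g["kind"] != kind:
        raise ValueError(f"{name} is a {g['kind']} group; a {kind} group is required here")
    out = list(g["members"])
    for child in g["nested"]:
        out.extend(resolve(groups, child, kind, _path + (name,)))
    return out

def expand_ace(groups, ace):
    """Expand one entry into (action, proto, src, dst, service) tuples: src/dst are
    (address, mask); service is a (low, high) port pair, an ICMP type name, or None."""
    t = ace.split()
    if t[0] == "access-list":
        t = t[2:]                                # drop keyword and ACL name
    action, proto, rest = t[0], t[1], t[2:]
    def take_addr(rest):                         # any | object-group G | A M
        if rest[0] == "any":
            return [("0.0.0.0", "0.0.0.0")], rest[1:]
        if rest[0] == "object-group":
            return resolve(groups, rest[1], "network"), rest[2:]
        return [(rest[0], rest[1])], rest[2:]
    srcs, rest = take_addr(rest)
    dsts, rest = take_addr(rest)
    services = [None]
    if rest[:1] == ["object-group"]:
        if proto == "icmp":
            services = resolve(groups, rest[1], "icmp-type")
        else:
            svc = groups[rest[1]]
            if svc["proto"] not in (proto, "tcp-udp"):   # a tcp group cannot qualify a udp entry
                raise ValueError(f"{rest[1]} is a {svc['proto']} group but the entry is {proto}")
            services = resolve(groups, rest[1], "service")
    return [(action, proto, s, d, svc) for s in srcs for d in dsts for svc in services]

if __name__ == "__main__":                       # what the outside_in entry above really permits
    for rule in expand_ace(parse_show_object_group(SAMPLE_SHOW_OUTPUT),
                           "access-list outside_in permit tcp any object-group net-grp object-group websrv-grp"):
        print(rule)
```

Run against the outside_in entry, the script prints nine tuples: each of the three net-grp addresses combined with port 80, port 8080 and the 9000-9010 range. Resolving all-servers yields four networks, its own 172.16.3.0/24 plus the three inherited from net-grp, which is the expansion a reviewer should check before trusting a nested group in a permit rule.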