object grouping

Puts objects of the same kind into a named group, so that one access-list entry can refer to the whole group.

The old-style method (one access-list line per host, protocol or port) is tedious and produces a large configuration.

Four types of object can be grouped:

protocols (example group: inside_protocols)
 tcp
 udp

networks and hosts (example group: inside_host)
 subnet 10.0.0.0/24
 host 10.0.1.11
 host 10.0.2.11

services (example group: dmz_services)
 http
 https
 ftp

icmp types (for ping)
 echo
 echo-reply

Example: grouping networks

object-group network dmz_server
 network-object host 192.168.1.1
 network-object host 192.168.1.10
 network-object host 192.168.1.19
 network-object 192.168.1.0 255.255.255.0
!
! One ACE now covers every member of the group as the destination.
access-list dmz permit tcp any object-group dmz_server

Example: grouping protocols

object-group protocol pro
 protocol-object ospf
 protocol-object eigrp
 protocol-object gre
 protocol-object tcp
 protocol-object udp
!
! A protocol object-group takes the place of the protocol keyword
! in the ACE (the keyword is object-group, not object).
access-list ddd permit object-group pro any any

Example: grouping services (TCP ports)

object-group service ser tcp
 port-object eq 23
 port-object eq 25
 port-object eq 21
 port-object eq 80
 port-object eq 22
 port-object eq 443
!
! telnet, smtp, ftp, http, ssh and https. The destination is the
! dmz_server network group from the previous example; the service
! group supplies the destination ports, so the ACE has one source
! field (any), one destination field and one port field.
access-list ww permit tcp any object-group dmz_server object-group ser

Example: grouping ICMP types

object-group icmp-type icmp
 icmp-object echo
 icmp-object redirect
 icmp-object echo-reply
 icmp-object time-exceeded
!
! The icmp-type group goes where a single ICMP type would go.
access-list yy permit icmp any any object-group icmp

Nesting object-groups (group-object)

object-group network inside_eng
 network-object host 10.0.0.1
 network-object host 10.0.0.2
object-group network inside_mktg
 network-object host 10.0.1.1
 network-object host 10.0.1.2
!
! inside_networks contains both groups. An ACE that references it
! matches all four hosts, and a host added to inside_eng later is
! picked up automatically. Only groups of the same type can be nested
! (a network group cannot contain a service group).
object-group network inside_networks
 group-object inside_eng
 group-object inside_mktg
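To see how much configuration a single grouped ACE stands in for, the script below, an added example that is not part of the original notes or any Cisco code, parses a small constructed ASA-style configuration (built from the group names used above) and expands each access-list line into the flat per-line ACEs the old-style method would need. It resolves nested group-object references and refuses reference cycles. The ASA performs the same expansion internally; `show access-list` displays the expanded entries with their hit counts.

```python
"""Expand ASA/PIX object-group ACL entries into flat, per-line ACEs.

Added example for these notes, not vendor code. SAMPLE_CONFIG is a
constructed configuration reusing the group names from the notes.
"""
import re
from itertools import product

# Constructed sample config (not taken from a real device).
SAMPLE_CONFIG = """\
object-group network inside_eng
 network-object host 10.0.0.1
 network-object host 10.0.0.2
object-group network inside_mktg
 network-object host 10.0.1.1
 network-object host 10.0.1.2
object-group network inside_networks
 group-object inside_eng
 group-object inside_mktg
object-group network dmz_server
 network-object host 192.168.1.10
 network-object 192.168.1.0 255.255.255.0
object-group service ser tcp
 port-object eq 22
 port-object eq 443
access-list ww permit tcp object-group inside_networks object-group dmz_server object-group ser
"""

GROUP_HDR = re.compile(r"object-group (network|service|protocol|icmp-type) (\S+)")
MEMBER = re.compile(r"(network|port|protocol|icmp|service)-object (.+)")


def parse_groups(config):
    """Return {group name: [("leaf", text) | ("group", name), ...]}."""
    groups, current = {}, None
    for raw in config.splitlines():
        hdr = GROUP_HDR.match(raw)
        if hdr:
            current = groups.setdefault(hdr.group(2), [])
            continue
        line = raw.strip()
        if current is None or not line:
            continue
        if line.startswith("group-object "):
            current.append(("group", line.split(None, 1)[1]))
        elif MEMBER.match(line):
            current.append(("leaf", MEMBER.match(line).group(2)))
        else:
            current = None  # any other line ends the group block
    return groups


def resolve(groups, name, seen=()):
    """Flatten a group, following nested group-object references.
    Unknown groups and reference cycles raise ValueError."""
    if name in seen:
        raise ValueError(f"object-group cycle through {name}")
    if name not in groups:
        raise ValueError(f"unknown object-group {name}")
    out = []
    for kind, value in groups[name]:
        if kind == "group":
            out.extend(resolve(groups, value, seen + (name,)))
        else:
            out.append(value)
    return out


def _take_addr(tokens, groups):
    """Consume one source/destination spec from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ["any"]
    if tok == "object-group":
        return resolve(groups, tokens.pop(0))
    if tok == "host":
        return [f"host {tokens.pop(0)}"]
    return [f"{tok} {tokens.pop(0)}"]  # "network mask" form


def expand_ace(line, groups):
    """Expand one access-list line into the equivalent flat ACEs."""
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError(f"not an access-list line: {line}")
    if tokens[2] == "extended":  # optional keyword on ASA
        del tokens[2]
    name, action = tokens[1], tokens[2]
    rest = tokens[3:]
    if rest[0] == "object-group":  # protocol object-group
        protos = resolve(groups, rest[1])
        del rest[:2]
    else:
        protos = [rest.pop(0)]
    srcs = _take_addr(rest, groups)
    dsts = _take_addr(rest, groups)
    if rest[:1] == ["object-group"]:  # service or icmp-type group
        svcs = resolve(groups, rest[1])
    else:
        svcs = [" ".join(rest)]  # e.g. "eq 80", or "" when absent
    return [
        f"access-list {name} {action} {p} {s} {d} {v}".rstrip()
        for p, s, d, v in product(protos, srcs, dsts, svcs)
    ]


def expand_config(config):
    """Expand every access-list line in config into flat ACEs."""
    groups = parse_groups(config)
    flat = []
    for line in config.splitlines():
        if line.startswith("access-list "):
            flat.extend(expand_ace(line, groups))
    return flat


if __name__ == "__main__":
    for ace in expand_config(SAMPLE_CONFIG):
        print(ace)
    print(f"{len(expand_config(SAMPLE_CONFIG))} flat ACEs from 1 grouped ACE")
```

Run it directly to print the 16 flat ACEs that the one grouped line stands for (4 source hosts x 2 destinations x 2 ports). The parser deliberately handles only the syntax used in these notes (any, host, network mask, object-group, eq port) and is not a general ACL parser.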