Remove access-list line Cisco ASA

I need to modify the existing configuration of a Cisco ASA. While analyzing the configuration I noticed something that looks redundant to me. I would like to see if somebody can confirm my doubts.

    access-list LANA_access_in extended permit ip any any log debugging inactive
    access-list LANA_access_in extended permit icmp any any log debugging inactive
    access-list LANA_access_in extended permit icmp 172.12.10.0 255.255.255.0 10.5.83.0 255.255.255.0
    access-list LANA_access_in extended permit ip 172.12.10.0 255.255.255.0 10.5.83.0 255.255.255.0
    ...
    access-group LANA_access_in in interface LAN_A_Lan

Am I right that, after the first two lines, the second two lines are completely redundant?

And to make things even better, there is this part of the config:

    access-list global_access extended permit ip any any log debugging inactive
    access-list global_access extended permit icmp any any log debugging inactive
    ...
    access-group global_access global

If I understand correctly, this will allow all ingress traffic on all ports, and the previously mentioned two specific lines are "double" redundant.

Are my assumptions correct?
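An added example, not part of the question or any answer on this page: a small Python checker for the ACEs quoted above that flags an entry only when an earlier entry in the same ACL is active and already matches everything the later entry matches. It treats the ASA `inactive` keyword as disabling an entry, compares entries only within one ACL (an interface ACL is evaluated before the global ACL), and handles only plain `any` / `host` / network-mask operands; object-based ACEs are skipped.

```python
import ipaddress
from collections import namedtuple

# Constructed sample: the four ACEs quoted in the question, one per line.
SAMPLE_CONFIG = """
access-list LANA_access_in extended permit ip any any log debugging inactive
access-list LANA_access_in extended permit icmp any any log debugging inactive
access-list LANA_access_in extended permit icmp 172.12.10.0 255.255.255.0 10.5.83.0 255.255.255.0
access-list LANA_access_in extended permit ip 172.12.10.0 255.255.255.0 10.5.83.0 255.255.255.0
"""

Ace = namedtuple("Ace", "acl proto src dst inactive line")

def take_addr(tok, i):
    """Read one 'any' | 'host A' | 'A MASK' operand starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse a plain extended ACE; object-based ACEs are skipped here."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        return None
    if "object" in tok or "object-group" in tok:
        return None
    src, i = take_addr(tok, 5)
    dst, i = take_addr(tok, i)
    # 'inactive' is the ASA keyword that disables an entry without deleting it.
    return Ace(tok[1], tok[4], src, dst, "inactive" in tok[i:], line)

def covers(a, b):
    """True if ACE a is active and matches every packet ACE b would match."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    return (not a.inactive and proto_ok
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))

def shadowed(config_text):
    """Map ACL name -> [(shadowed line, earlier active line that covers it)]."""
    aces = [a for a in map(parse_ace, config_text.strip().splitlines()) if a]
    found = {}
    for idx, b in enumerate(aces):
        # Same-ACL only: an interface ACL is evaluated before the global ACL.
        for a in aces[:idx]:
            if a.acl == b.acl and covers(a, b):
                found.setdefault(b.acl, []).append((b.line, a.line))
                break
    return found
```

Run `shadowed(SAMPLE_CONFIG)` to see the result for the lines as posted, and `shadowed(SAMPLE_CONFIG.replace(" inactive", ""))` to see what the same ACL would look like with the first two entries enabled.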

Objects and object groups are reusable constructs, and help to:

  • Maintain configuration consistency.
  • Declutter the run/start config.
  • Manage lengthy entries in one place.

    ASAv10[config]# object-group ?
    configure mode commands/options:
      icmp-type  Specifies a group of ICMP types, such as echo
      network    Specifies a group of host or subnet IP addresses
      protocol   Specifies a group of protocols, such as TCP, etc
      security   Specifies identity attributes such as security-group
      service    Specifies a group of TCP/UDP ports/services
      user       Specifies single user, local or import user group

NETWORK

The network object group can reference IP Networks, Hosts, or an already defined object with the "object network" command.

The object-group network supports nesting of other group-objects; however, they must be the same type.

PROTOCOL

The protocol object group is used to identify ONLY IP protocols [tcp, udp, esp, ah, ...]

    ASAv10[config-protocol-object-group]# ?
      description      Specify description text
      group-object     Configure an object group as an object
      help             Help for protocol object-group configuration commands
      no               Remove an object or description from object-group
      protocol-object  Configure a protocol object

SERVICE

The most confusing one, because it includes protocols and ports, and implies the direction of the flow.

Note that the options are NOT the same depending on which sub-level we are in.

    ASAv10[config]# object-group service SRV ?
    configure mode commands/options:
      tcp      Specifies this object-group is for TCP protocol only
      tcp-udp  Specifies this object-group is for both TCP & UDP
      udp      Specifies this object-group is for UDP protocol only

For the options tcp, tcp-udp and udp we have the following:

    ASAv10[config]# object-group service SRV tcp
    ASAv10[config-service-object-group]# ?
      port-object   Configure a port object

If we do not specify the protocol we get the following:

    ASAv10[config]# object-group service SRV
    ASAv10[config-service-object-group]# ?
      service-object  Configure a service object

It is important to remember that there is a difference [port-object VS service-object], because the placement and behaviour of the object-group in the ACL is not the same!!! [We will discuss it further down.]

Application of object groups to the ACL

Let's consider a simple topology, where the objective is to telnet from the loopback of R1 to the SW1 SVI interface.

First, we define the network objects and the object group networks.

    ASAv10[config]# object network R1_NETWORK
    ASAv10[config-network-object]# range 10.0.4.70 10.0.4.75
    ASAv10[config]# object-group network R1_NETWORK_GROUP
    ASAv10[config-network-object-group]# network-object object R1_NETWORK

The network object created can be referenced in the object-group. Note that we can have multiple objects in the network group, which is NOT the case in the object network [only one statement].

Now let's define the object-group for the Switch SVI using the 'host' keyword:

    ASAv10[config]# object-group network SW_SVI
    ASAv10[config-network-object-group]# network-object host 10.0.1.2

Defining a service group using the TCP option

    ASAv10[config]# object-group service TELNET tcp
    ASAv10[config-service-object-group]# port-object eq telnet

The two commands above create a tcp service for port 23. Note that in the sub-level there is NO specification of the protocol [because it is already set to tcp] and, more important, no specification of the source or destination.

Now let's configure the ACL and apply it to the OUTSIDE interface.

    ASAv10[config]# access-list TELNET_ACCESS extended permit tcp object-group R1_NETWORK_GROUP object-group SW_SVI object-group TELNET
    ASAv10[config]# access-group TELNET_ACCESS in interface OUTSIDE

We created an access-list named TELNET_ACCESS which will permit any tcp connection from the group named R1_NETWORK_GROUP if the destination is the group SW_SVI and the DESTINATION port [to the SW_SVI] is in the group TELNET.

NOTE: We have to specify 'permit tcp' in the ACL, because it is not defined in the service group TELNET.

Question: What will happen if we enter 'permit udp' instead of 'permit tcp'?

    ASAv10[config]# access-list TELNET_ACCESS extended permit udp object-group R1_NETWORK_GROUP object-group SW_SVI object-group TELNET
    Specified protocol and service object group [TELNET] are inconsistent

The ASA is complaining that the protocol and the service are not compatible, which is logical.

Let's go a bit further:

What if we CHANGE the 'permit tcp' to a protocol object group?

    ASAv10[config]# object-group protocol PROTO
    ASAv10[config-protocol-object-group]# protocol-object tcp

Now the ACL will be as follows:

    ASAv10[config]# access-list TELNET_ACCESS extended permit object-group PROTO object-group R1_NETWORK_GROUP object-group SW_SVI object-group TELNET

Here we have it, BUT what if we define tcp and udp [or any other IP protocol] inside the object group PROTO?

    ASAv10[config]# object-group protocol PROTO
    ASAv10[config-protocol-object-group]# protocol-object udp
    ASAv10[config-protocol-object-group]# sh object-group
    object-group protocol PROTO
     protocol-object tcp
     protocol-object udp
    ASAv10[config]# access-list TELNET_ACCESS extended permit object-group PROTO object-group R1_NETWORK_GROUP object-group SW_SVI object-group TELNET
    Specified protocol and service object group [TELNET] are inconsistent

NOP, the ASA doesn't take it. WHY is that? Simple, because object group TELNET is defined as a tcp construct. Let's confirm that by modifying the object group TELNET from tcp to tcp-udp.

    ASAv10[config]# no object-group service TELNET tcp
    ASAv10[config]# object-group service TELNET tcp-udp
    ASAv10[config-service-object-group]# port-object eq 23
    ASAv10[config]# access-list TELNET_ACCESS extended permit object-group PROTO object-group R1_NETWORK_GROUP object-group SW_SVI object-group TELNET
    ASAv10[config]#

As expected, the ASA took the ACL configuration because the object group TELNET is now defined to support both TCP and UDP.

The behaviour of the ASA is the same for the tcp, udp and tcp-udp options. To summarize:

  • The protocol to use must be specified.
  • The protocol and service must match.
  • The placement of the object group will define if it is the source or destination port/ports.

Defining a service group with NO option

We will use the same object groups, the only difference will be in the service object group TELNET.

    ASAv10[config]# object-group service TELNET
    ASAv10[config-service-object-group]# ?
      description     Specify description text
      group-object    Configure an object group as an object
      help            Help for service object-group configuration commands
      no              Remove an object or description from object-group
      service-object  Configure a service object
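An added example, not part of the answer above: a Python check that models the consistency rule the answer demonstrates between an ACE's protocol (a keyword or a protocol object-group) and a service object-group created with the tcp, udp or tcp-udp option. It assumes the ASA accepts the ACE only when every protocol the ACE names is within the service group's protocol set; the group name TELNET_BOTH is constructed for the sample, and groups created with no option (service-object) are left unchecked.

```python
# Constructed config reproducing the object groups defined in the answer above.
CONFIG = """
object-group protocol PROTO
 protocol-object tcp
 protocol-object udp
object-group service TELNET tcp
 port-object eq telnet
object-group service TELNET_BOTH tcp-udp
 port-object eq 23
"""

def parse_groups(text):
    """Return {'protocol': {name: protocols}, 'service': {name: protocols}}.

    A service group created with the tcp, udp or tcp-udp option carries that
    protocol set; a group created with no option is left empty (unchecked).
    """
    groups, current = {"protocol": {}, "service": {}}, None
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "object-group" and tok[1] in groups:
            kind, name = tok[1], tok[2]
            groups[kind][name] = set(tok[3].split("-")) if len(tok) > 3 else set()
            current = (kind, name)
        elif tok[0] == "protocol-object" and current:
            groups[current[0]][current[1]].add(tok[1])
    return groups

def check_ace(ace, groups):
    """Return None if the ACE is consistent, else the ASA's error text."""
    tok = ace.split()
    i = tok.index("permit" if "permit" in tok else "deny") + 1
    # The protocol is either a keyword or a protocol object group.
    protos = groups["protocol"][tok[i + 1]] if tok[i] == "object-group" else {tok[i]}
    # The trailing object group, if it is a service group, is the port group.
    svc = tok[-1] if tok[-2] == "object-group" else None
    svc_protos = groups["service"].get(svc, set())
    if svc_protos and not protos <= svc_protos:
        return f"Specified protocol and service object group [{svc}] are inconsistent"
    return None
```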
