The use of object groups (network objects, service objects, etc.) is becoming more popular on Cisco ASA firewalls, especially with OS version 8.3(x). In this version, network objects and object groups are used extensively for the configuration of NAT, in addition to their other uses. In this post I will show a quick example of using object groups with access lists. In another post I will expand this to show how object groups are used with NAT as well.

Suppose we have a few web servers located on a DMZ which are accessed from the Internet. We want to allow HTTP (TCP 80) and HTTPS (TCP 443) access from the Internet to these web servers.

Assume that we have already configured static NAT for those web servers, translating their real private IP addresses to the following public IP addresses:

Web Server1: 50.50.50.1
Web Server2: 50.50.50.2
Web Server3: 50.50.50.3

Configuration of the access list using object groups (pre-8.3 syntax, where the access list matches the translated public IP addresses):

! create a service group for the http and https protocols
object-group service http-protocols tcp
port-object eq 80
port-object eq 443

! create a network object group for the web servers
object-group network webservers
network-object host 50.50.50.1
network-object host 50.50.50.2
network-object host 50.50.50.3

! create the access list applied inbound on the outside interface
access-list OUTSIDE-IN extended permit tcp any object-group webservers object-group http-protocols

access-group OUTSIDE-IN in interface outside

EDIT (ASA versions 8.3 and later):

From ASA 8.3 onward, an access list always matches the real (untranslated) IP address of a host and NOT the translated (mapped) IP address, because the ASA now untranslates the destination before the access list is evaluated. So, in our example above, the "webservers" object group must contain the real (private) IP addresses of the servers and not the translated public IPs. The service object group and the access-group command stay the same.

! create a network object group for the web servers with their Real private IP
object-group network webservers
network-object host 192.168.1.1
network-object host 192.168.1.2
network-object host 192.168.1.3

! create the access list applied inbound on the outside interface
access-list OUTSIDE-IN extended permit tcp any object-group webservers object-group http-protocols

access-group OUTSIDE-IN in interface outside
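Below is the complete 8.3+ configuration with the static NAT that the example assumes, written out as an added example (it is not from the original post): each server is a network object carrying its real address and its own static NAT, the object group references those objects, and the access list therefore matches the real addresses. The interface names dmz and outside, the object names WEB1 to WEB3 and the packet-tracer source address 203.0.113.10 are my assumptions; the IP addresses and group names are the ones used above.

```cisco
! Added example (not from the original post): ASA 8.3+ object NAT plus the
! access list that matches the servers' real addresses.
! Assumed interface names: dmz (servers) and outside (Internet).

! One network object per server: real IP plus its static NAT to the public IP
object network WEB1
 host 192.168.1.1
 nat (dmz,outside) static 50.50.50.1
object network WEB2
 host 192.168.1.2
 nat (dmz,outside) static 50.50.50.2
object network WEB3
 host 192.168.1.3
 nat (dmz,outside) static 50.50.50.3

! Group the objects; the group resolves to the real 192.168.1.x addresses
object-group network webservers
 network-object object WEB1
 network-object object WEB2
 network-object object WEB3

! TCP ports allowed to the web servers
object-group service http-protocols tcp
 port-object eq 80
 port-object eq 443

! Inbound policy on the outside interface, written against real addresses
access-list OUTSIDE-IN extended permit tcp any object-group webservers object-group http-protocols
access-group OUTSIDE-IN in interface outside

! Checks. show nat lists the three static translations with their hit counts.
show nat

! Simulate an Internet client (assumed source 203.0.113.10) reaching the
! public address. The packet enters with the mapped IP 50.50.50.1; the UN-NAT
! phase rewrites it to 192.168.1.1 before the ACCESS-LIST phase runs, so the
! first trace should end with "Action: allow" and the second (port 22) with
! "Action: drop".
packet-tracer input outside tcp 203.0.113.10 40000 50.50.50.1 80
packet-tracer input outside tcp 203.0.113.10 40000 50.50.50.1 22
```

The failure mode to watch for after an upgrade is that the pre-8.3 group with the 50.50.50.x addresses is still accepted by an 8.3+ ASA without any error; the packet-tracer on port 80 then shows the packet being dropped in the ACCESS-LIST phase, because the destination has already been untranslated to 192.168.1.1, which that group does not contain.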