TABLE OF CONTENTS Introduced in 6.2, object grouping makes very complex ACLs much simpler to maintain and support. Object groups define groups of network addresses, services, protocols, and ICMP types, thereby reducing the number of ACL entries needed.
For example, to deny inside users access to a number of external FTP servers requires an ACL be defined for each individual FTP server. With object groups, a network object group containing a list of IP addresses of the FTP servers can be defined and applied. The ACL can then deny this network object group, rather than individual entries for each FTP server. The ACL does not need to be modified if entries are added or removed from the object group.
There are four types of object groups: icmp-type, protocol, network, and service. Each type corresponds to a field in the access-list or conduit command.
An ICMP-type object group is a group of ICMP-type numerical or literal values. ICMP-type object groups can replace the icmp-type parameter in an ACL or conduit ( object-group icmp-type
Once an object group has been defined, the subconfiguration mode enables the object group to be populated. An optional description can be specified using the description subcommand. To populate the ICMP-type object group, use the icmp-object
For example, the following object group defines ICMP-type values that will be filtered with an ACL or conduit.
PIX1(config)# <b class="bold">object-group icmp-type icmp-grp</b>PIX1(config-icmp-type)# <b class="bold">description ICMP Type allowed into...
