12/18/2019

ASA-ACL-OBJECT-GR


=======  ASA MPF (Modular Policy Framework) ======

INGRESS:  MPF (the service-policy) is applied first, then the interface ACL.
EGRESS:   the interface ACL is checked first.


====================== ASA ACL Object Groups ================

There are four object-group types:

1. protocol
      tcp, udp, esp, gre, etc.

2. network
      host addresses, subnets, etc.

3. service
      tcp and/or udp port numbers (the group is declared as tcp, udp or tcp-udp)

4. icmp-type
      echo, echo-reply, unreachable, etc.


example (the inside server addresses are written as 10.0.0.100 and 10.0.0.101; the original note had the incomplete "10.0.100" and "10.0.101"):

object-group network OUTSIDE_TRUSTED_HOSTS
    network-object host 200.0.0.1
    network-object host 200.0.0.2

object-group network PUBLIC_INSIDE_SERVERS
    network-object host 10.0.0.100
    network-object host 10.0.0.101

object-group service PUBLIC_INSIDE_SERVER_PORTS tcp
    port-object eq www
    port-object eq https
    port-object eq smtp

access-list 101 extended permit tcp object-group OUTSIDE_TRUSTED_HOSTS object-group PUBLIC_INSIDE_SERVERS object-group PUBLIC_INSIDE_SERVER_PORTS

The general form of that line is:

access-list <acl-name> extended permit tcp object-group <SOURCE-IPs> object-group <DESTINATION-IPs> object-group <DESTINATION-PORTS>

(the group names must match the object-group definitions exactly, or the ACL will not reference them).

access-group 101 in interface outside


This way you don't need a separate access-list line for every additional server or every outside host that needs access: adding a host to the group is enough. Keep in mind that the ASA expands each object-group ACE into one entry per combination of source, destination and port (visible with "show access-list"), so a host added to a group immediately gets every permission that every ACE referencing that group grants. Review group membership as carefully as the ACLs themselves.
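To make the expansion concrete, here is a small script that takes the configuration above, expands the object-group ACE into the individual entries the ASA would build, and flags any object-group a line references but the config never defines. This is an added example written for this page, not the blog author's or Cisco's code; the config is a constructed sample, with the inside servers assumed to be 10.0.0.100 and 10.0.0.101.

```python
"""Expand ASA object-group ACEs into flat entries (added example, not from the post).

Parses a minimal subset of ASA syntax: network groups (host and subnet
members), service groups (eq/range port members) and access-list lines
that use object-group for source, destination and service.
"""
import re
from itertools import product

# Constructed sample config, mirroring the example in the post.
# Assumption: the post's "10.0.100" means 10.0.0.100 (and likewise .101).
SAMPLE_CONFIG = """
object-group network OUTSIDE_TRUSTED_HOSTS
    network-object host 200.0.0.1
    network-object host 200.0.0.2
object-group network PUBLIC_INSIDE_SERVERS
    network-object host 10.0.0.100
    network-object host 10.0.0.101
object-group service PUBLIC_INSIDE_SERVER_PORTS tcp
    port-object eq www
    port-object eq https
    port-object eq smtp
access-list 101 extended permit tcp object-group OUTSIDE_TRUSTED_HOSTS object-group PUBLIC_INSIDE_SERVERS object-group PUBLIC_INSIDE_SERVER_PORTS
access-group 101 in interface outside
"""

GROUP_HEADER_RE = re.compile(r"object-group (network|service) (\S+)")
ACE_RE = re.compile(
    r"access-list (\S+) extended (permit|deny) (\S+) "
    r"object-group (\S+) object-group (\S+) object-group (\S+)"
)


def parse_object_groups(config):
    """Return {group_name: [member, ...]} with members in ASA address/port form."""
    groups = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = GROUP_HEADER_RE.match(line)
        if header:
            current = header.group(2)
            groups[current] = []
            continue
        if current is None:
            continue
        if line.startswith("network-object "):
            # "host A.B.C.D" or "NET MASK": keep the ASA form as-is.
            groups[current].append(line[len("network-object "):])
        elif line.startswith("port-object "):
            # "eq www" or "range 1024 65535"
            groups[current].append(line[len("port-object "):])
        else:
            # Any other command (access-list, access-group, ...) ends the group.
            current = None
    return groups


def expand_acl(config):
    """Expand object-group ACEs into one flat ACE per (src, dst, port) combination.

    Returns (flat_aces, undefined_groups). An ACE that references a group
    the config never defines is skipped and the missing names are reported,
    which catches typos such as PUBLICK_INSIDE_SERVERS.
    """
    groups = parse_object_groups(config)
    flat, undefined = [], []
    for raw in config.splitlines():
        ace = ACE_RE.match(raw.strip())
        if not ace:
            continue
        name, action, proto, src, dst, svc = ace.groups()
        missing = [g for g in (src, dst, svc) if g not in groups]
        if missing:
            undefined.extend(missing)
            continue
        for s, d, p in product(groups[src], groups[dst], groups[svc]):
            flat.append(f"access-list {name} extended {action} {proto} {s} {d} {p}")
    return flat, undefined


if __name__ == "__main__":
    aces, missing = expand_acl(SAMPLE_CONFIG)
    print(f"{len(aces)} expanded entries, undefined groups: {missing}")
    for entry in aces:
        print(entry)
```

Running it on the sample prints the 2 x 2 x 3 = 12 entries the single object-group line stands for; feeding it a config with a misspelled group name returns the misspelled name in the second element instead of silently producing zero entries.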
