• (Repost) Practical use of the object-group command on a firewall. (2010-11-11 10:03:53)


    RLooo's blog: http://blog.sina.com.cn/s/blog_59879e3a0100o5w1.html

    Using object-group greatly reduces the amount of configuration work; it is very practical.

    Configuration on the firewall:

    object-group service gjlyd tcp
      description used for hai nai guo ji lv you dao server
      port-object eq 445
      port-object eq ftp
      port-object eq 3389
      port-object eq www
      port-object eq 8080
      port-object eq 1433
    object-group network gjlydser
      network-object host 10.9.2.66
      network-object host 10.9.2.67
      network-object host 10.9.2.68

    access-list inside permit tcp host 10.2.57.67 object-group gjlydser object-group gjlyd
    access-list inside permit tcp host 10.2.57.151 object-group gjlydser object-group gjlyd

    Output (a pleasure to look at):

    access-list inside line 494 permit tcp host 10.2.57.67 object-group gjlydser object-group gjlyd
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.66 eq 445 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.66 eq ftp (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.66 eq 3389 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.66 eq www (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.66 eq 8080 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.66 eq 1433 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.67 eq 445 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.67 eq ftp (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.67 eq 3389 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.67 eq www (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.67 eq 8080 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.67 eq 1433 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.68 eq 445 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.68 eq ftp (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.68 eq 3389 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.68 eq www (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.68 eq 8080 (hitcnt=0)
    access-list inside line 494 permit tcp host 10.2.57.67 host 10.9.2.68 eq 1433 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 object-group gjlydser object-group gjlyd
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.66 eq 445 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.66 eq ftp (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.66 eq 3389 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.66 eq www (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.66 eq 8080 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.66 eq 1433 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.67 eq 445 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.67 eq ftp (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.67 eq 3389 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.67 eq www (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.67 eq 8080 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.67 eq 1433 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.68 eq 445 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.68 eq ftp (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.68 eq 3389 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.68 eq www (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.68 eq 8080 (hitcnt=0)
    access-list inside line 495 permit tcp host 10.2.57.151 host 10.9.2.68 eq 1433 (hitcnt=0)
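
The expansion in the output above is the cross product of the destination hosts and the ports, so each configured line becomes 3 × 6 = 18 ACEs. The Python script below is an added example, not code from the original post or from Cisco: it reproduces that expansion from the config text so that a rule review sees every host/port pair a single object-group line permits. It assumes only the `network-object host` and `port-object eq` forms used on this page.

```python
import re
from itertools import product

# Constructed sample: the object-groups and ACL lines from the post.
CONFIG = """\
object-group service gjlyd tcp
  description used for hai nai guo ji lv you dao server
  port-object eq 445
  port-object eq ftp
  port-object eq 3389
  port-object eq www
  port-object eq 8080
  port-object eq 1433
object-group network gjlydser
  network-object host 10.9.2.66
  network-object host 10.9.2.67
  network-object host 10.9.2.68
access-list inside permit tcp host 10.2.57.67 object-group gjlydser object-group gjlyd
access-list inside permit tcp host 10.2.57.151 object-group gjlydser object-group gjlyd
"""

ACL_RE = re.compile(r"access-list (\S+) (permit|deny) (\S+) host (\S+) "
                    r"object-group (\S+) object-group (\S+)$")

def parse_groups(text):
    """Return {group name: [members]} for host and port object-groups."""
    groups, current = {}, None
    for line in text.splitlines():
        w = line.split()
        if w[:1] == ["object-group"] and len(w) >= 3:
            current = groups.setdefault(w[2], [])
        elif not line.startswith(" "):
            current = None  # any other unindented line ends the group
        elif current is not None and w[:2] in (["network-object", "host"], ["port-object", "eq"]):
            current.append(" ".join(w[1:3]))  # "host 10.9.2.66" or "eq 445"
    return groups

def expand(text):
    """Expand every object-group ACL line into its individual ACEs."""
    groups, aces = parse_groups(text), []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, action, proto, src, dst_grp, svc_grp = m.groups()
        if dst_grp not in groups or svc_grp not in groups:
            raise ValueError(f"undefined object-group in: {line.strip()}")
        for dst, port in product(groups[dst_grp], groups[svc_grp]):
            aces.append(f"access-list {name} {action} {proto} host {src} {dst} {port}")
    return aces
```

`expand(CONFIG)` returns 36 entries in the same order as the firewall output above; adding one host to `gjlydser` grows that to 48 without touching either access-list line.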

  • Original address: https://www.cnblogs.com/paddingtoneyes/p/11610557.html