
3-28
Cisco PIX Firewall and VPN Configuration Guide
78-15033-01
Chapter 3 Controlling Network Access and Use
Simplifying Access Control with Object Grouping
Note: The show config and write commands display the commands in the same way they are configured.
Configuring Protocol Object Groups
This section describes the commands required to configure a protocol object group.
Enter the following command to enable the protocol object subcommand mode:
pix(config)# object-group protocol grp-id
Enter the following command to add a single protocol to the current protocol object group:
pix(config-protocol)# protocol-object protocol
Replace protocol with the numeric identifier of the specific IP protocol (1 to 254) or a literal keyword identifier (icmp, tcp, or udp). If you wish to include all IP protocols, use the keyword ip.
Enter the following command to add the object group identified by grp-id to the current protocol object group:
pix(config-protocol)# group-object grp-id
Configuring Network Object Groups
This section describes the commands required to configure a network object group.
Enter the following command to enable the network object subcommand mode:
pix(config)# object-group network grp-id
Enter the following command to add a single host name or IP address (with subnetwork mask) to the current network object group:
pix(config-network)# network-object host host_addr | net_addr netmask
Replace host_addr with the IP address of the host you are adding to the group. Replace net_addr and netmask with the network number and subnet mask for a subnetwork.
Enter the following command to add the object group identified by grp-id to the current network object group (the referenced group must already exist):
pix(config-network)# group-object grp-id
Configuring Service Object Groups
This section describes the commands required to configure a service object group.
Enter the following command to enable the service object subcommand mode:
pix(config)# object-group service grp-id {tcp|udp|tcp-udp}
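The following is an added worked example that is not part of the Cisco guide. It carries the three procedures above (protocol, network and service object groups) through on one PIX and then applies the groups in an access list, which is what the groups exist for. The group names ALLOWED_PROTOS, WEB_SERVERS, MGMT_HOSTS and WEB_PORTS, the addresses, the access list name OUTSIDE_IN and the port-object subcommands (which belong to the service-group procedure but are not shown in this excerpt) are assumptions for illustration.

```cisco
! Added example, not from the Cisco guide. Group names, addresses and
! the access list name are hypothetical.

! Protocol object group: ICMP plus TCP. A numeric identifier (1-254)
! works as well, e.g. "protocol-object 50" for ESP.
pix(config)# object-group protocol ALLOWED_PROTOS
pix(config-protocol)# protocol-object icmp
pix(config-protocol)# protocol-object tcp
pix(config-protocol)# exit

! Network object group: one subnet plus one host.
pix(config)# object-group network WEB_SERVERS
pix(config-network)# network-object 192.168.10.0 255.255.255.0
pix(config-network)# network-object host 192.168.20.5
pix(config-network)# exit

! Nested network group: MGMT_HOSTS includes WEB_SERVERS by reference.
! WEB_SERVERS must already exist, otherwise group-object is rejected.
pix(config)# object-group network MGMT_HOSTS
pix(config-network)# network-object host 10.0.0.10
pix(config-network)# group-object WEB_SERVERS
pix(config-network)# exit

! Service object group (TCP): ports 80 and 443. The port-object
! subcommands are part of the service-group procedure, not shown above.
pix(config)# object-group service WEB_PORTS tcp
pix(config-service)# port-object eq 80
pix(config-service)# port-object eq 443
pix(config-service)# exit

! Apply the groups in an access list. One ACE with groups replaces
! the cross product of individual host/port entries.
pix(config)# access-list OUTSIDE_IN permit tcp any object-group WEB_SERVERS object-group WEB_PORTS
pix(config)# access-list OUTSIDE_IN permit object-group ALLOWED_PROTOS object-group MGMT_HOSTS object-group WEB_SERVERS
pix(config)# access-group OUTSIDE_IN in interface outside

! Verify what the firewall actually enforces: show access-list lists
! the expanded per-host/per-port entries, show object-group the groups.
pix(config)# show object-group
pix(config)# show access-list OUTSIDE_IN
```

Two practical checks: after any change, read the output of show access-list rather than the object-group definitions, because it is the expanded entries (and their hit counts) that the PIX evaluates; and expect the PIX to refuse to delete a group (no object-group) while an access list or another group still references it, so remove the references first.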