We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is Why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • [geot exclude_region="No Trial" ] Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career![/geot]
  • Full Access to our 541 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)


288 New Members signed up the last 30 days!


100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,

Notable Replies

  1. Thanks Rene,

    I got that but a doubt strike me - lets start with the below configuration:

    network object  TEST1

    object-group network dmz
      description     Specify description text
      group-object    Configure an object group as an object
      help            Help for network object-group configuration commands
      network-object  Configure a network object
      no              Remove an object or description from object-group

    ASA-FW01(config-network-object-group) network-object ?
      network-object-group mode commands/options:
      Hostname or A.B.C.D  Enter an IPv4 network address
      X:X:X:X::X/<0-128>   Enter an IPv6 prefix
      host                 Enter this keyword to specify a single host object
      object               Enter this keyword to specify a network object
    FW01(config-network-object-group)# network-object  
    FW01(config-network-object-group)# network-object object TEST1

    So my question is when I can populate the group with this command -- network-object -- why should I create a network-object TEST1 and then place this object-network under the group as FW01(config-network-object-group)
    network-object object TEST1

  2. Hi Asi,

    You don't have to use object-groups but they can make your access-lists much easier to read. Let me give you an example:

    ASA# show run | incl access-list VIRL
    access-list VIRL extended permit tcp any object VIRL object-group VIRL_PORTS

    The access-list above only has one line. The object called VIRL can access the ports in VIRL_PORTS. When you take a closer look, you can see there are quite some statements:

    ASA# show access-list VIRL      
    access-list VIRL; 12 elements; name hash: 0xa226aadb
    access-list VIRL line 1 extended permit tcp any object VIRL object-group VIRL_PORTS (hitcnt=5339) 0x34bff8c2 
      access-list VIRL line 1 extended permit tcp any host eq 19399 (hitcnt=5339) 0x10a4e819 
      access-list VIRL line 1 extended permit tcp any host eq 19401 (hitcnt=0) 0x28d7ccd3 
      access-list VIRL line 1 extended permit tcp any host eq 19402 (hitcnt=0) 0xbd35246b 
      access-list VIRL line 1 extended permit tcp any host range 17000 18000 (hitcnt=1) 0xe834b3a3 
      access-list VIRL line 1 extended permit tcp any host eq www (hitcnt=44) 0x9ba2364f 
      access-list VIRL line 1 extended permit tcp any host eq 19400 (hitcnt=0) 0x5a336e3c

    By using object-groups, you can make your access-lists shorter and much easier to read.


  3. Rene, first I created two object groups:

    object-group network guest.net.obj 
     description Guest IP Addresses
    object-group service guest.svc.obj 
     description Guest Services
     tcp eq 443
     tcp eq pop3
     tcp eq www
     udp eq domain
     tcp eq 67
     tcp eq 143
     tcp eq 993
     tcp eq 995
     tcp eq smtp

    I then added these object groups to an ACL in the incorrect order:

    R1842(config-ext-nacl)#permit object-group guest.net.obj object-group guest.svc.obj any 
    Object group type mismatch                                                         ^
    % Invalid input detected at '^' marker.

    Going back a step:

    R1842(config-ext-nacl)#permit object-group ?
      WORD Service object group name

    Adding them in the correct order:

    R1842(config-ext-nacl)#permit object-group guest.svc.obj object-group guest.net.obj any

    It seems with routers that the service object-group must be added before the network object-group. This caused me great frustration when I first started using object-groups. My router is an 1841 running c1841-adventerprisek9-mz.151-4.M10.bin

  4. Hi Matt,

    I see what you mean. Normally the format of an extended access-list statement looks like this:

    So it kinda makes sense to use the service object group in the beginning since you specify the protocol with it. The big difference is that is also includes the port numbers which we normally end at the end of the statement.


  5. Hello Rene,

    I came across a couple of complex ACLs lately and it took me a while to figure out their meaning. I thought it would be worth mentioning some of these in your courses.

    object-group service MyProto
    service-object tcp destination eq 80
    service-object tcp-udp destination eq 9100
    service-object tcp-udp destination range 34322 34325
    service-object tcp source eq 389

    access-list Access_in extended permit object-group MyProto object-group My_hosts_1 object-group My_hosts_2 log

    In that example, all services were listed together, including different protocols, destination port or source port. These allowed services were then used in access-lists, between source and destination host groups. The command formatting was really odd...


Continue the discussion forum.networklessons.com

12 more replies