Content created by Rene Molenaar (CCIE #41726)


Notable Replies

  1. Thanks Rene,

    I got that, but a doubt struck me. Let's start with the configuration below:

    network object  TEST1
    subnet 10.0.0.42.0 255.255.255.0

    object-group network dmz
    ASA-FW01(config-network-object-group)?
      
      description     Specify description text
      group-object    Configure an object group as an object
      help            Help for network object-group configuration commands
      network-object  Configure a network object
      no              Remove an object or description from object-group

    ASA-FW01(config-network-object-group) network-object ?
    
      network-object-group mode commands/options:
      Hostname or A.B.C.D  Enter an IPv4 network address
      X:X:X:X::X/<0-128>   Enter an IPv6 prefix
      host                 Enter this keyword to specify a single host object
      object               Enter this keyword to specify a network object
    
    FW01(config-network-object-group)# network-object 10.0.32.0 255.255.255.0  
    FW01(config-network-object-group)# network-object object TEST1

    So my question is: when I can populate the group with this command -- network-object 10.0.32.0 255.255.255.0 -- why should I create a network object TEST1 and then place that object under the group with FW01(config-network-object-group)# network-object object TEST1?

  2. Hi Asi,

    You don't have to use object-groups but they can make your access-lists much easier to read. Let me give you an example:

    ASA# show run | incl access-list VIRL
    access-list VIRL extended permit tcp any object VIRL object-group VIRL_PORTS

    The access-list above only has one line. The object called VIRL can access the ports in VIRL_PORTS. When you take a closer look, you can see there are quite a few statements:

    ASA# show access-list VIRL      
    access-list VIRL; 12 elements; name hash: 0xa226aadb
    access-list VIRL line 1 extended permit tcp any object VIRL object-group VIRL_PORTS (hitcnt=5339) 0x34bff8c2 
      access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19399 (hitcnt=5339) 0x10a4e819 
      access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19401 (hitcnt=0) 0x28d7ccd3 
      access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19402 (hitcnt=0) 0xbd35246b 
      access-list VIRL line 1 extended permit tcp any host 192.168.1.1 range 17000 18000 (hitcnt=1) 0xe834b3a3 
      access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq www (hitcnt=44) 0x9ba2364f 
      access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19400 (hitcnt=0) 0x5a336e3c

    By using object-groups, you can make your access-lists shorter and much easier to read.

    Rene

  3. Rene, first I created two object groups:

    object-group network guest.net.obj 
     description Guest IP Addresses
     range 20.1.1.50 20.1.1.254
    !
    object-group service guest.svc.obj 
     description Guest Services
     tcp eq 443
     tcp eq pop3
     tcp eq www
     udp eq domain
     tcp eq 67
     tcp eq 143
     tcp eq 993
     tcp eq 995
     tcp eq smtp

    I then added these object groups to an ACL in the incorrect order:

    R1842(config-ext-nacl)#permit object-group guest.net.obj object-group guest.svc.obj any 
    Object group type mismatch                                                         ^
    % Invalid input detected at '^' marker.

    Going back a step:

    R1842(config-ext-nacl)#permit object-group ?
      WORD Service object group name

    Adding them in the correct order:

    R1842(config-ext-nacl)#permit object-group guest.svc.obj object-group guest.net.obj any
    R1842(config-ext-nacl)#

    It seems with routers that the service object-group must be added before the network object-group. This caused me great frustration when I first started using object-groups. My router is an 1841 running c1841-adventerprisek9-mz.151-4.M10.bin

  4. Hi Jeff,

    These can be difficult to read if you find them in the running configuration. If you use the show access-list command, you can see the exact statements that are in effect. For example:

    access-list Access_in extended permit object-group MyProto object-group My_hosts_1 object-group My_hosts_2 log

    Looks like:

    ASA1(config)# show access-list Access_in
    access-list Access_in; 24 elements; name hash: 0x49ffabc6
    access-list Access_in line 1 extended permit object-group MyProto object-group My_hosts_1 object-group My_hosts_2 log informational interval 300 (hitcnt=0) 0x20b02f98 
      access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.3 eq www log informational interval 300 (hitcnt=0) 0x7003edd0 
      access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.4 eq www log informational interval 300 (hitcnt=0) 0xa57780eb 
      access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.3 eq www log informational interval 300 (hitcnt=0) 0x2635cf29 
      access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.4 eq www log informational interval 300 (hitcnt=0) 0x9d5c28eb 
      access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.3 eq 9100 log informational interval 300 (hitcnt=0) 0xb6038e1e 
      access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.4 eq 9100 log informational interval 300 (hitcnt=0) 0xe1b23888 
      access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.3 eq 9100 log informational interval 300 (hitcnt=0) 0x3e748362 
      access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.4 eq 9100 log informational interval 300 (hitcnt=0) 0x013364af 
      access-list Access_in line 1 extended permit udp host 192.168.1.1 host 192.168.1.3 eq 9100 log informational interval 300 (hitcnt=0) 0xbefad335 
      access-list Access_in line 1 extended permit udp host 192.168.1.1 host 192.168.1.4 eq 9100 log informational interval 300 (hitcnt=0) 0xf5b22b90 
      access-list Access_in line 1 extended permit udp host 192.168.1.2 host 192.168.1.3 eq 9100 log informational interval 300 (hitcnt=0) 0xa6e822bb 
      access-list Access_in line 1 extended permit udp host 192.168.1.2 host 192.168.1.4 eq 9100 log informational interval 300 (hitcnt=0) 0xabd4e176 
      access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.3 range 34322 34325 log informational interval 300 (hitcnt=0) 0xcccf50dd 
      access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.4 range 34322 34325 log informational interval 300 (hitcnt=0) 0xd92fc437 
      access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.3 range 34322 34325 log informational interval 300 (hitcnt=0) 0x848377f0 
      access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.4 range 34322 34325 log informational interval 300 (hitcnt=0) 0xc0e4b258 
      access-list Access_in line 1 extended permit udp host 192.168.1.1 host 192.168.1.3 range 34322 34325 log informational interval 300 (hitcnt=0) 0x1b0e1b45 
      access-list Access_in line 1 extended permit udp host 192.168.1.1 host 192.168.1.4 range 34322 34325 log informational interval 300 (hitcnt=0) 0xc3caafb1 
      access-list Access_in line 1 extended permit udp host 192.168.1.2 host 192.168.1.3 range 34322 34325 log informational interval 300 (hitcnt=0) 0xacf16561 
      access-list Access_in line 1 extended permit udp host 192.168.1.2 host 192.168.1.4 range 34322 34325 log informational interval 300 (hitcnt=0) 0xbe05fae2 
      access-list Access_in line 1 extended permit tcp host 192.168.1.1 eq ldap host 192.168.1.3 log informational interval 300 (hitcnt=0) 0x83280655 
      access-list Access_in line 1 extended permit tcp host 192.168.1.1 eq ldap host 192.168.1.4 log informational interval 300 (hitcnt=0) 0xde224e26 
      access-list Access_in line 1 extended permit tcp host 192.168.1.2 eq ldap host 192.168.1.3 log informational interval 300 (hitcnt=0) 0xf97b1cec 
      access-list Access_in line 1 extended permit tcp host 192.168.1.2 eq ldap host 192.168.1.4 log informational interval 300 (hitcnt=0) 0xcbbd37bd

    Here are the two object-groups that I created for this example:

    ASA1(config)# show run object-group | begin My_hosts  
    object-group network My_hosts_1
     network-object host 192.168.1.1
     network-object host 192.168.1.2
    object-group network My_hosts_2
     network-object host 192.168.1.3
     network-object host 192.168.1.4

    Rene
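    The one-line entry above turns into 24 elements because the ASA takes the cross product of the three object-groups (6 services x 2 source hosts x 2 destination hosts). The following Python script is an added example, not code from the lesson, the forum or Cisco: it parses ASA-style object-group blocks and expands an object-group ACE into the individual entries the same way show access-list renders them, so you can count and review the effective rules from a saved configuration without logging in to the firewall. The bodies of My_hosts_1 and My_hosts_2 are taken from the config shown above; the body of MyProto is an assumption reconstructed from the expanded output, and all function names are hypothetical. It also rejects an object-group placed in the wrong slot, the same kind of type mismatch Jeff's router reported when the network group came before the service group.

```python
"""Expand an ASA-style access-list entry that references object-groups into the
individual ACEs the firewall evaluates (the view `show access-list` gives).
Hypothetical helper written for this thread; not Cisco code."""
import re
from itertools import product

# Constructed config text. My_hosts_1 / My_hosts_2 mirror the forum example;
# the MyProto body is an assumption reconstructed from the expanded output.
CONFIG = """
object-group service MyProto
 service-object tcp destination eq www
 service-object tcp destination eq 9100
 service-object udp destination eq 9100
 service-object tcp destination range 34322 34325
 service-object udp destination range 34322 34325
 service-object tcp source eq ldap
object-group network My_hosts_1
 network-object host 192.168.1.1
 network-object host 192.168.1.2
object-group network My_hosts_2
 network-object host 192.168.1.3
 network-object host 192.168.1.4
"""


def parse_object_groups(config: str) -> dict:
    """Return {name: (kind, [member strings])} from object-group blocks.
    Only 'network-object' and 'service-object' lines are members; descriptions are skipped."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object-group (network|service) (\S+)", line)
        if m:
            current = m.group(2)
            groups[current] = (m.group(1), [])
        elif current and line.startswith(("network-object ", "service-object ")):
            groups[current][1].append(line.split(" ", 1)[1])
    return groups


def service_member_to_ace(member: str) -> tuple:
    """'tcp destination eq www' -> ('tcp', '', 'eq www'); source ports land in slot 2."""
    toks = member.split()
    proto, rest = toks[0], toks[1:]
    src = dst = ""
    i = 0
    while i < len(rest):
        side = rest[i]
        n = 3 if rest[i + 1] == "range" else 2        # 'range A B' vs 'eq X'
        spec = " ".join(rest[i + 1:i + 1 + n])
        if side == "source":
            src = spec
        else:
            dst = spec
        i += 1 + n
    return proto, src, dst


def _take(tokens: list, i: int) -> tuple:
    """Consume one protocol/address specifier starting at tokens[i]."""
    if tokens[i] in ("object-group", "object", "host"):
        return tokens[i:i + 2], i + 2
    if (re.match(r"\d+\.\d+\.\d+\.\d+$", tokens[i]) and i + 1 < len(tokens)
            and re.match(r"\d+\.", tokens[i + 1])):     # 'A.B.C.D MASK'
        return tokens[i:i + 2], i + 2
    return tokens[i:i + 1], i + 1


def expand_ace(ace: str, groups: dict) -> list:
    """Expand 'permit <proto> <src> <dst> [trailer]' into one string per element."""
    toks = ace.split()
    action = toks[0]
    proto_spec, i = _take(toks, 1)
    src_spec, i = _take(toks, i)
    dst_spec, i = _take(toks, i)
    trailer = " ".join(toks[i:])                       # e.g. 'log'

    def members(spec, want):
        # An object-group in the wrong slot is a type mismatch, not a silent no-op.
        if spec[0] == "object-group":
            kind, mem = groups[spec[1]]
            if kind != want:
                raise ValueError(f"object-group {spec[1]} is {kind}, expected {want}")
            return mem
        return [" ".join(spec)]

    protos = [service_member_to_ace(m) if " " in m else (m, "", "")
              for m in members(proto_spec, "service")]
    srcs = members(src_spec, "network")
    dsts = members(dst_spec, "network")
    out = []
    for (proto, sport, dport), s, d in product(protos, srcs, dsts):
        parts = [action, proto, s, sport, d, dport, trailer]
        out.append(" ".join(p for p in parts if p))
    return out


if __name__ == "__main__":
    g = parse_object_groups(CONFIG)
    for line in expand_ace("permit object-group MyProto object-group My_hosts_1 "
                           "object-group My_hosts_2 log", g):
        print(line)
```

    Running it prints the same 24 entries as the show access-list output above (minus the hit counts and hashes), which is a quick way to check that a compact object-group rule does not permit more pairs than intended before it goes onto the firewall.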

  5. Hi Rene

    Can this also be done via ASDM?
    I work on Palo Alto FW and Netscreen, and I find using the GUI easier than the CLI.

    Thank you
