topic Re: Deleting object id in Network Security

Deleting object id

mahesh18 — Tue, 12 Mar 2019 03:00:18 GMT

Hi Everyone,

When i run the command

sh run object-group id Test

network-object object 10.0.0.0

sh run object id 10.0.0.0

object network 10.0.0.0

subnet 10.0.0.0 255.0.0.0

Here i need to delete the object id 10.0.0 is there any way i can deleted this via some command

no object network 10.0.0.0?

or can i deleted like step below

config t

object-group network Test

no network-object object 10.0.0.0

Will the command above work ?

Regards

Mahesh

Message was edited by: mahesh parmar

Re: Deleting object id

Jouni Forss — Mon, 04 Nov 2013 23:04:23 GMT

Hi Mahesh,

So I guess you mean you have this configuration

object network 10.0.0.0

subnet 10.0.0.0 255.0.0.0

object-group network Test

network-object object 10.0.0.0

What is unclear to me is that do you want to remove the "object" from under the "object-group" ONLY or do you want to do what and ALSO remove the whole "object"?

If you want to remove the whole "object network 10.0.0.0" then you will have to do

object-group network Test

no network-object object 10.0.0.0

no object network 10.0.0.0

Do notice that IF this "object" is used in some configuration like ACL or NAT then the ASA wont let you remove it. So you should first check where this "object" is used to determine if its needed and then remove it if its useless.

But the above mentioned commands should be the one to achieve what you want which is remove the "object" from the "object-group" and then remove the whole "object".

The reason we remove the "object" from under the "object-group" first is because otherwise (to my understanding atleast) the ASA wont allow you to remove the "object" since its in use by other configuration.

Hope this made sense and helped

- Jouni

Deleting object id

mahesh18 — Tue, 05 Nov 2013 01:03:42 GMT

Hi Jouni,

Here is my plan what i need to do without causing outage

sh run object-group id Test

network-object object 10.0.0.0 ---------------------1

i need to replace line 1 via below command

network-object 10.0.0. 255.0.0.0

so i do not know if i can simply remove network-object object 10.0.0.0 by using

no network-object object 10.0.0.0 or not?

when you say

What is unclear to me is that do you want to remove the "object" from under the "object-group"

ONLY or do you want to do what and ALSO remove the whole "object" ?

Can you please explain about this?

Regards

MAhesh

Deleting object id

Jouni Forss — Tue, 05 Nov 2013 08:04:53 GMT

Hi,

If you have the "object-group network Test"

object-group network Test

network-object object 10.0.0.0

and you want to replace the "object" inside it with a "network-object" statement that specifies the same network then you would do

object-group network Test

network-object 10.0.0.0 255.0.0.0

no network-object object 10.0.0.0

With the last thing you ask I simply meant to ask if you ONLY wanted to remove the "object 10.0.0.0" from under the "object-group network Test" OR did you additionally want to also remove the "object network 10.0.0.0" completely from the ASA?

The main things you should do when doing any such changes is to first check where these "object-group" and "object" configurations are used. In general if you have these used in interface ACLs then these type of changes should be safe. If they "object" or "object-group" were used in some NAT configurations then I couldnt say with 100% certainty how such changes would affect on the NAT operation (even if it was just temporary effect during the change)

- Jouni

Deleting object id

mahesh18 — Tue, 05 Nov 2013 16:57:04 GMT

Hi Jouni,

I will test this on monday then will let you know how it goes.

Regards

MAhesh

Deleting object id

mahesh18 — Tue, 12 Nov 2013 17:00:05 GMT

Hi Jouni,

I did below change yesterday

object-group network Test

network-object 10.0.0.0 255.0.0.0

no network-object object 10.0.0.0

After the above change there was no issues.

However i did not delete the object id 10.0.0.0??

Regards

Mahesh

Deleting object id

Jouni Forss — Tue, 12 Nov 2013 17:04:03 GMT

Hi Mahesh,

With the above commands you mentioned you only removed the "object" called "10.0.0.0" from under the "object-group" called "Test".

If you wished to remove the whole "object network 10.0.0.0" then you would have to issue the command

no object network 10.0.0.0

But it must not be used anywhere for you to be able to remove it. Though the ASA should notify you if you have it configured in some ACL or other configuration when you are attempting to remove the actual "object".

- Jouni

Deleting object id

mahesh18 — Tue, 12 Nov 2013 18:01:44 GMT

Hi Jouni,

Thanks for additional info.

For now i am ok with current config.

In future if i need to delete whole object network 10.0.0.0 i will do as you said.

Best regards

MAhesh