https://community.cisco.com/t5/network-security/understanding-network-object-group/m-p/1599381#M595609 <P>Per my understanding you define a network object group and&nbsp; then you can issue a single command using the group name to apply to every item in the group.</P><P></P><P>object-group network NETWORK<BR /> network-object 10.40.0.0 255.254.0.0<BR /> network-object 10.41.0.0 255.254.0.0<BR /> network-object 10.42.0.0 255.254.0.0</P><P></P><P>We can support <!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} </style> <![endif]--><SPAN style="font-size: 11pt; font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;; color: #1f497d;">393210 Hosts (total) with the above configuration. <BR /></SPAN></P><P></P><P>What I am not sure is:</P><P>- If 10.40, .41 and .42 available at the same time?</P><P>- Can 1 host get 10.<STRONG>40</STRONG>.10.1 and the other host get 10.<STRONG>41</STRONG>.10.1 address?</P><P>- Or, all the hosts (roughly 131070) are first given address from 10.40.xx.xx space and additional hosts will be given 10.41.xx.xx etc.</P><P></P><P>I am new to configuring ASAs. We have 2 ASAs configured in Active/Active failover scenario.</P><P></P><P>-NG</P> Mon, 11 Mar 2019 19:29:25 GMT gnaveen 2019-03-11T19:29:25Z https://community.cisco.com/t5/network-security/understanding-network-object-group/m-p/1599381#M595609 <P>Per my understanding you define a network object group and&nbsp; then you can issue a single command using the group name to apply to every item in the group.</P><P></P><P>object-group network NETWORK<BR /> network-object 10.40.0.0 255.254.0.0<BR /> network-object 10.41.0.0 255.254.0.0<BR /> network-object 10.42.0.0 255.254.0.0</P><P></P><P>We can support <!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} </style> <![endif]--><SPAN style="font-size: 11pt; font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;; color: #1f497d;">393210 Hosts (total) with the above configuration. <BR /></SPAN></P><P></P><P>What I am not sure is:</P><P>- If 10.40, .41 and .42 available at the same time?</P><P>- Can 1 host get 10.<STRONG>40</STRONG>.10.1 and the other host get 10.<STRONG>41</STRONG>.10.1 address?</P><P>- Or, all the hosts (roughly 131070) are first given address from 10.40.xx.xx space and additional hosts will be given 10.41.xx.xx etc.</P><P></P><P>I am new to configuring ASAs. We have 2 ASAs configured in Active/Active failover scenario.</P><P></P><P>-NG</P> Mon, 11 Mar 2019 19:29:25 GMT https://community.cisco.com/t5/network-security/understanding-network-object-group/m-p/1599381#M595609 gnaveen 2019-03-11T19:29:25Z https://community.cisco.com/t5/network-security/understanding-network-object-group/m-p/1599382#M595610 <HTML><HEAD></HEAD><BODY><P>Where are you using this object-group in your configuration?</P><P>When configuring ACL, when configuration NAT, when configuring MPF?</P><P></P><P>If you have an access-list like this</P><P>access-list inside-acl permit tcp object-group Network any eq 80</P><P></P><P>This will allow every single host in that object-group (all three networks) to go any where destined to port 80.</P><P></P><P><SPAN>You can see nice example here: </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml</A></P><P></P><P>-KS</P></BODY></HTML> Fri, 31 Dec 2010 21:11:59 GMT https://community.cisco.com/t5/network-security/understanding-network-object-group/m-p/1599382#M595610 Kureli Sankar 2010-12-31T21:11:59Z https://community.cisco.com/t5/network-security/understanding-network-object-group/m-p/1599383#M595612 <HTML><HEAD></HEAD><BODY><P>!<BR />object-group network A_inside<BR /> network-object 10.38.1.0 255.255.255.0<BR />object-group network NETWORK<BR /> network-object 10.40.0.0 255.254.0.0<BR /> network-object 10.41.0.0 255.254.0.0<BR /> network-object 10.42.0.0 255.254.0.0<BR />!<BR />access-list VPN extended permit ip object-group A_inside object-group NETWORK <BR />access-list VPN extended permit ip host 172.25.40.xxx object-group NETWORK <BR />!</P></BODY></HTML> Sat, 01 Jan 2011 02:38:51 GMT https://community.cisco.com/t5/network-security/understanding-network-object-group/m-p/1599383#M595612 gnaveen 2011-01-01T02:38:51Z https://community.cisco.com/t5/network-security/understanding-network-object-group/m-p/1599384#M595613 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I assume the above ACL "VPN" is used as a crypto ACL for a VPN tunnel. In this case, all hosts in the 10.38.1.0/24 network and the host 172.25.40.xxx will be able to reach all the hosts in the 3 networks in object-group NETWORK.</P><P></P><P>Hope that answers your question.</P><P></P><P>Cheers,</P><P>Prapanch</P></BODY></HTML> Sat, 01 Jan 2011 13:33:34 GMT https://community.cisco.com/t5/network-security/understanding-network-object-group/m-p/1599384#M595613 praprama 2011-01-01T13:33:34Z