https://community.cisco.com/t5/network-security/create-network-object-in-asa/m-p/1005547#M939651 <HTML><HEAD></HEAD><BODY><P>acbenny,</P><P></P><P>Object groups are extremely easy. You just have to have and idea of how you want your ACLs to look. Object groups are just cosmetic when it comes down to it.</P><P></P><P>Just for the sake of putting it out there, you can create a few different types of object groups. They are: ICMP-Type, Network, Protocol, and Service. You can also do what is called nesting, but only with similar object group types.</P><P> </P><P>You'll first start by creating one. Below is an example: </P><P>** This is if you have any systems pre-configured to names</P><P>(config)#names</P><P>(config)#name 10.1.1.10 myFTPserver</P><P></P><P>(config)#object-group network ftp_servers</P><P></P><P>(config-network)#network-object host 10.1.1.14</P><P>(config-network)#network-object host myFTPserver</P><P></P><P>(config-network)#network-object 10.1.1.32 255.255.255.224</P><P>(config-network)#exit</P><P></P><P>Once you've created your object group, you will need to use it within your ACL. It will look something like this:</P><P></P><P>(config)#access-list 101 permit ip any object-group ftp_servers</P><P></P><P>if you only want a specific protocol, say these are associated to FTP, then you should specify it.</P><P></P><P>(config)#access-list 101 permit tcp any object-group ftp_servers eq ftp</P><P></P><P>I hope this assists.</P><P></P><P>As an FYI, I'm just taking this straight from the cisco documentation: <A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml</A></P><P></P><P></P></BODY></HTML> Mon, 07 Apr 2008 11:55:32 GMT chickman 2008-04-07T11:55:32Z https://community.cisco.com/t5/network-security/create-network-object-in-asa/m-p/1005545#M939643 <P>Hi all,</P><P></P><P>The method to create network object make me quite confuse that if I create network object by ASDM, it is success. But if I use CLI in create network object, it seems fail. Attach is the screen dump for your reference. Any one has idea ? Thank you !</P> Mon, 11 Mar 2019 12:28:05 GMT https://community.cisco.com/t5/network-security/create-network-object-in-asa/m-p/1005545#M939643 acbenny 2019-03-11T12:28:05Z https://community.cisco.com/t5/network-security/create-network-object-in-asa/m-p/1005546#M939645 <HTML><HEAD></HEAD><BODY><P>Attachment</P><P></P><P> </P><P></P></BODY></HTML> Mon, 07 Apr 2008 06:07:17 GMT https://community.cisco.com/t5/network-security/create-network-object-in-asa/m-p/1005546#M939645 acbenny 2008-04-07T06:07:17Z https://community.cisco.com/t5/network-security/create-network-object-in-asa/m-p/1005547#M939651 <HTML><HEAD></HEAD><BODY><P>acbenny,</P><P></P><P>Object groups are extremely easy. You just have to have and idea of how you want your ACLs to look. Object groups are just cosmetic when it comes down to it.</P><P></P><P>Just for the sake of putting it out there, you can create a few different types of object groups. They are: ICMP-Type, Network, Protocol, and Service. You can also do what is called nesting, but only with similar object group types.</P><P> </P><P>You'll first start by creating one. Below is an example: </P><P>** This is if you have any systems pre-configured to names</P><P>(config)#names</P><P>(config)#name 10.1.1.10 myFTPserver</P><P></P><P>(config)#object-group network ftp_servers</P><P></P><P>(config-network)#network-object host 10.1.1.14</P><P>(config-network)#network-object host myFTPserver</P><P></P><P>(config-network)#network-object 10.1.1.32 255.255.255.224</P><P>(config-network)#exit</P><P></P><P>Once you've created your object group, you will need to use it within your ACL. It will look something like this:</P><P></P><P>(config)#access-list 101 permit ip any object-group ftp_servers</P><P></P><P>if you only want a specific protocol, say these are associated to FTP, then you should specify it.</P><P></P><P>(config)#access-list 101 permit tcp any object-group ftp_servers eq ftp</P><P></P><P>I hope this assists.</P><P></P><P>As an FYI, I'm just taking this straight from the cisco documentation: <A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml</A></P><P></P><P></P></BODY></HTML> Mon, 07 Apr 2008 11:55:32 GMT https://community.cisco.com/t5/network-security/create-network-object-in-asa/m-p/1005547#M939651 chickman 2008-04-07T11:55:32Z