ASA Object-group network addresses

fsebera · ‎08-23-2016

The following hosts need to be included in an ASA ACL running IOS 9.5. Can I summarized these hosts into several network statements as shown below?

Hosts to be included in the ACL:

10.1.6.101

10.1.6.104
10.1.6.105
10.1.6.106
10.1.6.107
10.1.6.108
10.1.6.109
10.1.6.110
10.1.6.111

10.1.6.136
10.1.6.137
10.1.6.138
10.1.6.139

10.1.6.140
10.1.6.141

object-group network HOSTS-BB
network-object host 10.1.6.101
network-object 10.1.6.104 255.255.255.248
network-object 10.1.6.136 255.255.255.252
network-object 10.1.6.140 255.255.255.254

Thank you

Frank

fsebera · ‎08-26-2016

Confirmed this works.

Interesting in the fact that the ASA OS doesn't check nor verify overriding entries.

Example, both configs are accepted and function on a first match basis.

object-group network HOSTS-BB
network-object host 10.1.6.101
network-object 10.1.6.104 255.255.255.248
network-object host 10.1.6.104

object-group network HOSTS-BB
network-object host 10.1.6.101
network-object host 10.1.6.104
network-object 10.1.6.104 255.255.255.248