Solved: Deleting Group object in ASA

mahesh18 · ‎10-31-2013

Hi Everyone,

Fw1 has say object group subnet1

Fw1#sh run object-group id subnet1

object-group network subnet1

group-object test

then i did

Fw1#sh run object-group id test

object-group network test

network-object 10.0.0.0 255.0.0.0

network-object 172.16.0.0 255.240.0.0

network-object 192.168.0.0 255.255.0.0

**************************************************************

Fw2#sh run object-group id subnet1

object-group network subnet1

network-object 10.0.0.0 255.0.0.0

network-object 192.168.0.0 255.255.0.0

network-object 172.16.0.0 255.240.0.0

Also Fw2 has

sh run object-group id test

object-group network test

network-object object 10.0.0.0

network-object object 172.16.0.0

network-object object 192.168.0.0

My question is if i add the config below to Fw2

sh run object-group id subnet1

object-group network subnet1

group-object test

and then delete the below config from fw2

Fw2#sh run object-group id subnet1

object-group network subnet1

network-object 10.0.0.0 255.0.0.0

network-object 192.168.0.0 255.255.0.0

network-object 172.16.0.0 255.240.0.0

Will it make any difference in running config of fw2?

will it cause any outage?

Regards

Mahesh

Jouni Forss · ‎10-31-2013

Hi,

So if I understood you correctly then you have

FW1 with an "object-group" configured that contains inside it another "object-group"
FW2 with an "object-group" with 3 "network-object" statements which you want to remove and replace with a similiar "object-group" as in FW1

If this is true then I guess this is a similiar thing that you asked before.

You would have to have this already on FW2 or configure this on the FW2

object-group network test

network-object object 10.0.0.0

network-object object 172.16.0.0

network-object object 192.168.0.0

You would then add this "object-group" under the other "object-group"

object-group network subnet1

group-object test

And while under the "object-group network subnet1" configuration space you would remove the "network-object" configuration lines

no network-object 10.0.0.0 255.0.0.0

no network-object 192.168.0.0 255.255.0.0

no network-object 172.16.0.0 255.240.0.0

With that order you should have the same subnets/networks under the "object-group" all the time. You SHOULD NOT remove the "subnet1" object though if its in use in an ACL I think the ASA wont even let you remove it.

Again if these are used only for interface ACLs then I imagine these changes wouldnt cause a problem. If they would be used for NAT then I am not so sure.

I personally am not a big fan of grouping objects under other objects. In the long run the configurations become hard to read.

- Jouni

View solution in original post

Jouni Forss · ‎10-31-2013

Hi,

So if I understood you correctly then you have

FW1 with an "object-group" configured that contains inside it another "object-group"
FW2 with an "object-group" with 3 "network-object" statements which you want to remove and replace with a similiar "object-group" as in FW1

If this is true then I guess this is a similiar thing that you asked before.

You would have to have this already on FW2 or configure this on the FW2

object-group network test

network-object object 10.0.0.0

network-object object 172.16.0.0

network-object object 192.168.0.0

You would then add this "object-group" under the other "object-group"

object-group network subnet1

group-object test

And while under the "object-group network subnet1" configuration space you would remove the "network-object" configuration lines

no network-object 10.0.0.0 255.0.0.0

no network-object 192.168.0.0 255.255.0.0

no network-object 172.16.0.0 255.240.0.0

With that order you should have the same subnets/networks under the "object-group" all the time. You SHOULD NOT remove the "subnet1" object though if its in use in an ACL I think the ASA wont even let you remove it.

Again if these are used only for interface ACLs then I imagine these changes wouldnt cause a problem. If they would be used for NAT then I am not so sure.

I personally am not a big fan of grouping objects under other objects. In the long run the configurations become hard to read.

- Jouni

mahesh18 · ‎10-31-2013

Hi Jouni,

Yes you understood correctly.

Its always good to get advice from you.

Best regards

MAhesh