Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1855
Views
0
Helpful
7
Replies

Deleting object id

Go to solution
mahesh18
Level 6
Level 6

‎11-04-2013 02:56 PM - edited ‎03-11-2019 08:00 PM

Hi Everyone,

When i run the command    

sh run object-group id Test

network-object object 10.0.0.0

sh run object id 10.0.0.0

object network 10.0.0.0

subnet 10.0.0.0 255.0.0.0

Here i need to delete the object id 10.0.0 is there any way i can deleted this via some command

no object network 10.0.0.0?

or can i deleted like step below

config t

object-group network Test

no network-object object 10.0.0.0

Will the command above work ?

Regards

Mahesh

Message was edited by: mahesh parmar

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎11-05-2013 12:04 AM

Hi,

If you have the "object-group network Test"

object-group network Test

network-object object 10.0.0.0

and you want to replace the "object" inside it with a "network-object" statement that specifies the same network then you would do

object-group network Test

network-object 10.0.0.0 255.0.0.0

no network-object object 10.0.0.0

With the last thing you ask I simply meant to ask if you ONLY wanted to remove the "object 10.0.0.0" from under the "object-group network Test" OR did you additionally want to also remove the "object network 10.0.0.0" completely from the ASA?

The main things you should do when doing any such changes is to first check where these "object-group" and "object" configurations are used. In general if you have these used in interface ACLs then these type of changes should be safe. If they "object" or "object-group" were used in some NAT configurations then I couldnt say with 100% certainty how such changes would affect on the NAT operation (even if it was just temporary effect during the change)

- Jouni

View solution in original post

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎11-12-2013 09:04 AM

Hi Mahesh,

With the above commands you mentioned you only removed the "object" called "10.0.0.0" from under the "object-group" called "Test".

If you wished to remove the whole "object network 10.0.0.0" then you would have to issue the command

no object network 10.0.0.0

But it must not be used anywhere for you to be able to remove it. Though the ASA should notify you if you have it configured in some ACL or other configuration when you are attempting to remove the actual "object".

- Jouni

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎11-04-2013 03:04 PM

Hi Mahesh,

So I guess you mean you have this configuration

object network 10.0.0.0

subnet 10.0.0.0 255.0.0.0

object-group network Test

network-object object 10.0.0.0

What is unclear to me is that do you want to remove the "object" from under the "object-group" ONLY or do you want to do what and ALSO remove the whole "object"?

If you want to remove the whole "object network 10.0.0.0" then you will have to do

object-group network Test

no network-object object 10.0.0.0

no object network 10.0.0.0

Do notice that IF this "object" is used in some configuration like ACL or NAT then the ASA wont let you remove it. So you should first check where this "object" is used to determine if its needed and then remove it if its useless.

But the above mentioned commands should be the one to achieve what you want which is remove the "object" from the "object-group" and then remove the whole "object".

The reason we remove the "object" from under the "object-group" first is because otherwise (to my understanding atleast) the ASA wont allow you to remove the "object" since its in use by other configuration.

Hope this made sense and helped

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎11-04-2013 05:03 PM

Hi Jouni,

Here is my plan what i need to do without causing outage

sh run object-group id Test

network-object object 10.0.0.0 ---------------------1

i need to replace line 1 via below command

network-object 10.0.0. 255.0.0.0

so i do not know if i can simply remove network-object object 10.0.0.0 by using

no network-object object 10.0.0.0 or not?

when you say

What is unclear to me is that do you want to remove the "object" from under the "object-group"

ONLY or do you want to do what and ALSO remove the whole "object" ?

Can you please explain about this?

Regards

MAhesh

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎11-05-2013 12:04 AM

Hi,

If you have the "object-group network Test"

object-group network Test

network-object object 10.0.0.0

and you want to replace the "object" inside it with a "network-object" statement that specifies the same network then you would do

object-group network Test

network-object 10.0.0.0 255.0.0.0

no network-object object 10.0.0.0

With the last thing you ask I simply meant to ask if you ONLY wanted to remove the "object 10.0.0.0" from under the "object-group network Test" OR did you additionally want to also remove the "object network 10.0.0.0" completely from the ASA?

The main things you should do when doing any such changes is to first check where these "object-group" and "object" configurations are used. In general if you have these used in interface ACLs then these type of changes should be safe. If they "object" or "object-group" were used in some NAT configurations then I couldnt say with 100% certainty how such changes would affect on the NAT operation (even if it was just temporary effect during the change)

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎11-05-2013 08:57 AM

Hi Jouni,

I will test this  on monday then will let you know how it goes.

Regards

MAhesh

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎11-12-2013 09:00 AM


Hi Jouni,

I did below change yesterday

object-group network Test

network-object 10.0.0.0 255.0.0.0

no network-object object 10.0.0.0

After the above change there was no issues.

However i did not delete the object id 10.0.0.0??

Regards

Mahesh

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎11-12-2013 09:04 AM

Hi Mahesh,

With the above commands you mentioned you only removed the "object" called "10.0.0.0" from under the "object-group" called "Test".

If you wished to remove the whole "object network 10.0.0.0" then you would have to issue the command

no object network 10.0.0.0

But it must not be used anywhere for you to be able to remove it. Though the ASA should notify you if you have it configured in some ACL or other configuration when you are attempting to remove the actual "object".

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎11-12-2013 10:01 AM

Hi Jouni,

Thanks for additional info.

For now i am ok with current config.

In future if i need to delete whole  object network 10.0.0.0 i will do as you said.

Best regards

MAhesh

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card