Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1108
Views
0
Helpful
7
Replies

How do I add many subnets to asa?

Rick Morgan
Level 1
Level 1

‎05-09-2011 06:36 AM - edited ‎03-11-2019 01:30 PM

My ASA

Cisco Adaptive Security Appliance Software Version 8.0(5)

Device Manager Version 6.2(5)53

Does anyone know how to add many IP subnets to an asa?

As an example lets say I want to create a group "country block list", and I have a block of subnets;

2.60.0.0/14

2.92.0.0/14

31.3.16.0/21

31.7.224.0/20

31.8.0.0/16

31.10.0.0/21

31.10.8.0/21

How do I add them as one group? Can this be done?

Thanks,

Rick

Labels:
0 Helpful
7 Replies 7

Dan-Ciprian Cicioiu
Level 7
Level 7

‎05-09-2011 06:42 AM

You can try using object-groups :

object-group network country

network-object 2.60.0.0 255.252.0.0

network-object 2.92.0.0 255.252.0.0

.....
and so on

I hope i understood well your question

Dan

0 Helpful

varrao
Level 10
Level 10

‎05-09-2011 06:43 AM

Rick,


On the ASA you can create object-group and under a single object-group include all the different subnets, so a single object-group would represent the the complete subnets that you have. Just for your reference, have a look at the command reference:

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/no.html#wp1750094



Sample config:

hostname(config)# object-group network sjc_ftp_servers

hostname(config-network)# network-object host sjc.ftp.servers 

hostname(config-network)# network-object host 172.23.56.195 

hostname(config-network)# network-object 193.1.1.0 255.255.255.224 

hostname(config-network)# group-object sjc_eng_ftp_servers 

hostname(config-network)# exit


Hope this helps.

Thanks,
Varun

Thanks,
Varun Rao
0 Helpful

Rick Morgan
Level 1
Level 1

‎05-09-2011 07:52 AM

Ok I created a network group called blocked list. How do I add an ACL to this group to block all incomming WAN traffic to this group.

Thanks,

Rick

0 Helpful

Dan-Ciprian Cicioiu
Level 7
Level 7
In response to Rick Morgan

‎05-09-2011 08:38 AM

I dont think that the name of your object group could be "blocked list" - with space in the name.

To make use of the object-group in the access-list you must use "object-group blocked" ( if the name of the object-group is blocked) instead of using network and netmask pairs.

Dan

0 Helpful

varrao
Level 10
Level 10
In response to Dan-Ciprian Cicioiu

‎05-09-2011 10:01 AM

Here is a sample configuration that might ease out things for you:

access-list 104 permit ip host object-group A object-group B 

where A & B are the names of your object-group

Hope this helps.

Thanks,
Varun

Thanks,
Varun Rao
0 Helpful

Dan-Ciprian Cicioiu
Level 7
Level 7
In response to varrao

‎05-09-2011 10:18 AM 

varrao wrote:
access-list 104 permit ip host object-group A object-group B 

Thanks,
Varun

Hello Varun ,

I think that your command will not work.

Dan

0 Helpful

varrao
Level 10
Level 10
In response to Dan-Ciprian Cicioiu

‎05-09-2011 10:33 AM

ooopss.. sory for the typo

Thanks,
Varun Rao
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card