04-14-2010 12:53 AM - edited 03-11-2019 10:32 AM
If we run the show object-group command, it lists all the object-groups on the firewall.
Pix(config)# show object-group
object-group network dmz_servers
description: The DMZ shared servers
network-object host 192.168.2.3
network-object host 192.168.2.4
network-object host 192.168.2.5
object-group network Partners
description: The dealer and supplier partners
network-object host 172.16.21.119
network-object 192.168.7.0 255.255.255.0
network-object 192.168.12.0 255.255.253.0
Is there a specific command to show only a specific object-group?
For example, if I only want to see what is inside dmz_servers, which command should I use?
I’ve tried
show object-group dmz_servers
&
Show object-group network dmz_servers
But they didn't work. Please advise. Thanks.
04-14-2010 02:31 AM
Unfortunately you won't be able to show just that particular object.
The closest you can do is to list that particular object on top of your show output as follows:
sh run object-group network | b Partners
Hope that helps.
06-25-2015 11:23 AM
I wonder why this feature is not added, as it is becoming a nightmare to find the exact NAT statement for a particular IP, especially when you have thousands of object statements. The CLI is becoming unmanageable.
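For the problem raised in the comment above (finding which object-groups cover a given IP among many objects), here is an added example that is not part of any post in this thread: a Python sketch that parses a saved copy of object-group output offline. The sample text is constructed from the output quoted in the question, the function names are hypothetical, and the 255.255.253.0 mask copied from that output is non-contiguous, so the line is reported as skipped rather than matched.

```python
import ipaddress

# Constructed sample, modelled on the output quoted in the question.
SAMPLE = """\
object-group network dmz_servers
 description: The DMZ shared servers
 network-object host 192.168.2.3
object-group network Partners
 network-object 192.168.7.0 255.255.255.0
 network-object 192.168.12.0 255.255.253.0
object-group service Port_ABC tcp
 port-object eq 2000
"""

def parse_groups(text):
    """Return {group_name: (group_type, [member lines])}."""
    groups, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if words[:1] == ["object-group"] and len(words) >= 3:
            current = words[2]
            groups[current] = (words[1], [])
        elif words and current is not None:
            groups[current][1].append(" ".join(words))
    return groups

def to_network(args):
    """['host', ip] or [net, mask] -> ip_network; ValueError on anything else."""
    if len(args) == 2 and args[0] == "host":
        return ipaddress.ip_network(args[1])
    if len(args) == 2:
        return ipaddress.ip_network("/".join(args))
    raise ValueError(f"unsupported network-object form: {args}")

def groups_containing(text, ip):
    """Return (groups covering ip, network-object lines that could not be parsed)."""
    addr = ipaddress.ip_address(ip)
    hits, skipped = [], []
    for name, (gtype, members) in parse_groups(text).items():
        for member in members:
            words = member.split()
            if gtype != "network" or words[0] != "network-object":
                continue
            try:
                if addr in to_network(words[1:]) and name not in hits:
                    hits.append(name)
            except ValueError:  # e.g. non-contiguous mask: report, don't guess
                skipped.append((name, member))
    return hits, skipped
```

Nested group-object members are not followed, so a group that only references other groups will not appear in the hits.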
04-14-2010 04:03 PM
You can do it using
show object-group network id dmz_servers
I hope it helps.
PK
04-14-2010 07:09 PM
Thanks halijenn & pkampana for your replies. I forgot that ASA & PIX differ a little bit in their commands.
Btw, this is the correct command to view a specific group in both ASA & PIX:
# ASA
sh run object-group id dmz_servers
# PIX
show object-group id dmz_servers
10-17-2010 02:59 AM
Hi all,
The command above can be used to verify an object-group on the ASA, but it won't work against a service object-group such as the one below. Any advice in this matter would be highly appreciated.
The command below failed.
ASA5510# sh run object-group service Port_ABC
^
ERROR: % Invalid input detected at '^' marker.
This object-group actually exists on the firewall:
object-group service Port_ABC tcp
port-object eq 2000
port-object eq 2111
port-object eq 2222
ASA5510# sh run object-group ?
icmp-type Show 'icmp-type' type of object group(s)
id Show specific object group
network Show 'network' type of object group(s)
protocol Show 'protocol' type of object group(s)
service Show 'service' type of object group(s)
| Output modifiers
ASA5510# sh run object-group service ?
| Output modifiers
10-17-2010 06:10 AM
You need to issue either
sh run object-group service
or
sh run object-group id Port_ABC -------> watch the "id" keyword
-KS
10-17-2010 06:16 AM
Thanks again Kusankar for your help. How could I miss "id" there? No wonder it never worked.
05-12-2020 10:41 AM
Thanks
11-13-2013 07:10 PM
Hi, can anyone suggest how many IP addresses can be configured under an object-group network? (ASA 5550 ver 8.2)
My customer wants to configure 6000 IPs under an object-group and add a deny rule for this group.
Thanks ahead,