object-group with network-object containing an IP address range

john4665cisco
Level 1

Hello,

Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':

object-group network test
network-object 192.168.0.0 192.168.63.255
?

network-object-group mode commands/options:
  A.B.C.D  Enter an IPv4 network mask

sh run ob id test
object-group network test
network-object 192.168.0.0 192.168.63.255

I found that in the documentation it requires a netmask as opposed to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug, how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range, it looks like the ASA doesn't read that configuration properly. Thank you.

-John

5 Replies

john4665cisco
Level 1

Hello,

Just to clarify my findings. Applying the range of IP addresses:

192.168.0.0 192.168.63.255

to a network-object that resides in an object-group applied to an access list that denies this range, the ASA allows it through:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: testdmz
output-status: up
output-line-status: up
Action: allow

When applying the range with a netmask:

192.168.0.0 255.255.192.0

The ASA drops it as expected:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: testdmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hope this clears up my question, thank you.

-John

Hi.

I am not sure if I missed something but to my understanding there is no option to define a range of IP addresses under the "object-group network".

In the newer software versions you can define an "object network" inside which you can enter a range of IP addresses. This is totally different from the "object-group network". The "object network" became available in software 8.3(1).

Though it seems you can still enter the mentioned configuration under the "object-group network" in the new software, it wouldn't really make sense.

- Jouni

Hello John,

When you say range of IP addresses, do you mean you used the keyword range, or you just did it as you showed in the first post? Because that is incorrect.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

Thank you for your replies. In code version 8.0(5)23, it appears I am able to define a "range" of IP addresses as in:

192.168.0.0 192.168.63.255 as opposed to defining a range with a netmask like 192.168.0.0 255.255.192.0.

With the "range" of IP address applied to the "object-group network test" with sub command "network-object 192.168.0.0 192.168.63.255" the ASA does not pick up on said "range" when this object group is applied to a DENY access list. It only reads it properly when the netmask is attached, which is the correct configuration, as in: "network-object 192.168.0.0 255.255.192.0".

To clarify, I mean range as in 192.168.0.0 - 192.168.63.255.

Hope this helps to understand. I am just curious as to why this is even able to be applied in such a way or if it is a bug in this particular code version? I can also confirm that this can be done in code version 8.4(2). See below snippets of my configuration in the 8.4(2) code version:

access-list 101 line 3 extended deny ip object-group testmask any 0x577f55a8
  access-list 101 line 3 extended deny ip 192.168.0.0 192.168.63.255 any (hitcnt=0) 0x0623b0c4
access-list 101 line 4 extended permit tcp any any eq 89 (hitcnt=1) 0x36f1e5cd

Packet trace results in allowing the "range" of IP address:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmztest
output-status: up
output-line-status: up
Action: allow

Now with the "correct" configuration:

access-list 101 line 3 extended deny ip object-group testmask any 0x577f55a8
  access-list 101 line 3 extended deny ip 192.168.0.0 255.255.192.0 any (hitcnt=1) 0xa31c6bbd
access-list 101 line 4 extended permit tcp any any eq 89 (hitcnt=1) 0x36f1e5cd

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmztest
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thank you.

-John

Hi,

I don't know if it's a bug or if it was intentionally allowed. Either way, using such a configuration under an "object-group" wouldn't make sense.

The Command Reference states that it's expecting a network address as the first parameter and the network mask as the second parameter:

ASA(config-network-object-group)# network-object ?

network-object-group mode commands/options:
  Hostname or A.B.C.D  Enter an IPv4 network address

ASA(config-network-object-group)# network-object 192.168.0.0 ?

network-object-group mode commands/options:
  A.B.C.D  Enter an IPv4 network mask

Here's a link to the command "network-object" for ASA software 8.0:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1749092

- Jouni
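The practical risk in this thread is a deny rule that is accepted by the parser but never matches, so the traffic it was meant to block is allowed. The script below is an added example written for this thread (not Cisco code, and not ASA behaviour taken from documentation): it audits `network-object <address> <mask>` lines from a saved configuration, flags any second operand that is not a contiguous netmask, and, where the operand looks like a range end, computes the address/netmask entries that cover that range exactly. The `mask_match` function assumes the matching model the command syntax implies (a packet matches when `src & mask == address & mask`); under that assumption the entry `192.168.0.0 192.168.63.255` does not match a source such as 192.168.10.5, which is consistent with the `hitcnt=0` and `Action: allow` results John posted. The sample configuration and source addresses are constructed.

```python
"""Check ASA-style `network-object <address> <mask>` entries before they reach an ACL.

Added example for the thread above, not Cisco code. Assumes the second operand is
applied as a bitwise netmask (src & mask == address & mask), as the command help
text indicates; the ASA's internal behaviour is not documented on this page.
"""
import ipaddress


def is_contiguous_netmask(mask: str) -> bool:
    """True when the dotted quad is a run of 1-bits followed by a run of 0-bits."""
    m = int(ipaddress.IPv4Address(mask))
    inv = (~m) & 0xFFFFFFFF          # inverted: 0...01...1 for a valid netmask
    return (inv & (inv + 1)) == 0    # that shape is one less than a power of two


def mask_match(address: str, mask: str, src: str) -> bool:
    """Bitwise comparison a netmask-based network-object would make (assumed model)."""
    a, m, s = (int(ipaddress.IPv4Address(x)) for x in (address, mask, src))
    return (s & m) == (a & m)


def range_to_mask_entries(first: str, last: str) -> list[str]:
    """Express an inclusive address range as the address/netmask pairs covering it exactly."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [f"{n.network_address} {n.netmask}" for n in nets]


def audit_object_groups(config: str) -> list[dict]:
    """Flag network-object lines whose second operand is not a valid netmask.

    Only the `network-object A.B.C.D A.B.C.D` form is checked; the `host` and
    `object` forms carry no mask and are skipped.
    """
    findings = []
    group = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object-group network "):
            group = line.split()[2]
        elif group and line.startswith("network-object "):
            parts = line.split()
            if len(parts) != 3 or parts[1] in ("host", "object"):
                continue
            address, second = parts[1], parts[2]
            valid = is_contiguous_netmask(second)
            finding = {"group": group, "line": line, "valid_mask": valid, "suggested": []}
            if not valid and ipaddress.IPv4Address(second) >= ipaddress.IPv4Address(address):
                # Looks like the author meant an inclusive range: offer the mask form.
                finding["suggested"] = range_to_mask_entries(address, second)
            findings.append(finding)
    return findings


# Constructed sample config mirroring the two object groups discussed in the thread.
SAMPLE_CONFIG = """\
object-group network test
 network-object 192.168.0.0 192.168.63.255
object-group network testmask
 network-object 192.168.0.0 255.255.192.0
 network-object host 10.0.0.5
"""

if __name__ == "__main__":
    for f in audit_object_groups(SAMPLE_CONFIG):
        status = "ok" if f["valid_mask"] else "NOT a netmask"
        print(f'{f["group"]}: {f["line"]} -> {status}', f["suggested"] or "")
    # Constructed source inside the intended range: only the mask form matches it.
    print(mask_match("192.168.0.0", "192.168.63.255", "192.168.10.5"))  # False
    print(mask_match("192.168.0.0", "255.255.192.0", "192.168.10.5"))   # True
```

Running it against a `show running-config object-group` dump is the quickest way to catch the pattern across a whole firewall: any `network-object` whose second operand fails `is_contiguous_netmask` deserves a look, and the suggested entries (here a single `192.168.0.0 255.255.192.0`) are what the deny rule needed all along.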
