03-01-2007 01:14 PM - edited 03-11-2019 02:40 AM
Alright...powering through ASA 101. I just want to confirm THIS will work.
I need to create an object-group with some IPs so I can make my ACL list more readable.
Here it is:
conf t
object-group network VENDOR
description Vendor IP Address range
network-object host 192.16.5.1
network-object host 192.16.5.2
and so forth. I have 7 IP addresses to add.
At the end, when I put all the IP addresses in,
write terminal?
Thanks.
03-01-2007 01:28 PM
Hi
Yes it looks fine. You can use it as such
access-list acl_in permit tcp object-group VENDOR host 172.16.5.1 eq 23
HTH
Jon
03-01-2007 01:52 PM
Thanks Jon.
Just wanted to be sure, so I didn't blow something up on the ASA. :)
This may sound silly, but once I make the changes, do they automatically get written to RAM?
Would I need to do a "write" to get into NVRAM?
Lastly, even though I am creating this object now, it is not going to be applied just yet. Is that ok? Will it not go into effect until I put it into an ACL?
Thanks.
03-01-2007 03:28 PM
two quick things...
yes, you need to write mem to save the object-group into the config and...
no, it will not affect the ACL...assuming that you have actually created a new, unused object-group... I only say that because I have seen people think they were creating a new object group but they were actually changing an existing object group...
Just check ahead of time that the object group name that you want to use is not already being used...
03-01-2007 03:35 PM
Got it.
'write mem' best way to save?
For the object-group, I made sure the name was not being used previously. All set and GTG there.
Thanks!
03-01-2007 04:18 PM
One other thing I forgot to mention.
When looking at the config, after I entered the objects, I am wondering if I forgot to put the netmask.
I see:
network-object host 104.50.25.5
Should it be:
network-object host 104.50.25.5 255.255.255.255
to match that IP explicitly?
I would think so.
What is the best way to correct this? Thanks.
Jas
03-01-2007 05:20 PM
the "host" keyword tells it that you are defining a specific host rather than a subnet.
So you could essentially configure it as:
network-object 104.50.255.5 255.255.255.255
or the shorter/better way:
network-object host 104.50.255.5
HTH,
Joe Martin
03-01-2007 05:24 PM
Got it.
That makes sense.
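As an added example (not part of the thread and not Cisco code), this Python pre-change check runs over a saved running-config: it treats `network-object host X` and `network-object X 255.255.255.255` as the same entry, and reports whether a proposed object-group name is already defined or referenced by an ACL. The sample config, the function names and the group UNUSED_GROUP are constructed for illustration.

```python
import ipaddress
import re

# Constructed running-config excerpt (not taken from the thread's device).
SAMPLE_CONFIG = """\
object-group network VENDOR
 description Vendor IP Address range
 network-object host 192.16.5.1
 network-object 192.16.5.2 255.255.255.255
 network-object 10.20.0.0 255.255.0.0
object-group network UNUSED_GROUP
 network-object host 10.1.1.1
access-list acl_in extended permit tcp object-group VENDOR host 172.16.5.1 eq 23
"""

def parse_object_groups(config):
    """Return {group_name: set of ip_network} for 'object-group network' blocks.

    Only the two literal forms discussed in the thread are parsed:
    'network-object host A.B.C.D' and 'network-object A.B.C.D MASK'.
    """
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), set())
            continue
        if not line.startswith(" "):
            current = None  # left the object-group sub-mode
            continue
        if current is None:
            continue
        parts = line.split()
        if parts[:2] == ["network-object", "host"] and len(parts) == 3:
            # 'host' is shorthand for a 255.255.255.255 mask
            current.add(ipaddress.ip_network(parts[2] + "/32"))
        elif parts[:1] == ["network-object"] and len(parts) == 3:
            current.add(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
    return groups

def name_status(config, name):
    """Classify a proposed group name: 'free', 'defined-unused' or 'in-use'."""
    if name not in parse_object_groups(config):
        return "free"
    ref = re.compile(rf"^access-list .*\bobject-group {re.escape(name)}(\s|$)", re.M)
    return "in-use" if ref.search(config) else "defined-unused"
```

A status of `in-use` means that entering `object-group network <name>` edits a group an ACL already depends on, which is the mistake described earlier in the thread.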