Solved: Question - ASA object-group

ningyixiao · ‎10-03-2017

Hi Guys,

I saw below configuration on Cisco ASA 9.1(7)16. The network object group is calling a service object group, is this a valid configuration?

====================================

object-group service HTTPS_433 tcp
port-object eq 433

object-group network WEB
network-object host WWW_A
network-object host WWW_B
group-object HTTPS_433

====================================

Marvin Rhoads · ‎10-05-2017

That would not be a valid configuration stanza. Network object groups can contain multiple network objects as well as inline networks. For services, you would need to use a service group.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/acl_objects.html#86292

View solution in original post

Marvin Rhoads · ‎10-05-2017

That would not be a valid configuration stanza. Network object groups can contain multiple network objects as well as inline networks. For services, you would need to use a service group.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/acl_objects.html#86292

ningyixiao · ‎10-05-2017

That's my understanding as well. But very surprised ASA allows the configuration.

Marvin Rhoads · ‎10-05-2017

It appears they have fixed that bug in a subsequent release:

asav(config)# object-group service HTTPS_433 tcp
asav(config-service-object-group)# port-object eq 433
asav(config-service-object-group)#
asav(config-service-object-group)#
asav(config-service-object-group)#
asav(config-service-object-group)# object-group network WEB
asav(config-network-object-group)# network-object host WWW_A
asav(config-network-object-group)# network-object host WWW_B
asav(config-network-object-group)# group-object HTTPS_433
Adding obj to object-group (WEB) failed; obj and group type inconsistent
asav(config-network-object-group)# end
asav#
asav#
asav# sh ver

Cisco Adaptive Security Appliance Software Version 9.8(1)7