Understanding network object-group

gnaveen · ‎12-31-2010

Per my understanding you define a network object group and then you can issue a single command using the group name to apply to every item in the group.

object-group network NETWORK
network-object 10.40.0.0 255.254.0.0
network-object 10.41.0.0 255.254.0.0
network-object 10.42.0.0 255.254.0.0

We can support 393210 Hosts (total) with the above configuration.

What I am not sure is:

- If 10.40, .41 and .42 available at the same time?

- Can 1 host get 10.40.10.1 and the other host get 10.41.10.1 address?

- Or, all the hosts (roughly 131070) are first given address from 10.40.xx.xx space and additional hosts will be given 10.41.xx.xx etc.

I am new to configuring ASAs. We have 2 ASAs configured in Active/Active failover scenario.

-NG

Kureli Sankar · ‎12-31-2010

Where are you using this object-group in your configuration?

When configuring ACL, when configuration NAT, when configuring MPF?

If you have an access-list like this

access-list inside-acl permit tcp object-group Network any eq 80

This will allow every single host in that object-group (all three networks) to go any where destined to port 80.

You can see nice example here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

-KS

gnaveen · ‎12-31-2010

!
object-group network A_inside
network-object 10.38.1.0 255.255.255.0
object-group network NETWORK
network-object 10.40.0.0 255.254.0.0
network-object 10.41.0.0 255.254.0.0
network-object 10.42.0.0 255.254.0.0
!
access-list VPN extended permit ip object-group A_inside object-group NETWORK
access-list VPN extended permit ip host 172.25.40.xxx object-group NETWORK
!

praprama · ‎01-01-2011

Hi,

I assume the above ACL "VPN" is used as a crypto ACL for a VPN tunnel. In this case, all hosts in the 10.38.1.0/24 network and the host 172.25.40.xxx will be able to reach all the hosts in the 3 networks in object-group NETWORK.

Hope that answers your question.

Cheers,

Prapanch