Understanding of group-object within object-group

mahesh18
Level 6

Hi Everyone,

I know about object-group network and that we define network-object host under them.

But when I run the command sh run object-group id X_servers, the config below shows:

sh run object-group id X_Servers
object-group network X_Servers
 network-object host 192.168.50.8
 group-object X_DC
 network-object host 192.168.50.10
 network-object host 192.168.50.18
 network-object host 192.168.50.9
 network-object host 192.168.50.66
 network-object host 192.168.50.19
 network-object host 192.168.50.78
 network-object host xyz
 network-object host 192.168.50.77
 group-object X_ES
 network-object host 192.168.50.14
 network-object host 192.168.50.55
 network-object host 192.168.50.152

I need to understand what the group-objects are here and why we use them.

Regards

Mahesh

1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni

Hi Mahesh,

The "group-object" essentially defines an "object-group" inside another "object-group".

Take this example from my own firewall that I just did:

object-group network TEST-1
 network-object host 1.1.1.1
 network-object host 1.1.1.2
 network-object host 1.1.1.3
object-group network TEST-2
 network-object host 1.1.1.4
 network-object host 1.1.1.5
 network-object host 1.1.1.6
object-group network TEST-COMBINED
 group-object TEST-1
 group-object TEST-2
access-list TEST extended permit ip any object-group TEST-COMBINED

Then we can have a look at the actual "access-list" in opened form:

show access-list TEST
access-list TEST line 2 extended permit ip any object-group TEST-COMBINED 0x26d4a4c0
  access-list TEST line 2 extended permit ip any host 1.1.1.1 (hitcnt=0) 0x6e3aac07
  access-list TEST line 2 extended permit ip any host 1.1.1.2 (hitcnt=0) 0xfbaa7dde
  access-list TEST line 2 extended permit ip any host 1.1.1.3 (hitcnt=0) 0x110123ec
  access-list TEST line 2 extended permit ip any host 1.1.1.4 (hitcnt=0) 0x3c83a140
  access-list TEST line 2 extended permit ip any host 1.1.1.5 (hitcnt=0) 0x7f20bf16
  access-list TEST line 2 extended permit ip any host 1.1.1.6 (hitcnt=0) 0x65046d97

So as you can see, we have configured 2 "object-group network" named "TEST-1" and "TEST-2". Then we have configured an "object-group" called "TEST-COMBINED" and added the above-mentioned 2 "object-group" under it by using the command "group-object".

Then we use that single "object-group" in an ACL.

Why would we use them? Well, personally I wouldn't, and I don't.

But I would have to imagine that if you had several groups of hosts/networks/servers that you had grouped together in their own separate "object-group", and then would want to also include all those hosts/networks/servers in some "access-list", you could then first group them inside another "object-group" and use this created "object-group" to configure the ACL rule, rather than use multiple lines of ACLs with all the different "object-group".

But as I said, I have never really used this. When configuring the ASA on the CLI side this would make my life a lot harder. I would imagine that some people using the ASDM might use this more, but I don't see any added benefit in it for me personally.

In your above case you could use the commands

show run object-group id X_DC
show run object-group id X_ES

to view the contents of those "object-group".

Hope this helps

- Jouni
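Jouni's "show access-list" output shows the ASA flattening the nested groups into one ACE per host. The script below is an added example for this thread, not Cisco's code and not from either poster: it does the same expansion offline from a saved running-config, which is handy when auditing what a rule actually permits once it references groups that contain other groups. SAMPLE_CONFIG is constructed from the TEST-1 / TEST-2 / TEST-COMBINED example above, the function names are my own, and only the ACL shape used in the thread (any, host X, or object-group G on each side) is parsed.

```python
"""Flatten nested ASA object-groups the way 'show access-list' displays them.

Added example for this thread (not Cisco's code and not from the original
posts): parse 'object-group network' blocks from a saved running-config,
resolve 'group-object' references recursively, and expand an ACL line to the
per-host entries the ASA would list. SAMPLE_CONFIG is constructed from the
TEST-1 / TEST-2 / TEST-COMBINED example in the accepted answer.
"""
import re
from typing import Dict, List, Optional

SAMPLE_CONFIG = """\
object-group network TEST-1
 network-object host 1.1.1.1
 network-object host 1.1.1.2
 network-object host 1.1.1.3
object-group network TEST-2
 network-object host 1.1.1.4
 network-object host 1.1.1.5
 network-object host 1.1.1.6
object-group network TEST-COMBINED
 group-object TEST-1
 group-object TEST-2
access-list TEST extended permit ip any object-group TEST-COMBINED
"""

GROUP_HEADER = re.compile(r"^object-group network (\S+)$")

# Only the ACL shape used in the thread: any | host X | object-group G on each side.
ACL_LINE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|object-group \S+) (?P<dst>any|host \S+|object-group \S+)$"
)


def parse_object_groups(config: str) -> Dict[str, List[str]]:
    """Return {group name: [member lines]} for each 'object-group network' block."""
    groups: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines do not end a block
        header = GROUP_HEADER.match(line)
        if header:
            current = header.group(1)
            groups[current] = []
        elif current and line.startswith(("network-object ", "group-object ")):
            groups[current].append(line)
        elif current and line.startswith("description "):
            continue                      # description lines carry no members
        else:
            current = None                # any other top-level command ends the block
    return groups


def expand_group(name: str, groups: Dict[str, List[str]],
                 _stack: Optional[List[str]] = None) -> List[str]:
    """Recursively flatten a group to its network-object operands, in config order.

    A dangling group-object reference raises KeyError and a reference cycle raises
    ValueError; an audit script should surface both rather than skip them.
    """
    seen = _stack or []
    if name in seen:
        raise ValueError("group-object cycle: " + " -> ".join(seen + [name]))
    stack = seen + [name]
    members: List[str] = []
    for entry in groups[name]:            # KeyError if the group is undefined
        keyword, _, operand = entry.partition(" ")
        if keyword == "group-object":
            members.extend(expand_group(operand, groups, stack))
        else:
            members.append(operand)       # e.g. "host 1.1.1.1" or "10.0.0.0 255.255.255.0"
    return members


def expand_endpoint(token: str, groups: Dict[str, List[str]]) -> List[str]:
    """Expand 'object-group G' to its members; pass 'any' / 'host X' through."""
    if token.startswith("object-group "):
        return expand_group(token.split(" ", 1)[1], groups)
    return [token]


def expand_acl_line(line: str, groups: Dict[str, List[str]]) -> List[str]:
    """Return the flattened ACEs an ACL line produces, one per src/dst pair."""
    m = ACL_LINE.match(line.strip())
    if not m:
        raise ValueError("unsupported ACL syntax: " + line)
    return [
        f"access-list {m['name']} extended {m['action']} {m['proto']} {src} {dst}"
        for src in expand_endpoint(m["src"], groups)
        for dst in expand_endpoint(m["dst"], groups)
    ]


def expand_config(config: str) -> List[str]:
    """Expand every access-list line in a config using that config's object-groups."""
    groups = parse_object_groups(config)
    expanded: List[str] = []
    for raw in config.splitlines():
        if raw.startswith("access-list "):
            expanded.extend(expand_acl_line(raw, groups))
    return expanded


if __name__ == "__main__":
    for ace in expand_config(SAMPLE_CONFIG):
        print(ace)
```

Run against the sample it prints the six "permit ip any host 1.1.1.x" entries in the same order the ASA listed them, minus the line numbers, hit counts and hashes the firewall adds. The recursion keeps a stack of groups already entered so that a group that references itself directly or through another group is reported instead of looping forever, and an undefined group name surfaces as a KeyError rather than disappearing from the expanded rule.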


2 Replies


Hi Jouni,

Many thanks, it helped a lot.

Regards

Mahesh
