06-28-2013 01:33 PM - edited 03-11-2019 07:04 PM
Hi Everyone,
I know about object-group network, and that we define network-object host entries under them.
But the config below shows something else. When I run the command sh run object-group id X_servers it shows:
sh run object-group id X_Servers
object-group network X_Servers
network-object host 192.168.50.8
group-object X_DC
network-object host 192.168.50.10
network-object host 192.168.50.18
network-object host 192.168.50.9
network-object host 192.168.50.66
network-object host 192.168.50.19
network-object host 192.168.50.78
network-object host xyz
network-object host 192.168.50.77
group-object X_ES
network-object host 192.168.50.14
network-object host 192.168.50.55
network-object host 192.168.50.152
I need to understand what the group-objects are here and why we use them.
Regards
Mahesh
06-28-2013 01:51 PM
Hi Mahesh,
The "group-object" essentially defines an "object-group" inside another "object-group".
Take this example from my own firewall that I just did:
object-group network TEST-1
network-object host 1.1.1.1
network-object host 1.1.1.2
network-object host 1.1.1.3
object-group network TEST-2
network-object host 1.1.1.4
network-object host 1.1.1.5
network-object host 1.1.1.6
object-group network TEST-COMBINED
group-object TEST-1
group-object TEST-2
access-list TEST extended permit ip any object-group TEST-COMBINED
Then we can have a look at the actual "access-list" in expanded form:
show access-list TEST
access-list TEST line 2 extended permit ip any object-group TEST-COMBINED 0x26d4a4c0
access-list TEST line 2 extended permit ip any host 1.1.1.1 (hitcnt=0) 0x6e3aac07
access-list TEST line 2 extended permit ip any host 1.1.1.2 (hitcnt=0) 0xfbaa7dde
access-list TEST line 2 extended permit ip any host 1.1.1.3 (hitcnt=0) 0x110123ec
access-list TEST line 2 extended permit ip any host 1.1.1.4 (hitcnt=0) 0x3c83a140
access-list TEST line 2 extended permit ip any host 1.1.1.5 (hitcnt=0) 0x7f20bf16
access-list TEST line 2 extended permit ip any host 1.1.1.6 (hitcnt=0) 0x65046d97
So as you can see, we have configured 2 "object-group network" named "TEST-1" and "TEST-2". Then we have configured an "object-group" called "TEST-COMBINED" and added the above-mentioned 2 "object-group" under it by using the command "group-object".
Then we use that single "object-group" in an ACL.
Why would we use them? Well, personally I wouldn't, and I don't.
But I would have to imagine that if you had several groups of hosts/networks/servers that you had grouped together in their own separate "object-group", and then wanted to also include all those hosts/networks/servers in some "access-list", you could first group them inside another "object-group" and use this created "object-group" to configure the ACL rule, rather than using multiple ACL lines with all the different "object-group" names.
But as I said, I have never really used this. When configuring the ASA on the CLI side this would make my life a lot harder. I would imagine that some people using the ASDM might use this more, but I don't see any added benefit in it for me personally.
In your above case you could use the commands
show run object-group id X_DC
show run object-group id X_ES
to view the contents of those "object-group".
Hope this helps
- Jouni
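The expansion Jouni shows with "show access-list" can be reproduced offline from a "show run object-group" dump, which is handy when auditing which hosts an ACL really reaches through several layers of nesting. The script below is an added example, not code from the thread or from Cisco: it parses network object-groups, resolves every "group-object" reference recursively, and renders the per-member lines the ASA would print for an "access-list ... any object-group X" entry. It also rejects a reference to an undefined group and a group-object loop (the ASA refuses to configure a loop, but a hand-edited dump may still contain one). The sample configuration is constructed to mirror the TEST-1 / TEST-2 / TEST-COMBINED example above, with one extra subnet member added to show that non-host members are carried through; only "network-object host", "network-object <ip> <mask>" and "group-object" members are understood, other member types are skipped.

```python
"""Flatten nested ASA network object-groups the way `show access-list` does.

Added example for this thread, not code from the original post or from Cisco.
"""
import re

# Constructed sample of `show run object-group` output (not from a real firewall).
SAMPLE_CONFIG = """\
object-group network TEST-1
 network-object host 1.1.1.1
 network-object host 1.1.1.2
 network-object host 1.1.1.3
object-group network TEST-2
 network-object host 1.1.1.4
 network-object host 1.1.1.5
 network-object 10.0.0.0 255.255.255.0
object-group network TEST-COMBINED
 group-object TEST-1
 group-object TEST-2
 network-object host 1.1.1.6
"""

GROUP_RE = re.compile(r"^object-group network (\S+)\s*$")
HOST_RE = re.compile(r"^\s*network-object host (\S+)\s*$")
SUBNET_RE = re.compile(r"^\s*network-object (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\s*$")
GROUP_REF_RE = re.compile(r"^\s*group-object (\S+)\s*$")


def parse_object_groups(config_text):
    """Return {group_name: [member, ...]} where a member is
    ("host", ip_or_name), ("subnet", ip, mask) or ("group", group_name)."""
    groups = {}
    current = None
    for line in config_text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        if current is None:
            continue  # text outside any object-group block is ignored
        m = HOST_RE.match(line)
        if m:
            groups[current].append(("host", m.group(1)))
            continue
        m = SUBNET_RE.match(line)
        if m:
            groups[current].append(("subnet", m.group(1), m.group(2)))
            continue
        m = GROUP_REF_RE.match(line)
        if m:
            groups[current].append(("group", m.group(1)))
        # other member kinds (e.g. "network-object object NAME") are skipped
    return groups


def expand_group(groups, name, _stack=None):
    """Flatten `name` into the list of ACE targets, in configuration order,
    descending into every group-object reference.

    Raises KeyError for a reference to an undefined group and ValueError
    for a group-object loop."""
    stack = _stack or []
    if name in stack:
        raise ValueError("group-object loop: " + " -> ".join(stack + [name]))
    if name not in groups:
        raise KeyError("undefined object-group %r referenced from %s"
                       % (name, stack[-1] if stack else "ACL"))
    result = []
    for member in groups[name]:
        if member[0] == "group":
            result.extend(expand_group(groups, member[1], stack + [name]))
        elif member[0] == "host":
            result.append("host " + member[1])
        else:
            result.append(member[1] + " " + member[2])
    return result


def expanded_aces(groups, acl_name, group_name, action="permit", proto="ip"):
    """Render the per-member lines `show access-list` prints for one
    `access-list <acl> extended <action> <proto> any object-group <group>` entry
    (without the line numbers, hit counters and hashes the ASA appends)."""
    return [
        "access-list %s extended %s %s any %s" % (acl_name, action, proto, target)
        for target in expand_group(groups, group_name)
    ]


if __name__ == "__main__":
    g = parse_object_groups(SAMPLE_CONFIG)
    for ace in expanded_aces(g, "TEST", "TEST-COMBINED"):
        print(ace)
```

Feed it the real output of "show run object-group" and call expand_group on the outer group (X_Servers in Mahesh's case) to see exactly which hosts the nested X_DC and X_ES groups contribute, in the order the ASA evaluates them.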
06-29-2013 08:42 AM
Hi Jouni,
Many thanks, it helped a lot.
Regards
Mahesh