Object groups - Best practice and limitations

Mar 23rd, 2007


Let's say that I want to permit this in an access-list:

tcp/22
tcp/23
udp/53
udp/555
icmp echo (ping)

With object-grouping I should solve it like this:

object-group network my-source

object-group network my-dest

object-group service my-ports-TCP tcp
 port-object eq 22
 port-object eq 23
object-group service my-ports-UDP udp
 port-object eq 53
 port-object eq 555

access-list acl permit tcp object-group my-source object-group my-dest object-group my-ports-TCP
access-list acl permit udp object-group my-source object-group my-dest object-group my-ports-UDP
access-list acl permit icmp object-group my-source object-group my-dest echo

My question is: Is there a better way to do it in Pix/ASA v7.x? I think there is a great limitation in the fact that tcp, udp and icmp traffic cannot be grouped into the same service object-group.

If I could place tcp/22, tcp/23, udp/53, udp/555 and icmp echo (0/8) into the same object-group, the ACL should be shortened into one single line. This is possible in other brands of firewalls...

Please comment!

Best regards


suschoud Fri, 03/23/2007 - 07:25

Use the protocol object group in order to specify a protocol(s) that you want to define in an ACL or conduit. You can use this object group as the protocol type only in the associated ACL or conduit. Note that the allowed protocols for this object group are only the standard PIX protocol names allowed in an access-list or conduit command, such as Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Generic Routing Encapsulation (GRE), Enhanced Interior Gateway Routing Protocol (EIGRP), Encapsulating Security Payload (ESP), Authentication Header (AH), and so on. Protocols that sit on top of TCP or UDP cannot be specified with a protocol object group. Instead, these protocols use an object group, as shown in this example.

(config)# object-group protocol proto_grp_1
(config-protocol)# protocol-object udp
(config-protocol)# protocol-object tcp
(config-protocol)# protocol-object esp
(config-protocol)# exit
(config)# access-list 102 permit object-group proto_grp_1 any any


I guess you got it.

jilahbg Fri, 03/23/2007 - 07:52

You mean that there is no easier/better way to do it than what I wrote? I am not interested in grouping different IP protocols, but in grouping different tcp and udp ports in one single group.



suschoud Fri, 03/23/2007 - 07:57

If you group different protocols together, you can set up different tcp/udp/icmp ports together too.

The limitation:

protocols: tcp/udp/icmp

ports: 23/24/25

Then the access-list will open these ports for all the protocols which you define in the protocol object group.

Yes, there's no better way of doing this.

I suggested a workaround.


cisco tac
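As an added example that is not part of this thread: the Python below renders one protocol/port specification two ways, the per-protocol form the original post had to use on PIX/ASA 7.x (one service object-group and one ACE per L4 protocol, ICMP type given inline on the ACE), and the single-ACE form that uses the mixed object-group service / service-object syntax added in later ASA releases (8.3 and newer for the exact syntax shown). The group names, the use of the extended keyword and the version claim are my assumptions and should be checked against the command reference for the running release; the spec list is constructed from the question.

```python
"""Render PIX/ASA object-group and access-list lines for a mixed
protocol/port specification.  Added example, not from the original thread.

Assumptions (mine, not from the page):
  * the 7.x form needs one service object-group and one ACE per L4
    protocol; ICMP types go directly on the ACE, as in the original post;
  * the single-ACE form uses the mixed 'object-group service' syntax of
    ASA 8.3 and later; verify against your release's command reference.
"""
from collections import OrderedDict

# Constructed spec mirroring the question: (protocol, port or ICMP type).
# A protocol with no port/type (e.g. ("esp", None)) is also accepted.
SPEC = [("tcp", 22), ("tcp", 23), ("udp", 53), ("udp", 555), ("icmp", "echo")]


def render_7x(acl, src, dst, spec):
    """PIX/ASA 7.x style: one service object-group and one ACE per protocol."""
    by_proto = OrderedDict()
    for proto, svc in spec:
        by_proto.setdefault(proto, []).append(svc)

    lines = []
    # tcp/udp ports can be grouped, but only within a single-protocol group
    for proto, svcs in by_proto.items():
        if proto in ("tcp", "udp"):
            lines.append(f"object-group service {acl}-{proto}-ports {proto}")
            lines += [f" port-object eq {p}" for p in svcs]

    # one ACE per L4 protocol; ICMP types (or nothing) are given inline
    for proto, svcs in by_proto.items():
        base = (f"access-list {acl} extended permit {proto} "
                f"object-group {src} object-group {dst}")
        if proto in ("tcp", "udp"):
            lines.append(f"{base} object-group {acl}-{proto}-ports")
        else:
            lines += [base + (f" {t}" if t else "") for t in svcs]
    return lines


def render_83(acl, src, dst, spec):
    """ASA 8.3+ style: one mixed service object-group and a single ACE."""
    grp = f"{acl}-services"
    lines = [f"object-group service {grp}"]
    for proto, svc in spec:
        if proto in ("tcp", "udp"):
            lines.append(f" service-object {proto} destination eq {svc}")
        else:
            lines.append(f" service-object {proto}" + (f" {svc}" if svc else ""))
    # the mixed group takes the protocol position, so no port suffix is needed
    lines.append(f"access-list {acl} extended permit object-group {grp} "
                 f"object-group {src} object-group {dst}")
    return lines


def ace_count(lines):
    """Number of access-list entries (before the ASA expands object-groups)."""
    return sum(1 for line in lines if line.startswith("access-list "))


if __name__ == "__main__":
    for name, fn in (("7.x", render_7x), ("8.3+", render_83)):
        cfg = fn("acl", "my-source", "my-dest", SPEC)
        print(f"! {name}: {ace_count(cfg)} ACE(s)")
        print("\n".join(cfg))
```

The ACE count is the configured line count only; the number of elements the ASA actually expands each ACE into depends on the sizes of my-source and my-dest, which is the subject of the later question in this thread.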

yenaungoo Wed, 11/13/2013 - 19:27

Hi, can anyone suggest how many IP addresses can be configured under an object-group network? (ASA 5550 ver 8.2)

My customer wants to configure 6000 IPs under an object-group and add a deny rule for this group. Any best practice for that?

Thanks ahead,

jumora Wed, 11/13/2013 - 20:00

Q. What is the maximum number of ACLs that can be configured on the ASA?

A. There is no defined limit for the number of ACLs that can be configured on the ASA. It depends on the memory present in the ASA.

The same applies to object-group settings.
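An added example, not part of the thread, on the 6000-address question: before loading a large object-group, collapse the address list into covering prefixes and estimate how many elements the resulting ACE expands to. The ASA expands an ACE that references object-groups into one element per source/destination/service combination, and that expansion, rather than a fixed entry limit, is what consumes memory. The sample addresses are constructed, the group name is hypothetical, and the network-object syntax shown is the classic pre-8.3 form.

```python
"""Build an ASA 'object-group network' from a large address list and
estimate the expanded element count of an ACE that references it.
Added example, not from the original thread.

Assumptions (mine, not from the page):
  * the ASA expands each ACE into one element per
    (source, destination, service) combination;
  * 'network-object host A.B.C.D' / 'network-object NET MASK' is the
    pre-8.3 syntax (8.3+ also accepts 'network-object NET/LEN').
"""
import ipaddress

# Constructed input: a full /24 listed host by host, two adjacent /25s and
# one stray host, 259 entries in total.
HOSTS = [f"10.1.1.{i}" for i in range(256)] + [
    "10.1.2.0/25", "10.1.2.128/25", "192.0.2.7",
]


def collapse(addrs):
    """Merge hosts and prefixes into the minimal sorted set of covering prefixes.

    All addresses must be the same IP version; ipaddress raises TypeError
    otherwise, which is the right outcome for a mixed v4/v6 list here.
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in addrs]
    return list(ipaddress.collapse_addresses(nets))


def render_network_group(name, nets):
    """Emit the object-group with one network-object per collapsed prefix."""
    lines = [f"object-group network {name}"]
    for net in nets:
        if net.num_addresses == 1:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines


def expanded_elements(src_objects, dst_objects, services):
    """Elements the ASA creates for one ACE referencing groups of these sizes."""
    return src_objects * dst_objects * services


def plan(name, addrs, dst_objects=1, services=1):
    """Collapse the list and report the element cost before and after."""
    nets = collapse(addrs)
    return {
        "config": render_network_group(name, nets),
        "entries_before": len(addrs),
        "entries_after": len(nets),
        "elements_before": expanded_elements(len(addrs), dst_objects, services),
        "elements_after": expanded_elements(len(nets), dst_objects, services),
    }


if __name__ == "__main__":
    result = plan("blocked-hosts", HOSTS)
    print("\n".join(result["config"]))
    print(f"! {result['entries_before']} entries -> {result['entries_after']}, "
          f"ACE expands to {result['elements_after']} element(s) "
          f"instead of {result['elements_before']}")
```

Compare the estimate with the element count the box reports for the ACL after you load it; when the deny rule is applied to several interfaces or against several destination groups, multiply accordingly, since each such ACE expands independently.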

