Create Network object in ASA

acbenny · ‎04-06-2008

Hi all,

The method to create network object make me quite confuse that if I create network object by ASDM, it is success. But if I use CLI in create network object, it seems fail. Attach is the screen dump for your reference. Any one has idea ? Thank you !

acbenny · ‎04-06-2008

Attachment

chickman · ‎04-07-2008

acbenny,

Object groups are extremely easy. You just have to have and idea of how you want your ACLs to look. Object groups are just cosmetic when it comes down to it.

Just for the sake of putting it out there, you can create a few different types of object groups. They are: ICMP-Type, Network, Protocol, and Service. You can also do what is called nesting, but only with similar object group types.

You'll first start by creating one. Below is an example:

** This is if you have any systems pre-configured to names

(config)#names

(config)#name 10.1.1.10 myFTPserver

(config)#object-group network ftp_servers

(config-network)#network-object host 10.1.1.14

(config-network)#network-object host myFTPserver

(config-network)#network-object 10.1.1.32 255.255.255.224

(config-network)#exit

Once you've created your object group, you will need to use it within your ACL. It will look something like this:

(config)#access-list 101 permit ip any object-group ftp_servers

if you only want a specific protocol, say these are associated to FTP, then you should specify it.

(config)#access-list 101 permit tcp any object-group ftp_servers eq ftp

I hope this assists.

As an FYI, I'm just taking this straight from the cisco documentation: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml