With IOS 12.4(20)T, I am able to create network or service object-groups.
I would like to create an external network object-group, meaning that it will include all outside networks and exclude all my inside private networks.
I didn't find any way to say 'all but my inside networks'.
Then I created an object-group containing all public network ranges between the private RFC 1918 classes:
range 0.0.0.1 188.8.131.52
range 184.108.40.206 220.127.116.11
range 18.104.22.168 22.214.171.124
range 126.96.36.199 188.8.131.52
range 184.108.40.206 220.127.116.11
IOS has nothing to negate a host or a subnet or a network range.
I can use an ACE deny object-group <internal networks> to exclude internal networks before a permit any any, but it will make the configuration bigger, less readable and confusing when there are a lot of ACEs to be organized.
Maybe it is a new feature suggestion to exclude some networks in object-groups rather than always include them.