IOS FW object-group network

Jan 19th, 2009

With IOS 12.4(20)T, I am able to create network or service object-groups.

I would like to create an external network object-group meaning that it will include all outside networks and exclude all my inside private networks.

I didn't find any way to say 'all but my inside networks'.

Then, I created an object-group containing all public network ranges between the private RFC 1918 classes:






IOS has nothing to negate a host, a subnet or a network range.

I can use an ACE "deny object-group <internal networks>" to exclude internal networks before a "permit any any", but it will make the configuration bigger, less readable and confusing when there are a lot of ACEs to be organized.

Maybe it is a new feature suggestion: to exclude some networks in object-groups rather than always include them.

falain Tue, 03/03/2009 - 08:26

I answer to myself since nobody replies.

Is IOS FW banned from the security forum?

Maybe it is an ASA internal killer product!

I found in the release notes (supposedly) that object-group range has an implicit /24 netmask.

So it is impossible to go beyond class C boundaries.

Then, I replaced it with many subnets using my favourite CIDR calculator.
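The CIDR split described above, as an added example that is not code from this thread: it computes the complement of the RFC 1918 ranges as a minimal list of subnets and renders them as IOS object-group network lines in network-address/netmask form (the object-group name EXTERNAL is a placeholder).

```python
import ipaddress

# Constructed input: the three RFC 1918 ranges to exclude.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def complement(excluded, universe=ipaddress.ip_network("0.0.0.0/0")):
    """Return the minimal sorted list of networks covering `universe`
    minus every network in `excluded` (the 'all but my inside networks'
    set that IOS object-groups cannot express directly)."""
    remaining = [universe]
    for priv in excluded:
        nxt = []
        for net in remaining:
            if priv.subnet_of(net):
                # Split net into the siblings along the path down to priv.
                nxt.extend(net.address_exclude(priv))
            elif net.subnet_of(priv):
                continue  # entirely inside a private range: drop it
            else:
                nxt.append(net)
        remaining = nxt
    # Merge any adjacent blocks so the object-group stays as short as possible.
    return sorted(ipaddress.collapse_addresses(remaining))


def render_object_group(name, nets):
    """Emit an IOS 'object-group network' block, one 'address mask' entry
    per subnet (no 'range' entries, so the /24 limitation is avoided)."""
    lines = [f"object-group network {name}"]
    for net in nets:
        lines.append(f" {net.network_address} {net.netmask}")
    return "\n".join(lines)


def is_external(addr, nets):
    """True if `addr` falls inside one of the computed external subnets."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    external = complement(RFC1918)
    print(render_object_group("EXTERNAL", external))
    print(f"! {len(external)} entries")
```

The same list can be pasted into a network object-group and referenced from a single permit ACE, instead of a deny-then-permit pair whose ordering must be maintained.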

Alex Yeung (Cisco Employee) Thu, 03/05/2009 - 10:33


Of course IOS FW is NOT banned from security forum. In fact, we have an "Ask The Experts" section going on just for IOS Firewall:

To answer your question, service Object Group has the "neg" knob to negate objects. For network Object Group, you can use the "deny object-group-name" in ACL, just like you described.


Alex Yeung

falain Fri, 03/06/2009 - 10:15


Thanks for answering.

I suppose you mean 'neq' in service object-group (i.e. tcp neq www).

But I think IOS lacks this negative syntax in network object-groups to say 'not this subnet' or 'not this host'.

Then, to define the network object-group External, I have to list all but my private subnets (RFC 1918 A, B & C classes).

It would have been easier and lighter to negate my private subnets.

I don't want to make deny-then-permit ACEs because they are generated automatically and the ACEs' ordering can't be guaranteed.

So object-groups must be self-explanatory.

Alex Yeung (Cisco Employee) Fri, 03/06/2009 - 17:27

Thanks for your feedback. I will take it to our engineering team.


Alex Yeung
