Editing hosts into an already configured object-group on ASA5520

Dec 24th, 2009

I am configuring site-to-site ipsec vpn tunnels and I use object-groups with ACLs.  How do you add host IPs to an already created object-group without having to tear down the object-group?

I tried adding hosts in ASDM into an already defined object-group and ASDM complained at me and gave me an error.  However, after the error it looked like it took it anyway.



You should be able to modify an existing object-group without problems, providing that you are putting in the appropriate parameters.  Try ssh'ing into the ASA devices.

Find the object-group that you want to modify; I will use an object-group HQ_LAN as an example only.

asa5520# sh run | be object-group

asa5520# conf t
asa5520(config)# object-group network HQ_LAN
asa5520(config-network)# network-object host <host-ip>                  => Single host
asa5520(config-network)# network-object 192.168.200.0 255.255.255.0     => Class C network 192.168.200.x
asa5520(config-network)# exit
asa5520(config)# wr mem

Hope this answers your question.  If you are looking at the ASDM, the concepts should be exactly the same; just ensure that you are modifying the appropriate object-group and using the correct syntax.

GREG HARPER Mon, 12/28/2009 - 07:52

Thanks for the quick reply.  So, I won't have to remove the specific access-list associated with this object-group first?

I can just go ahead and edit it like you have shown?

G -


You should be able to add the new host to the object-group. If you are trying to be more specific with the object-group, then yes, you should remove the other full subnet object from the object-group; however, be aware that when you are changing the object-group those changes will affect all rules ("ACL", "NAT", "Xlates") as well if they are using the same object-group in those statements.

Object-groups can be a great tool, or a nightmare.  Ensure that your naming conventions clearly give reason for the object-groups to alleviate problems.
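The two answers above describe a manual procedure (paste `network-object` lines into an existing group, then `wr mem`) and a caveat (every ACL and NAT statement that names the group changes with it). The script below is an added example, not code from this thread or from Cisco: it parses a constructed `show running-config` fragment, emits only the `network-object host` lines that are not already present or already covered by a broader subnet member in the group, and lists the ACL/NAT lines that reference the group so you can see what else the change touches. The group name HQ_LAN is taken from the answer; BRANCH_LAN, the ACL name OUTSIDE_CRYPTO, and the NAT line are assumed sample content.

```python
import ipaddress
import re

# Constructed sample of `show running-config` output; not captured from a real ASA.
# HQ_LAN comes from the answer above; BRANCH_LAN, OUTSIDE_CRYPTO and the nat line are assumed.
SAMPLE_RUN = """\
object-group network HQ_LAN
 network-object 192.168.200.0 255.255.255.0
 network-object host 10.1.1.5
object-group network BRANCH_LAN
 network-object 10.20.0.0 255.255.0.0
access-list OUTSIDE_CRYPTO extended permit ip object-group HQ_LAN object-group BRANCH_LAN
nat (inside,outside) source static HQ_LAN HQ_LAN destination static BRANCH_LAN BRANCH_LAN
"""


def parse_object_groups(running_config):
    """Map each 'object-group network' name to its list of network-object members."""
    groups = {}
    current = None
    for line in running_config.splitlines():
        m = re.match(r"^object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and line.startswith(" network-object "):
            groups[current].append(line.strip()[len("network-object "):])
        elif not line.startswith(" "):
            current = None  # an unindented line ends the group's block
    return groups


def members_to_networks(members):
    """Turn 'host A.B.C.D' and 'A.B.C.D M.M.M.M' members into ip_network objects."""
    nets = []
    for member in members:
        parts = member.split()
        if parts[0] == "host":
            nets.append(ipaddress.ip_network(parts[1]))
        else:  # ASA writes subnet members as 'network mask'
            nets.append(ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False))
    return nets


def references_to(running_config, group_name):
    """Lines outside the group's own definition (ACL, NAT, ...) that use it by name."""
    pat = re.compile(r"\b" + re.escape(group_name) + r"\b")
    return [l for l in running_config.splitlines()
            if not l.startswith("object-group ") and pat.search(l)]


def add_hosts_commands(running_config, group_name, hosts):
    """Return (cli_lines, skipped) that add `hosts` to an existing group idempotently.

    skipped maps each host that was not added to the reason: 'present' if it is
    already a member, or 'covered:<subnet>' if a broader member already includes it
    (the 'be more specific' case discussed above, where you may want to drop the subnet).
    """
    groups = parse_object_groups(running_config)
    if group_name not in groups:
        # Typing the object-group line for an unknown name silently creates an empty
        # group on the ASA; refuse rather than do that by accident.
        raise ValueError(f"object-group {group_name} not found in running-config")
    existing = members_to_networks(groups[group_name])
    body, skipped = [], {}
    for h in hosts:
        ip = ipaddress.ip_address(h)  # rejects malformed input such as 192.168.200.x
        if any(n.num_addresses == 1 and ip in n for n in existing):
            skipped[h] = "present"
        elif any(ip in n for n in existing):
            skipped[h] = "covered:" + str(next(n for n in existing if ip in n))
        else:
            body.append(f" network-object host {ip}")
    if not body:
        return [], skipped
    cli = ["configure terminal", f"object-group network {group_name}"]
    cli += body + ["exit", "write memory"]
    return cli, skipped


if __name__ == "__main__":
    cli, skipped = add_hosts_commands(
        SAMPLE_RUN, "HQ_LAN", ["10.1.1.5", "192.168.200.10", "172.16.5.9"])
    print("\n".join(cli))
    for host, why in skipped.items():
        print(f"! skipped {host}: {why}")
    for ref in references_to(SAMPLE_RUN, "HQ_LAN"):
        print("! also affected by this change:", ref)
```

Run it against a saved `show running-config` to get a paste-ready block; the references list is the practical check for the caveat in the second answer, since anything it prints will start matching (or stop matching) traffic as soon as the group changes.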
