Editing hosts into an already configured object-group on ASA5520

Unanswered Question
Dec 24th, 2009

I am configuring site-to-site ipsec vpn tunnels and I use object-groups with ACLs.  How do you add host IPs to an already created object-group without having to tear down the object-group?


I tried adding hosts in ASDM into an already defined object-group and ASDM complained at me and gave me an error.  However, after the error it looked like it took it anyway.


Thanks,

glh


Greg,


You should be able to modify an existing object-group without problems, provided that you are putting in the appropriate parameters.  Try ssh'ing into the ASA devices.


Find the object-group that you want to modify. I will show an object-group HQ_LAN for example only.


asa5520# sh run | be object-group

asa5520# conf t

asa5520(config)# object-group network HQ_LAN
asa5520(config-network)# network-object 192.168.200.10 255.255.255.255  => Single host
asa5520(config-network)# network-object 192.168.200.0 255.255.255.0     => Class C network 192.168.200.x
asa5520(config-network)# exit
asa5520(config)# wr mem



Hope this answers your question.  If you are looking at the ASDM, the concepts should be exactly the same; just ensure that you are modifying the appropriate object-group and using the correct syntax.

GREG HARPER Mon, 12/28/2009 - 07:52

Thanks for the quick reply.  So, I won't have to remove the specific access-list associated with this object-group first?


I can just go ahead and edit it like you have shown?


G -

Greg,


You should be able to add the new Host to the object-group. If you are trying to be more specific with the object-group, then yes, you should remove the other full subnet object from the object-group; however, be aware that when you are changing the object-group those changes will affect all rules ("ACL", "NAT", "Xlates") as well if they are using the same object-group in those statements.


Object-groups can be a great tool, or a nightmare.  Ensure that your naming conventions clearly give reason for the object-groups to alleviate problems.


Thanks,

Joe
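Joe's caveat that an object-group edit lands on every ACL, NAT and crypto rule that uses the group is worth checking before typing the change. The following is an added example, not from this thread or from Cisco: a small Python script that takes a saved "show running-config" and lists the group's current members, the lines that reference it directly, and the rules (nat, crypto map) that apply those access-lists. The configuration text and all names in it (HQ_LAN, BRANCH_LAN, OUTSIDE_CRYPTOMAP, INSIDE_NONAT, OUTSIDE_MAP) are constructed for the example.

```python
"""Blast-radius check before editing an ASA network object-group.
Added example; the config below is constructed sample text, not a real device."""
import re

# Constructed sample of 'show running-config' output (hypothetical names).
SAMPLE_RUNNING_CONFIG = """\
object-group network HQ_LAN
 network-object 192.168.200.0 255.255.255.0
object-group network BRANCH_LAN
 network-object 10.10.0.0 255.255.0.0
access-list OUTSIDE_CRYPTOMAP extended permit ip object-group HQ_LAN object-group BRANCH_LAN
access-list INSIDE_NONAT extended permit ip object-group HQ_LAN object-group BRANCH_LAN
nat (inside) 0 access-list INSIDE_NONAT
access-list OUTSIDE_IN extended permit tcp any host 192.168.200.10 eq 443
crypto map OUTSIDE_MAP 10 match address OUTSIDE_CRYPTOMAP
"""

def object_group_members(config, name):
    """Return the indented body lines of 'object-group network <name>'."""
    members, inside = [], False
    for line in config.splitlines():
        if re.match(r"object-group network %s\b" % re.escape(name), line):
            inside = True            # header line itself is not a member
            continue
        if inside and line.startswith(" "):
            members.append(line.strip())
        elif inside:
            inside = False           # first unindented line ends the group body
    return members

def direct_references(config, name):
    """Lines that use the group: 'object-group <name>' in ACL/NAT entries,
    or 'group-object <name>' when nested inside another group."""
    pat = re.compile(r"\b(object-group|group-object) %s\b" % re.escape(name))
    return [l for l in config.splitlines() if pat.search(l)]

def indirect_references(config, direct_lines):
    """For each access-list that uses the group, find the lines that apply
    that access-list (nat exemption, crypto map match address, access-group),
    so the edit's effect on VPN and NAT policy is visible before it is made."""
    acl_names = {l.split()[1] for l in direct_lines if l.startswith("access-list ")}
    hits = []
    for line in config.splitlines():
        if line.startswith("access-list "):
            continue                 # ACL entries themselves are in direct_lines
        if any(re.search(r"\b%s\b" % re.escape(n), line) for n in acl_names):
            hits.append(line)
    return hits

if __name__ == "__main__":
    refs = direct_references(SAMPLE_RUNNING_CONFIG, "HQ_LAN")
    print("members:", object_group_members(SAMPLE_RUNNING_CONFIG, "HQ_LAN"))
    print("direct:", refs)
    print("indirect:", indirect_references(SAMPLE_RUNNING_CONFIG, refs))
```

Run it against a saved copy of the running config (or pipe in "sh run | be object-group" output) to see which crypto-map and NAT rules will change when a host is added to the group.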
