Editing hosts into an already configured object-group on ASA5520

Unanswered Question
Dec 24th, 2009

I am configuring site-to-site ipsec vpn tunnels and I use object-groups with ACLs.  How do you add host IPs to an already created object-group without having to tear down the object-group?

I tried adding hosts in ASDM into an already defined object-group and ASDM complained at me and gave me an error.  However, after the error it looked like it took it anyway.

Thanks,

glh

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

Greg,

You should be able to modified an existing object-group without problems providing that you are putting in the appropriate parameters.  Try ssh'ing into the ASA devices.

Find that object-group that you want to modify, I will show an object-group HQ_LAN for example only.

asa5520# sh run | be object-group

asa5520# conf t

asa5520(config)# object-group nework HQ_LAN

asa5520(config-network)# network-object 192.168.200.10 255.255.255.255  => Single host

asa5520(config-network)# network-object 192.168.200.0 255.255.255.0        => Class C network 192.168.200.x

asa5520(config-network)# exit

asa5520(config-network)# wr mem

Hope this answers your question.  If you are looking at the ASDM, the concepts should be exactly the same just ensure that you are modifing the appropriate object-group and using the correct syntax.

GREG HARPER Mon, 12/28/2009 - 07:52

Thanks for the quick reply.  So, I won't have to remove the specific acces

s-list associated with this object-group first?

I can just go ahead and edit it like you have shown?

G -

Greg,

You should be able to add the new Host to the object-group. If you are trying to be more specific with the object-group than yes you should remove the other full subnet object from the object-group, however be aware that when you are changing the object-group those changes will affect all rules "ACL" "NAT" "Xlates" as well if they are using the same object-group with those statements.

Object-groups can be a great tool, or a nightmare.  Ensure that your naming conventions clearly give reason for the object-groups to alleviate problems.

Thanks,

Joe

Actions

This Discussion