12-24-2009 07:38 AM
I am configuring site-to-site IPsec VPN tunnels and I use object-groups with ACLs. How do you add host IPs to an already created object-group without having to tear down the object-group?
I tried adding hosts in ASDM into an already defined object-group and ASDM complained at me and gave me an error. However, after the error it looked like it took it anyway.
Thanks,
glh
12-24-2009 08:42 AM
Greg,
You should be able to modify an existing object-group without problems, provided that you are putting in the appropriate parameters. Try ssh'ing into the ASA devices.
Find the object-group that you want to modify; I will show an object-group HQ_LAN for example only.
asa5520# sh run | be object-group
asa5520# conf t
asa5520(config)# object-group network HQ_LAN
asa5520(config-network)# network-object 192.168.200.10 255.255.255.255 => Single host
asa5520(config-network)# network-object 192.168.200.0 255.255.255.0 => Class C network 192.168.200.x
asa5520(config-network)# exit
asa5520(config)# wr mem
Hope this answers your question. If you are looking at the ASDM, the concepts should be exactly the same; just ensure that you are modifying the appropriate object-group and using the correct syntax.
12-28-2009 07:52 AM
Thanks for the quick reply. So, I won't have to remove the specific access-list associated with this object-group first?
I can just go ahead and edit it like you have shown?
G -
12-28-2009 08:03 AM
Greg,
You should be able to add the new host to the object-group. If you are trying to be more specific with the object-group, then yes, you should remove the other full subnet object from the object-group; however, be aware that when you are changing the object-group, those changes will affect all rules ("ACL", "NAT", "Xlates") as well if they are using the same object-group with those statements.
Object-groups can be a great tool, or a nightmare. Ensure that your naming conventions clearly give reason for the object-groups to alleviate problems.
Thanks,
Joe
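An added example, not part of the original posts: a way to see which ACLs, NAT exemptions and crypto maps an object-group edit will reach before making it, by scanning a saved `show running-config`. The sample config, the names in it and the helper functions are constructed for illustration and assume pre-8.3 ASA syntax.

```python
import re

# Constructed sample in pre-8.3 ASA syntax; names and addresses are made up.
SAMPLE_CONFIG = """\
object-group network HQ_LAN
 network-object 192.168.200.0 255.255.255.0
object-group network BRANCH_LAN
 network-object 10.10.10.0 255.255.255.0
object-group network ALL_SITES
 group-object HQ_LAN
 group-object BRANCH_LAN
access-list VPN_TO_BRANCH extended permit ip object-group HQ_LAN object-group BRANCH_LAN
access-list NONAT extended permit ip object-group ALL_SITES 172.16.0.0 255.255.0.0
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
nat (inside) 0 access-list NONAT
crypto map OUTSIDE_MAP 10 match address VPN_TO_BRANCH
"""

def affected_groups(config, target):
    """Return target plus every object-group that nests it via group-object."""
    parents, current = {}, None  # parents: child group -> groups that include it
    for line in config.splitlines():
        if m := re.match(r"object-group \S+ (\S+)", line):
            current = m.group(1)
        elif not line.startswith(" "):
            current = None
        elif current and (m := re.match(r"\s+group-object (\S+)", line)):
            parents.setdefault(m.group(1), set()).add(current)
    found, todo = set(), [target]
    while todo:
        name = todo.pop()
        if name not in found:
            found.add(name)
            todo.extend(parents.get(name, ()))
    return found

def blast_radius(config, target):
    """Return (groups, ACL names, config lines that consume those ACLs)."""
    groups = affected_groups(config, target)
    rows = [line.split() for line in config.splitlines() if line.strip()]
    acls = {t[1] for t in rows if t[0] == "access-list" and any(
        a == "object-group" and b in groups for a, b in zip(t, t[1:]))}
    # Lines outside the ACL itself that name an affected ACL (nat, crypto map, ...).
    consumers = [" ".join(t) for t in rows
                 if t[0] != "access-list" and acls & set(t)]
    return groups, acls, consumers

if __name__ == "__main__":
    for part in blast_radius(SAMPLE_CONFIG, "HQ_LAN"):
        print(part)
```

In this sample, adding a host to HQ_LAN also changes ALL_SITES, so it alters both the VPN interesting-traffic ACL and the NAT exemption ACL in one step.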
12-28-2009 09:40 AM
Great, thank you.
g -