Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10637
Views
0
Helpful
4
Replies

Editing hosts into an already configured object-group on ASA5520

GREG HARPER
Level 1
Level 1

‎12-24-2009 07:38 AM

I am configuring site-to-site ipsec vpn tunnels and I use object-groups with ACLs.  How do you add host IPs to an already created object-group without having to tear down the object-group?

I tried adding hosts in ASDM into an already defined object-group and ASDM complained at me and gave me an error.  However, after the error it looked like it took it anyway.

Thanks,

glh

Labels:
0 Helpful
4 Replies 4

jsanchez
Level 1
Level 1

‎12-24-2009 08:42 AM

Greg,

You should be able to modified an existing object-group without problems providing that you are putting in the appropriate parameters.  Try ssh'ing into the ASA devices.

Find that object-group that you want to modify, I will show an object-group HQ_LAN for example only.

asa5520# sh run | be object-group

asa5520# conf t

asa5520(config)# object-group nework HQ_LAN

asa5520(config-network)# network-object 192.168.200.10 255.255.255.255  => Single host

asa5520(config-network)# network-object 192.168.200.0 255.255.255.0        => Class C network 192.168.200.x

asa5520(config-network)# exit

asa5520(config-network)# wr mem

Hope this answers your question.  If you are looking at the ASDM, the concepts should be exactly the same just ensure that you are modifing the appropriate object-group and using the correct syntax.

0 Helpful

GREG HARPER
Level 1
Level 1
In response to jsanchez

‎12-28-2009 07:52 AM

Thanks for the quick reply.  So, I won't have to remove the specific acces

s-list associated with this object-group first?

I can just go ahead and edit it like you have shown?

G -

0 Helpful

jsanchez
Level 1
Level 1
In response to GREG HARPER

‎12-28-2009 08:03 AM

Greg,

You should be able to add the new Host to the object-group. If you are trying to be more specific with the object-group than yes you should remove the other full subnet object from the object-group, however be aware that when you are changing the object-group those changes will affect all rules "ACL" "NAT" "Xlates" as well if they are using the same object-group with those statements.

Object-groups can be a great tool, or a nightmare.  Ensure that your naming conventions clearly give reason for the object-groups to alleviate problems.

Thanks,

Joe

0 Helpful

GREG HARPER
Level 1
Level 1
In response to jsanchez

‎12-28-2009 09:40 AM

Great, thank you.

g -

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents