Finding what object groups an ip address belongs to ?

Unanswered Question
Mar 10th, 2010
User Badges:

How can i find the object-group or object-groups an ip address belongs to/is part of in an ASA running conf ?


eg. sh run | i ip address or sh run object-group | i <ip add> gives me  the below output

network-object <ip add>

network-object <ip add>

network-object <ip add>


is there a command option that lists the ip address alongwith the object-group names that it belongs to ? as of now i have to look through the output of

"sh run object-group net" manually or save the running config to a text file and use the find function.



Regards,

Shiva

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (6 ratings)
Loading.
Federico Coto F... Wed, 03/10/2010 - 09:42
User Badges:
  • Green, 3000 points or more

Hi,


You can do the command:
sh run | i x.x.x.x


This will show all part of the configuration where the x.x.x.x IP belongs to.
For instance, if x.x.x.x is part of a static command, and ACL, and object-group, etc, it will prompt at the output of that command.

If your using names, you can disable that temporarily with the ''no names'' command.


Let me know if this does not help, because you're mentioning this command already.


Federico.

gginty Wed, 03/10/2010 - 09:45
User Badges:

Can someone please tell me where the link to Netypro is these days??  It used to be an option, but can no longer find it

Federico Coto F... Wed, 03/10/2010 - 09:52
User Badges:
  • Green, 3000 points or more

Ooopsss...


You did not like the answer, I'm sorry.


The best I can find is to do:


sh run | begin x.x.x.x


That will show all parts of the running-config where the IP address belongs along with the object-group names.

Edit- Sorry, this is not what you're looking for, I apologize for the misleading information. I'll try and see if I find an answer for you.


Federico.

Federico Coto F... Wed, 03/10/2010 - 10:25
User Badges:
  • Green, 3000 points or more

Not the answer you were looking for...


But can't find a command that shows you just the name of the object-group and the IP to which it belongs.

Think you're stucked with the ''sh run'' or two show commands (one for the IP and one for the object-group)


Perhaps somebody else can correct me if I'm wrong.


Federico.

Shiva Prasad Wed, 03/10/2010 - 14:35
User Badges:

I think we are stuck with limited command options in the asa, but such a feature is available in cisco router IOS as per info from a friend of mine. It is something like that shown below, i am yet to try that on a router if someone is very curious you can try and let us all know.

sh run object-group | section


Regards,

Shiva

Kureli Sankar Wed, 03/10/2010 - 20:00
User Badges:
  • Cisco Employee,

Shiva,

You are correct. There is no | s command in the ASA.

But, you can issue the following. sh run said that it is in the network object-group so, I issued a sh object-group network


ASA# sh run | i 3.3.3.3         
network-object host 3.3.3.3


ASA# sh run object-group network
object-group network 4080
network-object host 1.1.1.1
network-object host 2.2.2.2
network-object host 3.3.3.3


-KS

Shiva Prasad Thu, 03/11/2010 - 00:47
User Badges:

Hi KS,


i think you missed parts of my initial query, the commands that you used would be perefctly fine if you had only one network object group defined in the configuration and if the ip was part of only that one group, i was looking for a command that would list all the object groups an object is part of.


I think this would be a handy feature to have in future releases of the ASA SW, is someone from the product development listening ?


Regards,

Shiva

markford2 Tue, 05/31/2011 - 09:36
User Badges:

Maybe not for ASAs, but for routers/switches...


sh object-group | inc object|x.x.x.x

UST GLOBAL Thu, 07/07/2011 - 03:58
User Badges:

Hi,


this is not possible through ASA CLI, but is possible through ASDM.

Configuration->Firewall->AccessRules->Addresses(in the right most conrner), screenshot attached for details


SPK

Erik Ingeberg Thu, 07/07/2011 - 06:53
User Badges:

There is an even easier way to do this in ASDM. If you look at the screenshot posted by UST_GLOBAL, and right click on the content of one of the groups, you will be able to select "where used". This will show you a list of all the places this address is used.


UST GLOBAL Thu, 07/07/2011 - 07:36
User Badges:

it was described under the impression that we know only the IP address details and not the object group name. Consider there is a large number of object-groups present if we give the IP address in the filter of the "Addresses" will give all the object-group


SPK

bradley.thornto... Tue, 08/23/2011 - 06:58
User Badges:

Maybe not exactly what you were looking for but this is as close as I was ever able to get w/o ASDM.


no names


sho run object-group network | i object-group|1.2.3.4


you'll get the object-group names and 1.2.3.4 is the IP address.


Brad

Ruslan Moldaliev Thu, 12/22/2016 - 04:52
User Badges:

encountered recently the same task - find object by its IP and I found simple and easy way:

#show running-config object network in-line | i x.x.x.x

and one can see name and IP address in one line

object network HOST-1 host 10.1.y.y
object network HOST-2 host 10.1.y.y
object network HOST-3 host 10.1.y.y

no need to use double grep

golive999 Tue, 05/05/2015 - 04:16
User Badges:

Hi Shiva,

There is no direct way of finding what object group does an IP belong to. However if the IP is specified in the configuration, then

you can do a

 

packet-tracer input inside tcp <source Ip< <port number> <destination ip> <destination port>

This will pull the ACL with the object-group and display.

now execute

sh run object-group id <object-group name> | include IP address

Hope this helps :)

Please rate.

Thanks
ABD

 

pavitpalsingh Wed, 06/24/2015 - 00:29
User Badges:

you can Log the session and  Issue : show running-config object-group network 

 

Open in notepad.

 

FIND  (ctrl + f) the IP 

Actions

This Discussion