Solved: Finding what object groups an ip address belongs to ?

Shiva Prasad · ‎03-10-2010

How can i find the object-group or object-groups an ip address belongs to/is part of in an ASA running conf ?

eg. sh run | i ip address or sh run object-group | i <ip add> gives me the below output

network-object <ip add>

is there a command option that lists the ip address alongwith the object-group names that it belongs to ? as of now i have to look through the output of

"sh run object-group net" manually or save the running config to a text file and use the find function.

Regards,

Shiva

bradley.thornton · ‎08-23-2011

Maybe not exactly what you were looking for but this is as close as I was ever able to get w/o ASDM.

no names

sho run object-group network | i object-group|1.2.3.4

you'll get the object-group names and 1.2.3.4 is the IP address.

Brad

View solution in original post

Federico Coto Fajardo · ‎03-10-2010

Hi,

You can do the command:
sh run | i x.x.x.x

This will show all part of the configuration where the x.x.x.x IP belongs to.
For instance, if x.x.x.x is part of a static command, and ACL, and object-group, etc, it will prompt at the output of that command.

If your using names, you can disable that temporarily with the ''no names'' command.

Let me know if this does not help, because you're mentioning this command already.

Federico.

gginty · ‎03-10-2010

Can someone please tell me where the link to Netypro is these days?? It used to be an option, but can no longer find it

Federico Coto Fajardo · ‎03-10-2010

Ooopsss...

You did not like the answer, I'm sorry.

The best I can find is to do:

sh run | begin x.x.x.x

That will show all parts of the running-config where the IP address belongs along with the object-group names.

Edit- Sorry, this is not what you're looking for, I apologize for the misleading information. I'll try and see if I find an answer for you.

Federico.

Federico Coto Fajardo · ‎03-10-2010

Not the answer you were looking for...

But can't find a command that shows you just the name of the object-group and the IP to which it belongs.

Think you're stucked with the ''sh run'' or two show commands (one for the IP and one for the object-group)

Perhaps somebody else can correct me if I'm wrong.

Federico.

Shiva Prasad · ‎03-10-2010

I think we are stuck with limited command options in the asa, but such a feature is available in cisco router IOS as per info from a friend of mine. It is something like that shown below, i am yet to try that on a router if someone is very curious you can try and let us all know.

sh run object-group | section

Regards,

Shiva

Kureli Sankar · ‎03-10-2010

Shiva,

You are correct. There is no | s command in the ASA.

But, you can issue the following. sh run said that it is in the network object-group so, I issued a sh object-group network

ASA# sh run | i 3.3.3.3
network-object host 3.3.3.3

ASA# sh run object-group network
object-group network 4080
network-object host 1.1.1.1
network-object host 2.2.2.2
network-object host 3.3.3.3

-KS

Shiva Prasad · ‎03-11-2010

Hi KS,

i think you missed parts of my initial query, the commands that you used would be perefctly fine if you had only one network object group defined in the configuration and if the ip was part of only that one group, i was looking for a command that would list all the object groups an object is part of.

I think this would be a handy feature to have in future releases of the ASA SW, is someone from the product development listening ?

Regards,

Shiva

markford2 · ‎05-31-2011

Maybe not for ASAs, but for routers/switches...

sh object-group | inc object|x.x.x.x

UST GLOBAL · ‎07-07-2011

Hi,

this is not possible through ASA CLI, but is possible through ASDM.

Configuration->Firewall->AccessRules->Addresses(in the right most conrner), screenshot attached for details

SPK

Erik Ingeberg · ‎07-07-2011

There is an even easier way to do this in ASDM. If you look at the screenshot posted by UST_GLOBAL, and right click on the content of one of the groups, you will be able to select "where used". This will show you a list of all the places this address is used.

UST GLOBAL · ‎07-07-2011

it was described under the impression that we know only the IP address details and not the object group name. Consider there is a large number of object-groups present if we give the IP address in the filter of the "Addresses" will give all the object-group

SPK

bradley.thornton · ‎08-23-2011

Maybe not exactly what you were looking for but this is as close as I was ever able to get w/o ASDM.

no names

sho run object-group network | i object-group|1.2.3.4

you'll get the object-group names and 1.2.3.4 is the IP address.

Brad

andy · ‎08-03-2015

BEST ANSWER.... thanks, this helped me out greatly.

Ruslan Moldaliev · ‎12-22-2016

encountered recently the same task - find object by its IP and I found simple and easy way:

#show running-config object network in-line | i x.x.x.x

and one can see name and IP address in one line

object network HOST-1 host 10.1.y.y
object network HOST-2 host 10.1.y.y
object network HOST-3 host 10.1.y.y

no need to use double grep