How to view & verify object-group

Answered Question
Apr 14th, 2010

If we run the show object-group command, it lists all the object-groups on the firewall.


Pix(config)# show object-group
object-group network dmz_servers
  description: The DMZ shared servers
  network-object host 192.168.2.3
  network-object host 192.168.2.4
  network-object host 192.168.2.5
object-group network Partners
  description: The dealer and supplier partners
  network-object host 172.16.21.119
  network-object 192.168.7.0 255.255.255.0
  network-object 192.168.12.0 255.255.253.0



Is there a specific command to show only one specific object-group?

For example, if I only want to see what is inside dmz_servers, which command should I use?



I’ve tried

show object-group dmz_servers

&

Show object-group network dmz_servers

But it didn’t work. Please advise. Thanks


Jennifer Halim Wed, 04/14/2010 - 02:31
User Badges:
  • Cisco Employee,

Unfortunately you won't be able to show just that particular object.


The closest you can do is to list that particular object on top of your show output as follows:


sh run object-group network | b Partners


Hope that helps.

CCL Network Ser... Thu, 06/25/2015 - 11:23

I wonder why this feature is not added, as it is becoming a nightmare to find the exact NAT statement for a particular IP, esp. when you have thousands of object statements. The CLI is becoming unmanageable.
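Added example, not code from anyone in this thread: a small Python parser for the show object-group / show run object-group output format quoted above, so a saved copy of the output can be searched offline for the network groups that cover a given address (the per-address lookup the CLI itself does not offer). The sample output is constructed from the excerpts posted here; nested object and group-object references are not expanded.

```python
import ipaddress
import re

# Constructed sample of show output, modelled on this thread's excerpts (not a real capture).
SAMPLE_OUTPUT = """\
object-group network dmz_servers
  description: The DMZ shared servers
  network-object host 192.168.2.3
  network-object host 192.168.2.4
object-group network Partners
  network-object host 172.16.21.119
  network-object 192.168.7.0 255.255.255.0
object-group service Port_ABC tcp
  port-object eq 2000
  port-object eq 2111
"""
HEADER = re.compile(r"^object-group\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")

def parse_object_groups(text):
    """Map group name -> {'type', 'protocol', 'members'} from show output."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            gtype, name, proto = m.groups()   # proto is only set for service groups
            current = {"type": gtype, "protocol": proto, "members": []}
            groups[name] = current
        elif line and current is not None and not line.startswith("description"):
            current["members"].append(line)
    return groups

def networks_in_group(group):
    """Expand network-object lines; 'host a.b.c.d' becomes a /32.
    A non-contiguous mask such as 255.255.253.0 makes ipaddress raise ValueError."""
    nets = []
    for member in group["members"]:
        parts = member.split()
        if parts[0] != "network-object":
            continue  # port-object, object and group-object lines are skipped
        spec = parts[2] if parts[1] == "host" else f"{parts[1]}/{parts[2]}"
        nets.append(ipaddress.ip_network(spec, strict=False))
    return nets

def groups_containing(groups, ip):
    """Names of network object-groups whose members cover the given IP."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, g in groups.items()
                  if g["type"] == "network"
                  and any(addr in net for net in networks_in_group(g)))
```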

Panos Kampanakis Wed, 04/14/2010 - 16:03
User Badges:
  • Cisco Employee,

You can do it using


show object-group network id dmz_servers


I hope it helps.


PK

Adam David Wed, 04/14/2010 - 19:09

Thanks halijenn & pkampana for your reply. I forgot that ASA & PIX differ a little bit in their commands.


Btw, this is the correct command to view specific group in both ASA & PIX


# ASA
sh run object-group id dmz_servers


# PIX
show object-group id dmz_servers

Adam David Sun, 10/17/2010 - 02:59

Hi all,


The command above can be used to verify an object-group in ASA. But it won’t work against the object-group for service as below. Any advice in this matter would be highly appreciated.


The command below failed.

ASA5510# sh run object-group service Port_ABC
                                        ^
ERROR: % Invalid input detected at '^' marker.


This object-group actually exists on the firewall:

object-group service Port_ABC tcp
 port-object eq 2000
 port-object eq 2111
 port-object eq 2222


ASA5510# sh run object-group ?
  icmp-type  Show 'icmp-type' type of object group(s)
  id         Show specific object group
  network    Show 'network' type of object group(s)
  protocol   Show 'protocol' type of object group(s)
  service    Show 'service' type of object group(s)
  |          Output modifiers

ASA5510# sh run object-group service ?
  |  Output modifiers

Correct Answer
Kureli Sankar Sun, 10/17/2010 - 06:10
User Badges:
  • Cisco Employee,

You need to issue either


sh run object-group service

or

sh run object-group id Port_ABC -------> watch the "id" keyword


-KS

Adam David Sun, 10/17/2010 - 06:16

Thanks again Kusankar for your help. How could I miss "id" there? No wonder it never worked.

yenaungoo Wed, 11/13/2013 - 19:10

Hi, can anyone suggest how many IP addresses can be configured under an object-group network? (ASA 5550 ver 8.2)


My customer wants to configure 6000 IPs under an object-group and add the deny rule for this group.


Thanks ahead,
