How to view & verify object-group

Answered Question
Apr 14th, 2010


If we run the show object-group command, it lists all the object-groups on the firewall.

Pix(config)# show object-group
object-group network dmz_servers
  description: The DMZ shared servers
  network-object host 192.168.2.3
  network-object host 192.168.2.4
  network-object host 192.168.2.5
object-group network Partners
  description: The dealer and supplier partners
  network-object host 172.16.21.119
  network-object 192.168.7.0 255.255.255.0
  network-object 192.168.12.0 255.255.253.0

Is there a specific command to show only a specific object-group?

For example, if I only want to get what is inside dmz_servers, which command should I use?


I've tried

show object-group dmz_servers

and

show object-group network dmz_servers

but neither worked. Please advise. Thanks.

Jennifer Halim Wed, 04/14/2010 - 02:31

Unfortunately you won't be able to show just that particular object.

The closest you can do is to list that particular object on top of your show output as follows:

sh run object-group network | b Partners

Hope that helps.

CCL Network Ser... Thu, 06/25/2015 - 11:23

I wonder why this feature is not added, as it is becoming a nightmare to find the exact NAT statement for particular IPs, especially when you have thousands of object statements. The CLI is becoming unmanageable.

Adam David Wed, 04/14/2010 - 19:09

Thanks halijenn & pkampana for your reply. I forgot that ASA & PIX differ a little bit in their commands.

Btw, this is the correct command to view specific group in both ASA & PIX

# ASA
sh run object-group id dmz_servers

# PIX
show object-group id dmz_servers

Adam David Sun, 10/17/2010 - 02:59

Hi all,

The command above can be used to verify an object-group on the ASA. But it won't work against a service object-group, as shown below. Any advice in this matter would be highly appreciated.

The command below failed.

ASA5510# sh run object-group service Port_ABC
                                        ^
ERROR: % Invalid input detected at '^' marker.

This object-group actually exists on the firewall:

object-group service Port_ABC tcp
port-object eq 2000
port-object eq 2111
port-object eq 2222

ASA5510# sh run object-group ?

  icmp-type  Show 'icmp-type' type of object group(s)
  id         Show specific object group
  network    Show 'network' type of object group(s)
  protocol   Show 'protocol' type of object group(s)
  service    Show 'service' type of object group(s)
  |          Output modifiers

ASA5510# sh run object-group service ?

  |  Output modifiers

Correct Answer
Kureli Sankar Sun, 10/17/2010 - 06:10

You need to issue either

sh run object-group service

or

sh run object-group id Port_ABC -------> watch the "id" keyword

-KS
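The accepted answer above shows that one group is displayed with `show run object-group id <name>`, and a later comment in this thread asks how to find which of thousands of objects holds a given IP. The following is an added example, not code from the original thread or from Cisco: a small Python parser for the text that `show running-config object-group` (and `show object-group`) prints, which extracts a single group by id and searches every network group for the one whose member covers an address. The sample input is constructed here in that format using the group names and addresses quoted in the thread; the function names are the example's own. One caveat it handles: 255.255.253.0, as quoted in the original question, is not a contiguous netmask (its third octet is 11111101), so the parser records such lines as invalid rather than guessing a prefix length.

```python
import ipaddress
from collections import OrderedDict

# Constructed sample in the `show running-config object-group` text format
# (group names and addresses taken from the thread; not a real capture).
SAMPLE_OUTPUT = """\
object-group network dmz_servers
 description The DMZ shared servers
 network-object host 192.168.2.3
 network-object host 192.168.2.4
 network-object host 192.168.2.5
object-group network Partners
 description The dealer and supplier partners
 network-object host 172.16.21.119
 network-object 192.168.7.0 255.255.255.0
 network-object 192.168.12.0 255.255.253.0
object-group service Port_ABC tcp
 port-object eq 2000
 port-object eq 2111
 port-object eq 2222
"""


def parse_object_groups(text):
    """Parse object-group blocks into an ordered dict keyed by group id.

    Each value has: type ("network", "service", ...), proto ("tcp" on a
    service group like Port_ABC, else None), description, members
    (ipaddress networks for network-object lines, raw strings for everything
    else) and invalid (network-object lines whose mask is not contiguous).
    Both "description foo" (show run) and "description: foo" (show
    object-group) are accepted.
    """
    groups = OrderedDict()
    current = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        key = parts[0].rstrip(":")
        if key == "object-group":
            # object-group <type> <id> [<protocol>]
            current = {
                "type": parts[1],
                "proto": parts[3] if len(parts) > 3 else None,
                "description": None,
                "members": [],
                "invalid": [],
            }
            groups[parts[2]] = current
        elif current is None:
            continue  # prompt or banner text before the first group header
        elif key == "description":
            current["description"] = " ".join(parts[1:])
        elif key == "network-object" and len(parts) == 3 and parts[1] != "object":
            # "network-object host A.B.C.D" or "network-object NET MASK";
            # "network-object object NAME" and IPv6 forms fall through verbatim.
            spec = parts[2] if parts[1] == "host" else f"{parts[1]}/{parts[2]}"
            try:
                current["members"].append(ipaddress.ip_network(spec, strict=False))
            except ValueError:
                # e.g. a non-contiguous mask such as 255.255.253.0
                line = " ".join(parts)
                current["members"].append(line)
                current["invalid"].append(line)
        else:
            # port-object, service-object, group-object, ...: keep verbatim
            current["members"].append(" ".join(parts))
    return groups


def group_text(groups, gid):
    """Reassemble one group's block, the way `show run object-group id <gid>`
    prints it, so a single group can be pulled from a saved full listing."""
    g = groups[gid]
    header = f"object-group {g['type']} {gid}"
    if g["proto"]:
        header += f" {g['proto']}"
    lines = [header]
    if g["description"]:
        lines.append(f" description {g['description']}")
    for m in g["members"]:
        if isinstance(m, str):
            lines.append(f" {m}")
        elif m.prefixlen == m.max_prefixlen:
            lines.append(f" network-object host {m.network_address}")
        else:
            lines.append(f" network-object {m.network_address} {m.netmask}")
    return "\n".join(lines)


def find_groups_containing(groups, address):
    """Ids of network groups with a member covering `address`: the
    'which object holds this IP?' question raised later in the thread."""
    ip = ipaddress.ip_address(address)
    hits = []
    for gid, g in groups.items():
        if g["type"] != "network":
            continue
        nets = [m for m in g["members"] if not isinstance(m, str)]
        if any(ip in n for n in nets):
            hits.append(gid)
    return hits


if __name__ == "__main__":
    groups = parse_object_groups(SAMPLE_OUTPUT)
    print(group_text(groups, "dmz_servers"))
    print("192.168.7.25 is in:", find_groups_containing(groups, "192.168.7.25"))
    for gid, g in groups.items():
        for bad in g["invalid"]:
            print(f"{gid}: unparseable member: {bad}")
```

To use it against a real firewall, save the output of `show running-config object-group` to a file and feed that text to parse_object_groups instead of the constructed sample; the search covers only network groups, so an address that is referenced indirectly through a group-object line is not resolved by this example.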

Adam David Sun, 10/17/2010 - 06:16

Thanks again Kusankar for your help. How could I miss the "id" there? No wonder it never worked.

yenaungoo Wed, 11/13/2013 - 19:10

Hi, can anyone suggest how many IP addresses can be configured under a network object-group? (ASA 5550 ver 8.2)

My customer wants to configure 6000 IPs under an object-group and add a deny rule for this group.

Thanks in advance,
