How to view & verify object-group

Adam David
Level 1

If we run the show object-group command, it lists all the object-groups on the firewall.

Pix(config)# show object-group

object-group network dmz_servers

  description: The DMZ shared servers

  network-object host 192.168.2.3

  network-object host 192.168.2.4

  network-object host 192.168.2.5

object-group network Partners

  description: The dealer and supplier partners

  network-object host 172.16.21.119

  network-object 192.168.7.0 255.255.255.0

  network-object 192.168.12.0 255.255.253.0

Is there a specific command to show only a specific object-group?

For example, if I only want to get what is inside dmz_servers, which command should I use?

I’ve tried

show object-group dmz_servers

&

Show object-group network dmz_servers

But they didn't work. Please advise. Thanks


Jennifer Halim
Cisco Employee

Unfortunately you won't be able to show just that particular object.

The closest you can do is to list that particular object on top of your show output as follows:

sh run object-group network | b Partners

Hope that helps.

I wonder why this feature is not added, as it is becoming a nightmare to find the exact NAT statement for a particular IP, esp. when you have thousands of object statements. CLI is becoming unmanageable.

Panos Kampanakis
Cisco Employee

You can do it using

show object-group network id dmz_servers

I hope it helps.

PK

Thanks halijenn & pkampana for your reply. I forgot that ASA & PIX differ a little bit in their commands.

Btw, this is the correct command to view specific group in both ASA & PIX

# ASA
sh run object-group id dmz_servers

# PIX
show object-group id dmz_servers
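As an added example (not code from any poster in this thread), a small Python script that parses saved `show object-group` / `show run object-group` output and answers both questions raised here: the members of one named group, and which network groups contain a given address, which is the lookup the reply above complains is painful with thousands of objects. The sample text below is constructed from the output quoted earlier in the thread.

```python
import ipaddress
import re

# Constructed sample, modelled on the output quoted in this thread.
SAMPLE = """\
object-group network dmz_servers
  description: The DMZ shared servers
  network-object host 192.168.2.3
  network-object host 192.168.2.4
  network-object host 192.168.2.5
object-group network Partners
  description: The dealer and supplier partners
  network-object host 172.16.21.119
  network-object 192.168.7.0 255.255.255.0
object-group service Port_ABC tcp
  port-object eq 2000
  port-object eq 2111
"""

def parse_object_groups(text):
    """Return {name: {"type": ..., "members": [...]}} from show output.
    Network members become ip_network objects; service members are ints.
    A non-contiguous mask (e.g. 255.255.253.0) makes ip_network raise ValueError."""
    groups, current = {}, None
    for line in text.splitlines():
        m = re.match(r"object-group (\S+) (\S+)", line)
        if m:  # header line starts a new group
            current = {"type": m.group(1), "members": []}
            groups[m.group(2)] = current
            continue
        s = line.strip()
        if current is None or not s or s.startswith("description"):
            continue
        if s.startswith("network-object host "):
            current["members"].append(ipaddress.ip_network(s.split()[-1]))
        elif s.startswith("network-object "):
            _, net, mask = s.split()
            current["members"].append(ipaddress.ip_network(f"{net}/{mask}"))
        elif s.startswith("port-object eq "):
            current["members"].append(int(s.split()[-1]))
    return groups

def show_group(groups, name):
    """Equivalent of 'show run object-group id <name>': members or None."""
    return groups[name]["members"] if name in groups else None

def groups_containing(groups, ip):
    """Names of network groups whose members cover the given address."""
    addr = ipaddress.ip_address(ip)
    return sorted(n for n, g in groups.items() if g["type"] == "network"
                  and any(addr in m for m in g["members"]))
```

Feed it the text of `show run object-group` captured from the firewall instead of SAMPLE to audit a real configuration offline.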

Hi all,

The command above can be used to verify object-groups in ASA. But it won't work against an object-group for service, as below. Any advice in this matter would be highly appreciated.

The command below failed.

ASA5510# sh run object-group service Port_ABC
                                        ^
ERROR: % Invalid input detected at '^' marker.

This object-group actually exists on the firewall

object-group service Port_ABC tcp
port-object eq 2000
port-object eq 2111
port-object eq 2222

ASA5510# sh run object-group ?

  icmp-type  Show 'icmp-type' type of object group(s)
  id         Show specific object group
  network    Show 'network' type of object group(s)
  protocol   Show 'protocol' type of object group(s)
  service    Show 'service' type of object group(s)
  |          Output modifiers

ASA5510# sh run object-group service ?

  |  Output modifiers

You need to issue either

sh run object-group service

or

sh run object-group id Port_ABC -------> watch the "id" keyword

-KS

Thanks again Kusankar for your help. How could I miss "id" there. No wonder it never worked.

Thanks

yenaungoo
Level 1

Hi, can anyone suggest how many IP addresses can be configured under an object-group network? (ASA 5550 ver 8.2)

My customer wants to configure 6000 IPs under an object-group and add a deny rule for this group.

Thanks ahead,
