
Difference between these 2 object groups

Answered Question
Oct 29th, 2013

Hi Everyone,

Need to understand about the object-group network below.

When I run the command

sh run object-group id subnet

on fw1 it shows

network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0

Same command on firewall 2 shows

network-object object 10.0.0.0
network-object object 172.16.0.0
network-object object 192.168.0.0

Need to understand if the contents of both firewalls are the same?

Also, if I remove the config below from fw2

network-object object 10.0.0.0
network-object object 172.16.0.0
network-object object 192.168.0.0

and add the

network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0

which are the same as fw1, will it make any difference to fw2?

Regards

Mahesh

Overall Rating: 5 (2 ratings)
Correct Answer
Jouni Forss Tue, 10/29/2013 - 13:02

Hi again Mahesh,

The FW1 "object-group" defines the actual networks under it with the command "network-object".

The FW2 "object-group" defines the actual networks under it with the command "network-object object". The "object" refers to an "object network".

So on FW2 you would need to issue these commands:

show run object id 10.0.0.0
show run object id 172.16.0.0
show run object id 192.168.0.0

Then you will see the contents of the actual "object network" that are used UNDER the "object-group".

Their names do suggest that they would contain identical networks to the ones on FW1, but better be sure.

So it seems to me the only difference is how the same thing is configured.

FW1 has the networks directly configured under the "object-group", while FW2 uses "object network" to define the networks and then groups those "object network" under one "object-group".

Hope this clarifies things.

- Jouni

mahesh18 Tue, 10/29/2013 - 13:54

Hi Jouni,

On fw2 I did

sh run object id 10.0.0.0
object network 10.0.0.0
subnet 10.0.0.0 255.0.0.0

Seems this is the same as fw1.

As I am doing some cleanup work on the firewalls, if on fw2 I add
network-object 10.0.0.0 255.0.0.0 and then delete the network-object object 10.0.0.0, it should not cause any outage, right?

If I implemented the above, will it cause any issues in the ACLs where the above objects are used?

Regards

Mahesh

Correct Answer
Jouni Forss Tue, 10/29/2013 - 14:07

Hi,

Had not tested this myself before, so I configured this on my firewall:

object network TEST
subnet 10.10.10.0 255.255.255.0

object network TEST-2
subnet 10.10.20.0 255.255.255.0

object-group network TEST-GROUP
network-object object TEST
network-object object TEST-2
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0

access-list TEST extended permit ip object-group TEST-GROUP any

ASA(config)# sh access-list TEST
access-list TEST; 4 elements; name hash: 0xd37fdb2b
access-list TEST line 1 extended permit ip object-group TEST-GROUP any 0x47cc12eb
  access-list TEST line 1 extended permit ip 10.10.10.0 255.255.255.0 any (hitcnt=0) 0x365de33c
  access-list TEST line 1 extended permit ip 10.10.20.0 255.255.255.0 any (hitcnt=0) 0xc98d1b29
  access-list TEST line 1 extended permit ip 10.10.10.0 255.255.255.0 any (hitcnt=0) 0x365de33c
  access-list TEST line 1 extended permit ip 10.10.20.0 255.255.255.0 any (hitcnt=0) 0xc98d1b29

It would seem to work, even though it creates an ACL that has overlapping rules, but this is nothing new when you deal with "object-group" and ACLs.

I would imagine that as long as you are doing the changes under the same "object-group" then traffic should not be affected. The traffic that has already been allowed through the firewall will keep on going through the firewall, and naturally new connections should still match the ACL rule, since the same network should be in the ACL all the time if you first add the new lines and then remove the old.

I would imagine that this "object-group" is probably used in some "deny" statement in an ACL, since it lists all the private IP address ranges.

You can naturally browse through the configuration to see where this "object-group" is used with

show run | inc

- Jouni
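The two checks Jouni describes above, resolving every "network-object object" reference to the subnet of its "object network" so the two firewalls' groups can be compared, and ordering the cleanup so the group never loses a network while the ACL that uses it stays live, can both be scripted against saved "show run" output. The Python below is an added example written for this page; it is not Jouni's, Mahesh's or Cisco's code. The two sample configurations are constructed from the subnets quoted in the thread (on FW2 the object names merely look like addresses, which is what made the two outputs look different), the function names are my own, and the parser only understands the member forms seen in the thread plus "host" and nested "group-object" entries.

```python
import ipaddress
from collections import Counter

# Constructed sample configs (not copied from either firewall) using the thread's subnets:
# FW1 lists subnets directly, FW2 defines each as an "object network" and refers to it by name.
FW1_CONFIG = """
object-group network subnet
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
"""
FW2_CONFIG = """
object network 10.0.0.0
 subnet 10.0.0.0 255.0.0.0
object network 172.16.0.0
 subnet 172.16.0.0 255.240.0.0
object network 192.168.0.0
 subnet 192.168.0.0 255.255.0.0
object-group network subnet
 network-object object 10.0.0.0
 network-object object 172.16.0.0
 network-object object 192.168.0.0
"""

def parse_asa(config):
    """Parse "object network" / "object-group network" stanzas (subnet, host, object and
    group-object members). Returns (objects: name -> [IPv4Network], groups: name -> members)."""
    objects, groups, kind, name = {}, {}, None, None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["object", "network"]:
            kind, name = "object", t[2]
            objects.setdefault(name, [])
        elif t[:2] == ["object-group", "network"]:
            kind, name = "group", t[2]
            groups.setdefault(name, [])
        elif kind == "object" and t[0] in ("subnet", "host"):
            objects[name].append(ipaddress.IPv4Network((t[1], t[2]) if t[0] == "subnet" else t[1]))
        elif kind == "group" and t[0] == "network-object":
            if t[1] == "object":      # reference to an "object network" by name
                groups[name].append(("object", t[2]))
            elif t[1] == "host":
                groups[name].append(("net", ipaddress.IPv4Network(t[2])))
            else:                     # literal "network-object <net> <mask>"
                groups[name].append(("net", ipaddress.IPv4Network((t[1], t[2]))))
        elif kind == "group" and t[0] == "group-object":
            groups[name].append(("group", t[1]))
    return objects, groups

def expand_group(name, objects, groups):
    """Flatten a group (recursing into group-object members) into the ordered list of
    networks; duplicates are kept on purpose, since that is what the ASA compiles."""
    nets = []
    for kind, value in groups[name]:
        if kind == "net":
            nets.append(value)
        elif kind == "object":
            nets.extend(objects[value])
        else:
            nets.extend(expand_group(value, objects, groups))
    return nets

def compare_groups(config_a, config_b, name):
    """Expand the same-named group from two configs and report, as sorted CIDR strings,
    networks present on one side only and members listed more than once."""
    nets_a = expand_group(name, *parse_asa(config_a))
    nets_b = expand_group(name, *parse_asa(config_b))
    dups = lambda nets: sorted(str(n) for n, c in Counter(nets).items() if c > 1)
    return {"only_in_a": sorted(str(n) for n in set(nets_a) - set(nets_b)),
            "only_in_b": sorted(str(n) for n in set(nets_b) - set(nets_a)),
            "duplicates_a": dups(nets_a), "duplicates_b": dups(nets_b)}

def migrate_to_literals(config, name, add_first=True):
    """Replay the cleanup one command at a time (add literal lines, then remove the object
    references; reversed when add_first=False) and return the resolved set after each."""
    objects, groups = parse_asa(config)
    work = {**groups, name: list(groups[name])}   # work on a copy of the group
    refs = [m for m in groups[name] if m[0] == "object"]
    adds = [("net", n) for _, obj in refs for n in objects[obj]]
    removes = [("remove", r) for r in refs]
    snapshots = []
    for step in (adds + removes) if add_first else (removes + adds):
        if step[0] == "remove":
            work[name].remove(step[1])
        else:
            work[name].append(step)
        snapshots.append(frozenset(expand_group(name, objects, work)))
    return snapshots

def coverage_preserved(config, name, add_first=True):
    """True if no intermediate state of the migration drops a network."""
    original = frozenset(expand_group(name, *parse_asa(config)))
    return all(s == original for s in migrate_to_literals(config, name, add_first))

if __name__ == "__main__":
    print(compare_groups(FW1_CONFIG, FW2_CONFIG, "subnet"))
    print(coverage_preserved(FW2_CONFIG, "subnet"), coverage_preserved(FW2_CONFIG, "subnet", False))
```

Feed it the "show run object" and "show run object-group" output saved from each firewall: empty only_in_a and only_in_b lists mean the two groups resolve to the same networks regardless of how they were written, and the duplicates lists show the double entries that produce the "4 elements" ACL in the lab output above. coverage_preserved() with add_first=False returning False is the gap that a remove-before-add ordering would open during the maintenance window, which is why the literal lines go in first.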

mahesh18 Tue, 10/29/2013 - 14:22

Hi Jouni,

When I do this change, hope all should go fine.

I ran the command show run | inc and it shows the object group is used by some ACLs only.

So I will do this change in our maintenance window.

Regards

Mahesh
