Deleting Group object in ASA

Oct 31st, 2013

Hi Everyone,


Fw1 has, say, object-group subnet1:

Fw1#sh run object-group id subnet1
object-group network subnet1
 group-object test

Then I did:

Fw1#sh run object-group id test
object-group network test
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0


**************************************************************

Fw2#sh run object-group id subnet1
object-group network subnet1
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object 172.16.0.0 255.240.0.0

Also Fw2 has:

Fw2#sh run object-group id test
object-group network test
 network-object object 10.0.0.0
 network-object object 172.16.0.0
 network-object object 192.168.0.0


My question is: if I add the config below to Fw2

Fw2#sh run object-group id subnet1
object-group network subnet1
 group-object test

and then delete the config below from Fw2

Fw2#sh run object-group id subnet1
object-group network subnet1
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object 172.16.0.0 255.240.0.0

will it make any difference to the running config of Fw2?

Will it cause any outage?


Regards


Mahesh

Correct Answer by Jouni Forss, Thu, 10/31/2013 - 10:01

Hi,


So if I understood you correctly then you have

  • FW1 with an "object-group" configured that contains inside it another "object-group"
  • FW2 with an "object-group" with 3 "network-object" statements which you want to remove and replace with a similar "object-group" as in FW1

If this is true then I guess this is a similar thing that you asked before.


You would have to have this already on FW2 or configure this on the FW2:

object-group network test
 network-object object 10.0.0.0
 network-object object 172.16.0.0
 network-object object 192.168.0.0

You would then add this "object-group" under the other "object-group":

object-group network subnet1
 group-object test

And while under the "object-group network subnet1" configuration space you would remove the "network-object" configuration lines:

no network-object 10.0.0.0 255.0.0.0
no network-object 192.168.0.0 255.255.0.0
no network-object 172.16.0.0 255.240.0.0


With that order you should have the same subnets/networks under the "object-group" all the time. You SHOULD NOT remove the "subnet1" object though if it's in use in an ACL; I think the ASA won't even let you remove it.

Again, if these are used only for interface ACLs then I imagine these changes wouldn't cause a problem. If they would be used for NAT then I am not so sure.


I personally am not a big fan of grouping objects under other objects. In the long run the configurations become hard to read.


- Jouni
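The ordering point above can be checked before touching a firewall. The script below is an added example written for this thread, not code from the thread or from Cisco: it parses ASA-style "object network" / "object-group network" lines into flat sets of prefixes (following nested group-object references the way the ASA resolves them) and records, after each CLI line applied under "object-group network subnet1", whether the effective membership still equals the starting membership. The thread never shows the definitions of the named objects behind "network-object object 10.0.0.0" and friends, so those objects are constructed here and assumed to carry the matching subnets. The same parser also handles "host" entries, which the thread does not use.

```python
"""Simulate ASA object-group membership across a change, step by step."""
import ipaddress
from typing import Dict, List, Set

# Constructed sample: named objects assumed to back the "network-object object"
# lines in the thread (their definitions are not shown there).
OBJECTS = """
object network 10.0.0.0
 subnet 10.0.0.0 255.0.0.0
object network 172.16.0.0
 subnet 172.16.0.0 255.240.0.0
object network 192.168.0.0
 subnet 192.168.0.0 255.255.0.0
"""

# FW2 as described in the question, before any change.
FW2_BEFORE = OBJECTS + """
object-group network test
 network-object object 10.0.0.0
 network-object object 172.16.0.0
 network-object object 192.168.0.0
object-group network subnet1
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object 172.16.0.0 255.240.0.0
"""

# The order recommended in the answer: add the nested group first, then
# remove the individual entries.
RECOMMENDED_ORDER = [
    "group-object test",
    "no network-object 10.0.0.0 255.0.0.0",
    "no network-object 192.168.0.0 255.255.0.0",
    "no network-object 172.16.0.0 255.240.0.0",
]
# The reverse: remove first, add the group last (leaves a window where
# subnet1 is empty, so an ACL permitting it would match nothing).
REVERSE_ORDER = RECOMMENDED_ORDER[1:] + RECOMMENDED_ORDER[:1]


def parse(config: str):
    """Split config into {object name: lines} and {group name: lines}."""
    objects: Dict[str, List[str]] = {}
    groups: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["object", "network"]:
            current = objects.setdefault(parts[2], [])
        elif parts[:2] == ["object-group", "network"]:
            current = groups.setdefault(parts[2], [])
        elif current is not None:
            current.append(" ".join(parts))  # normalise indentation
    return objects, groups


def resolve_object(name: str, objects) -> Set[ipaddress.IPv4Network]:
    """Flatten one 'object network' into its prefixes (subnet or host)."""
    nets = set()
    for line in objects[name]:
        p = line.split()
        if p[0] == "subnet":
            nets.add(ipaddress.ip_network(f"{p[1]}/{p[2]}"))
        elif p[0] == "host":
            nets.add(ipaddress.ip_network(f"{p[1]}/32"))
    return nets


def resolve_group(name: str, objects, groups, seen=frozenset()):
    """Flatten an object-group, recursing into group-object references."""
    if name in seen:
        raise ValueError(f"object-group loop at {name}")
    seen = seen | {name}
    nets: Set[ipaddress.IPv4Network] = set()
    for line in groups[name]:
        p = line.split()
        if p[0] == "group-object":
            nets |= resolve_group(p[1], objects, groups, seen)
        elif p[0] == "network-object" and p[1] == "object":
            nets |= resolve_object(p[2], objects)
        elif p[0] == "network-object" and p[1] == "host":
            nets.add(ipaddress.ip_network(f"{p[2]}/32"))
        elif p[0] == "network-object":
            nets.add(ipaddress.ip_network(f"{p[1]}/{p[2]}"))
    return nets


def effective(config: str, group: str) -> List[str]:
    """Sorted list of prefixes an object-group currently expands to."""
    objects, groups = parse(config)
    return sorted(str(n) for n in resolve_group(group, objects, groups))


def simulate(order: List[str], group: str = "subnet1") -> List[bool]:
    """Apply CLI lines one at a time under the group; True while membership
    still equals the starting membership, False during any gap."""
    objects, groups = parse(FW2_BEFORE)
    baseline = resolve_group(group, objects, groups)
    unchanged = []
    for line in order:
        if line.startswith("no "):
            groups[group].remove(line[3:])
        else:
            groups[group].append(line)
        unchanged.append(resolve_group(group, objects, groups) == baseline)
    return unchanged


if __name__ == "__main__":
    print("before:", effective(FW2_BEFORE, "subnet1"))
    print("recommended order:", simulate(RECOMMENDED_ORDER))
    print("reverse order:    ", simulate(REVERSE_ORDER))
```

Running it shows the recommended order keeps the expansion identical after every step, whereas the reverse order yields three steps in which subnet1 is missing networks (the last of them empty). That transient gap is the outage risk when the group is referenced by an ACL; the final running configuration is the same in both cases.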

mahesh18 Thu, 10/31/2013 - 11:50

Hi Jouni,


Yes you understood correctly.

It's always good to get advice from you.


Best regards

Mahesh
