Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2646
Views
0
Helpful
2
Replies

Deleting Group object in ASA

Go to solution
mahesh18
Level 6
Level 6

‎10-31-2013 09:51 AM - edited ‎03-11-2019 07:58 PM

Hi Everyone,

Fw1  has say object group subnet1

Fw1#sh run object-group id  subnet1

object-group network subnet1

group-object test

then i did

Fw1#sh run object-group id test

object-group network test

network-object 10.0.0.0 255.0.0.0

network-object 172.16.0.0 255.240.0.0

network-object 192.168.0.0 255.255.0.0

**************************************************************

Fw2#sh run object-group id subnet1

object-group network subnet1

network-object 10.0.0.0 255.0.0.0

network-object 192.168.0.0 255.255.0.0

network-object 172.16.0.0 255.240.0.0

Also Fw2 has

sh run object-group id test

object-group network test

network-object object 10.0.0.0

network-object object 172.16.0.0

network-object object 192.168.0.0

My question is if i add the  config below   to Fw2 

sh run object-group id subnet1

object-group network subnet1

group-object test

and then delete the below config from fw2

Fw2#sh run object-group id subnet1

object-group network subnet1

network-object 10.0.0.0 255.0.0.0

network-object 192.168.0.0 255.255.0.0

network-object 172.16.0.0 255.240.0.0

Will it make any difference in running config of fw2?

will it cause any outage?

Regards

Mahesh

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎10-31-2013 10:01 AM

Hi,

So if I understood you correctly then you have

  • FW1 with an "object-group" configured that contains inside it another "object-group"
  • FW2 with an "object-group" with 3 "network-object" statements which you want to remove and replace with a similiar "object-group" as in FW1

If this is true then I guess this is a similiar thing that you asked before.

You would have to have this already on FW2 or configure this on the FW2

object-group network test

network-object object 10.0.0.0

network-object object 172.16.0.0

network-object object 192.168.0.0

You would then add this "object-group" under the other "object-group"

object-group network subnet1

group-object test

And while under the "object-group network subnet1" configuration space you would remove the "network-object" configuration lines

no network-object 10.0.0.0 255.0.0.0

no network-object 192.168.0.0 255.255.0.0

no network-object 172.16.0.0 255.240.0.0

With that order you should have the same subnets/networks under the "object-group" all the time. You SHOULD NOT remove the "subnet1" object though if its in use in an ACL I think the ASA wont even let you remove it.

Again if these are used only for interface ACLs then I imagine these changes wouldnt cause a problem. If they would be used for NAT then I am not so sure.

I personally am not a big fan of grouping objects under other objects. In the long run the configurations become hard to read.

- Jouni

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎10-31-2013 10:01 AM

Hi,

So if I understood you correctly then you have

  • FW1 with an "object-group" configured that contains inside it another "object-group"
  • FW2 with an "object-group" with 3 "network-object" statements which you want to remove and replace with a similiar "object-group" as in FW1

If this is true then I guess this is a similiar thing that you asked before.

You would have to have this already on FW2 or configure this on the FW2

object-group network test

network-object object 10.0.0.0

network-object object 172.16.0.0

network-object object 192.168.0.0

You would then add this "object-group" under the other "object-group"

object-group network subnet1

group-object test

And while under the "object-group network subnet1" configuration space you would remove the "network-object" configuration lines

no network-object 10.0.0.0 255.0.0.0

no network-object 192.168.0.0 255.255.0.0

no network-object 172.16.0.0 255.240.0.0

With that order you should have the same subnets/networks under the "object-group" all the time. You SHOULD NOT remove the "subnet1" object though if its in use in an ACL I think the ASA wont even let you remove it.

Again if these are used only for interface ACLs then I imagine these changes wouldnt cause a problem. If they would be used for NAT then I am not so sure.

I personally am not a big fan of grouping objects under other objects. In the long run the configurations become hard to read.

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎10-31-2013 11:50 AM

Hi Jouni,

Yes you understood correctly.

Its always good to get advice from you.

Best regards

MAhesh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card