10-31-2013 09:51 AM - edited 03-11-2019 07:58 PM
Hi Everyone,
Fw1 has say object group subnet1
Fw1#sh run object-group id subnet1
object-group network subnet1
group-object test
Then I did
Fw1#sh run object-group id test
object-group network test
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
**************************************************************
Fw2#sh run object-group id subnet1
object-group network subnet1
network-object 10.0.0.0 255.0.0.0
network-object 192.168.0.0 255.255.0.0
network-object 172.16.0.0 255.240.0.0
Also Fw2 has
sh run object-group id test
object-group network test
network-object object 10.0.0.0
network-object object 172.16.0.0
network-object object 192.168.0.0
My question is: if I add the config below to Fw2
sh run object-group id subnet1
object-group network subnet1
group-object test
and then delete the below config from fw2
Fw2#sh run object-group id subnet1
object-group network subnet1
network-object 10.0.0.0 255.0.0.0
network-object 192.168.0.0 255.255.0.0
network-object 172.16.0.0 255.240.0.0
Will it make any difference in running config of fw2?
Will it cause any outage?
Regards
Mahesh
10-31-2013 10:01 AM
Hi,
So if I understood you correctly then you have
If this is true then I guess this is a similar thing that you asked before.
You would have to have this already on FW2 or configure this on the FW2
object-group network test
network-object object 10.0.0.0
network-object object 172.16.0.0
network-object object 192.168.0.0
You would then add this "object-group" under the other "object-group"
object-group network subnet1
group-object test
And while under the "object-group network subnet1" configuration space you would remove the "network-object" configuration lines
no network-object 10.0.0.0 255.0.0.0
no network-object 192.168.0.0 255.255.0.0
no network-object 172.16.0.0 255.240.0.0
With that order you should have the same subnets/networks under the "object-group" all the time. You SHOULD NOT remove the "subnet1" object though; if it's in use in an ACL, I think the ASA won't even let you remove it.
Again, if these are used only for interface ACLs then I imagine these changes wouldn't cause a problem. If they were used for NAT then I am not so sure.
I personally am not a big fan of grouping objects under other objects. In the long run the configurations become hard to read.
- Jouni
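To check Jouni's "add the nested group first, then remove the flat entries" ordering without touching a firewall, the script below (an added example, not code from the thread or from Cisco) parses "sh run"-style object-group text, recursively expands group-object references, and compares the effective set of networks of subnet1 on Fw1 with Fw2 before, during and after the change. The config strings are constructed from the thread; the "object network" definitions behind Fw2's "network-object object 10.0.0.0" lines are not shown in the thread and are assumed here to be the same three subnets.

```python
import ipaddress

# Constructed from the thread: Fw1 defines subnet1 purely through the nested group "test".
FW1_CONFIG = """\
object-group network test
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network subnet1
 group-object test
"""

# Constructed for Fw2. ASSUMPTION: the "object network" definitions referenced by
# "network-object object <name>" are not in the thread; they are taken to be the same subnets.
FW2_BASE = """\
object network 10.0.0.0
 subnet 10.0.0.0 255.0.0.0
object network 172.16.0.0
 subnet 172.16.0.0 255.240.0.0
object network 192.168.0.0
 subnet 192.168.0.0 255.255.0.0
object-group network test
 network-object object 10.0.0.0
 network-object object 172.16.0.0
 network-object object 192.168.0.0
"""
FW2_BEFORE = FW2_BASE + """\
object-group network subnet1
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object 172.16.0.0 255.240.0.0
"""
# Step 1 of the migration: "group-object test" added, flat entries still present.
FW2_DURING = FW2_BEFORE + " group-object test\n"
# Step 2: the three "no network-object ..." lines applied, only the nested group remains.
FW2_AFTER = FW2_BASE + """\
object-group network subnet1
 group-object test
"""


def parse_asa_objects(config):
    """Return (objects, groups). objects: name -> list of ip_network;
    groups: name -> list of tokenised member lines (not yet expanded)."""
    objects, groups, current = {}, {}, None
    for raw in config.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0] == "!":
            continue
        if parts[:2] == ["object", "network"]:
            current = ("object", parts[2])
            objects.setdefault(parts[2], [])
        elif parts[:2] == ["object-group", "network"]:
            current = ("group", parts[2])
            groups.setdefault(parts[2], [])
        elif current is None:
            continue
        elif current[0] == "object":
            if parts[0] == "subnet":  # "subnet <addr> <mask>"
                objects[current[1]].append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
            elif parts[0] == "host":  # "host <addr>"
                objects[current[1]].append(ipaddress.ip_network(parts[1]))
        else:
            groups[current[1]].append(parts)
    return objects, groups


def flatten_group(name, objects, groups, _stack=()):
    """Expand an object-group (including nested group-object lines) to a set of ip_network.
    Raises ValueError on a reference loop, which the ASA itself would refuse to configure."""
    if name in _stack:
        raise ValueError(f"object-group loop: {' -> '.join(_stack + (name,))}")
    result = set()
    for parts in groups[name]:
        if parts[0] == "group-object":
            result |= flatten_group(parts[1], objects, groups, _stack + (name,))
        elif parts[0] == "network-object" and parts[1] == "object":
            result.update(objects[parts[2]])
        elif parts[0] == "network-object" and parts[1] == "host":
            result.add(ipaddress.ip_network(parts[2]))
        elif parts[0] == "network-object":  # "network-object <addr> <mask>"
            result.add(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
    return result


def effective_networks(config, group_name):
    """Effective membership of one object-group as the ASA would evaluate it in an ACL."""
    objects, groups = parse_asa_objects(config)
    return frozenset(flatten_group(group_name, objects, groups))


def membership_diff(config_a, config_b, group_name):
    """(added, removed) networks when going from config_a to config_b; both empty means no impact."""
    a, b = effective_networks(config_a, group_name), effective_networks(config_b, group_name)
    return b - a, a - b


if __name__ == "__main__":
    for label, cfg in (("Fw2 before", FW2_BEFORE), ("Fw2 during", FW2_DURING), ("Fw2 after", FW2_AFTER)):
        print(label, "vs Fw1:", membership_diff(FW1_CONFIG, cfg, "subnet1"))
```

Running it shows an empty (added, removed) pair at every step, which is the property Jouni's ordering relies on: as long as the nested group is added before the flat lines are removed, nothing that references subnet1 ever sees a smaller set. Feeding the script the real "sh run object-group" output of both firewalls before and after the change is a cheap way to confirm the same thing on production configs.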
10-31-2013 11:50 AM
Hi Jouni,
Yes you understood correctly.
It's always good to get advice from you.
Best regards
Mahesh