Community Member

Difference between these 2 object groups

Hi Everyone,

I need to understand the object-group network below.

When I run the command    sh run object-group id subnet

on fw1 it shows

network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0

The same command on firewall 2 shows

network-object object 10.0.0.0
network-object object 172.16.0.0
network-object object 192.168.0.0

I need to understand whether the contents of both firewalls are the same.

Also, if I remove the config below from fw2

network-object object 10.0.0.0
network-object object 172.16.0.0
network-object object 192.168.0.0

and add

network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0

which are the same as on fw1, will it make any difference to fw2?

Regards

Mahesh


4 REPLIES
Super Bronze

Difference between these 2 object groups

Hi again Mahesh,

The FW1 "object-group" defines the actual networks under it with the command "network-object".

The FW2 "object-group" defines the actual networks under it with the command "network-object object". The "object" refers to an "object network".

So on FW2 you would need to issue these commands:

show run object id 10.0.0.0
show run object id 172.16.0.0
show run object id 192.168.0.0

Then you will see the contents of the actual "object network" entries that are used UNDER the "object-group".

Their names do suggest that they would contain identical networks to the ones on FW1, but better be sure.

So it seems to me the only difference is how the same thing is configured.

FW1 has networks directly configured under "object-group", while FW2 uses "object network" to define the networks and then groups those "object network" entries under one "object-group".

Hope this clarifies things

- Jouni

Community Member

Difference between these 2 object groups

Hi Jouni,

On fw2 I did

sh run object id 10.0.0.0

object network 10.0.0.0
subnet 10.0.0.0 255.0.0.0

Seems this is the same as fw1.

As I am doing some cleanup work on the firewalls: if on fw2 I add

network-object 10.0.0.0 255.0.0.0  and then delete the  network-object object 10.0.0.0, it should not cause any outage, right?

If I implement the above, will it cause any issues in the ACLs where the above objects are used?

Regards

Mahesh

Super Bronze

Difference between these 2 object groups

Hi,

I had not tested this myself before, so I configured this on my firewall:

object network TEST
subnet 10.10.10.0 255.255.255.0

object network TEST-2
subnet 10.10.20.0 255.255.255.0

object-group network TEST-GROUP
network-object object TEST
network-object object TEST-2
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0

access-list TEST extended permit ip object-group TEST-GROUP any

ASA(config)# sh access-list TEST
access-list TEST; 4 elements; name hash: 0xd37fdb2b
access-list TEST line 1 extended permit ip object-group TEST-GROUP any 0x47cc12eb
  access-list TEST line 1 extended permit ip 10.10.10.0 255.255.255.0 any (hitcnt=0) 0x365de33c
  access-list TEST line 1 extended permit ip 10.10.20.0 255.255.255.0 any (hitcnt=0) 0xc98d1b29
  access-list TEST line 1 extended permit ip 10.10.10.0 255.255.255.0 any (hitcnt=0) 0x365de33c
  access-list TEST line 1 extended permit ip 10.10.20.0 255.255.255.0 any (hitcnt=0) 0xc98d1b29

It would seem to work even though it creates an ACL that has overlapping rules, but this is nothing new when you deal with "object-group" and ACLs.

I would imagine that as long as you are doing the changes under the same "object-group", then traffic should not be affected. The traffic that has already been allowed through the firewall will keep on going through the firewall, and naturally new connections should still match the ACL rule, since the same network should be in the ACL all the time, as long as you first add the new lines and then remove the old.

I would imagine that this "object-group" is probably used in some "deny" statement in an ACL, since it lists all the private IP address ranges.

You can naturally browse through the configuration to see where this "object-group" is used with

show run | inc

- Jouni
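The two questions in this thread, whether the group on FW2 resolves to the same networks as the group on FW1 and whether the add-then-remove order keeps the group's coverage unchanged at every step, can both be checked offline against saved `show run` output. The script below is an added example written for this thread; it is not Jouni's test, not Mahesh's configuration and not a Cisco tool. It assumes the group is named `subnet` as in the original question, and the FW2 config is constructed: only `object network 10.0.0.0` was shown on the page, so the `172.16.0.0` and `192.168.0.0` objects are assumed to be defined the same way. Only `subnet` objects, direct `network-object A M` lines and `network-object object NAME` references are parsed; `host` and nested `group-object` members are out of scope here.

```python
"""Resolve ASA 'object-group network' members to concrete subnets so two
firewalls can be compared, and verify that the add-then-remove migration
keeps the group's coverage constant after every command."""
import ipaddress
import re

# Constructed sample configs in 'show run' style (sub-commands indented one space).
# FW1 lines are taken from the thread; on FW2 only the 10.0.0.0 object was shown,
# the other two object definitions are assumed.
FW1_CONFIG = """\
object-group network subnet
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
"""

FW2_CONFIG = """\
object network 10.0.0.0
 subnet 10.0.0.0 255.0.0.0
object network 172.16.0.0
 subnet 172.16.0.0 255.240.0.0
object network 192.168.0.0
 subnet 192.168.0.0 255.255.0.0
object-group network subnet
 network-object object 10.0.0.0
 network-object object 172.16.0.0
 network-object object 192.168.0.0
"""


def parse_asa_objects(config_text):
    """Return (objects, groups): objects maps an 'object network' name to its
    subnet; groups maps a group name to ordered ("net", network) or
    ("object", name) members."""
    objects, groups = {}, {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"object network (\S+)$", line):
            current = ("object", m[1])
            continue
        if m := re.match(r"object-group network (\S+)$", line):
            current = ("group", m[1])
            groups[m[1]] = []
            continue
        if not raw.startswith(" ") or current is None:
            current = None          # any other top-level command ends the sub-mode
            continue
        kind, name = current
        if kind == "object":
            if m := re.match(r"subnet (\S+) (\S+)$", line):
                objects[name] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"network-object object (\S+)$", line):
            groups[name].append(("object", m[1]))
        elif m := re.match(r"network-object (\S+) (\S+)$", line):
            groups[name].append(("net", ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)))
    return objects, groups


def resolve_group(name, objects, groups):
    """Expand a group to the set of networks it covers, following object references."""
    nets = set()
    for kind, ref in groups[name]:
        if kind == "net":
            nets.add(ref)
        elif ref in objects:
            nets.add(objects[ref])
        else:
            raise KeyError(f"object network {ref} referenced by {name} but not defined")
    return nets


def groups_equivalent(config_a, config_b, group_name):
    """True when the named group resolves to the same networks on both firewalls."""
    oa, ga = parse_asa_objects(config_a)
    ob, gb = parse_asa_objects(config_b)
    return resolve_group(group_name, oa, ga) == resolve_group(group_name, ob, gb)


def migration_commands(config_text, group_name):
    """Build the add-then-remove command sequence and re-resolve the group after
    each command; raises ValueError if coverage ever differs from the start."""
    objects, groups = parse_asa_objects(config_text)
    target = resolve_group(group_name, objects, groups)
    members = groups[group_name]
    refs = [ref for kind, ref in members if kind == "object"]
    commands = [f"object-group network {group_name}"]
    for ref in refs:                  # step 1: add the equivalent direct lines
        net = objects[ref]
        members.append(("net", net))
        commands.append(f" network-object {net.network_address} {net.netmask}")
        if resolve_group(group_name, objects, groups) != target:
            raise ValueError(f"coverage changed after: {commands[-1]}")
    for ref in refs:                  # step 2: only now drop the object references
        members.remove(("object", ref))
        commands.append(f" no network-object object {ref}")
        if resolve_group(group_name, objects, groups) != target:
            raise ValueError(f"coverage changed after: {commands[-1]}")
    return commands


def transient_gap_if_removed_first(config_text, group_name):
    """Networks the group would stop covering (until re-added) if the object
    references were removed before the direct lines were added: the order to avoid."""
    objects, groups = parse_asa_objects(config_text)
    before = resolve_group(group_name, objects, groups)
    groups[group_name] = [m for m in groups[group_name] if m[0] != "object"]
    return sorted(str(n) for n in before - resolve_group(group_name, objects, groups))
```

Run `groups_equivalent(FW1_CONFIG, FW2_CONFIG, "subnet")` against the two captured configs to answer the first question; `migration_commands(FW2_CONFIG, "subnet")` prints the exact command order that never leaves the group short of a network, and `transient_gap_if_removed_first` shows what would be uncovered (and, where the group feeds a deny ACE, what would briefly be permitted) if the reference lines were removed first.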

Community Member

Difference between these 2 object groups

Hi Jouni,

When I do this change, I hope all will go fine.

I ran the command  show run | inc   and it shows the object group is used by some ACLs only.

So I will do this change in our maintenance window.

Regards

Mahesh
