New Member

Finding what object groups an ip address belongs to ?

How can I find the object-group or object-groups an IP address belongs to/is part of in an ASA running conf?

E.g. sh run | i ip address or sh run object-group | i <ip add> gives me the below output:

network-object <ip add>

network-object <ip add>

network-object <ip add>

Is there a command option that lists the IP address along with the object-group names that it belongs to? As of now I have to look through the output of "sh run object-group net" manually or save the running config to a text file and use the find function.

Regards,

Shiva

16 REPLIES

Re: Finding what object groups an ip address belongs to ?

Hi,

You can do the command:
sh run | i x.x.x.x

This will show all parts of the configuration where the x.x.x.x IP belongs to.
For instance, if x.x.x.x is part of a static command, an ACL, an object-group, etc., it will prompt at the output of that command.

If you're using names, you can disable that temporarily with the "no names" command.

Let me know if this does not help, because you're mentioning this command already.

Federico.

New Member

Re: Finding what object groups an ip address belongs to ?

Can someone please tell me where the link to Netypro is these days? It used to be an option, but I can no longer find it.

Re: Finding what object groups an ip address belongs to ?

Ooopsss...

You did not like the answer, I'm sorry.

The best I can find is to do:

sh run | begin x.x.x.x

That will show all parts of the running-config where the IP address belongs along with the object-group names.

Edit- Sorry, this is not what you're looking for, I apologize for the misleading information. I'll try and see if I find an answer for you.

Federico.

Re: Finding what object groups an ip address belongs to ?

Not the answer you were looking for...

But I can't find a command that shows you just the name of the object-group and the IP to which it belongs.

I think you're stuck with the "sh run" or two show commands (one for the IP and one for the object-group).

Perhaps somebody else can correct me if I'm wrong.

Federico.

New Member

Re: Finding what object groups an ip address belongs to ?

I think we are stuck with limited command options in the ASA, but such a feature is available in Cisco router IOS as per info from a friend of mine. It is something like that shown below. I am yet to try that on a router; if someone is very curious, you can try and let us all know.

sh run object-group | section

Regards,

Shiva

Cisco Employee

Re: Finding what object groups an ip address belongs to ?

Shiva,

You are correct. There is no | s command in the ASA.

But you can issue the following. sh run said that it is in the network object-group, so I issued a sh object-group network.

ASA# sh run | i 3.3.3.3         
network-object host 3.3.3.3


ASA# sh run object-group network
object-group network 4080
network-object host 1.1.1.1
network-object host 2.2.2.2
network-object host 3.3.3.3

-KS

New Member

Re: Finding what object groups an ip address belongs to ?

Hi KS,

I think you missed parts of my initial query. The commands that you used would be perfectly fine if you had only one network object group defined in the configuration and if the IP was part of only that one group. I was looking for a command that would list all the object groups an object is part of.

I think this would be a handy feature to have in future releases of the ASA SW. Is someone from product development listening?

Regards,

Shiva

New Member

Re: Finding what object groups an ip address belongs to ?

Maybe not for ASAs, but for routers/switches...

sh object-group | inc object|x.x.x.x

New Member

Re: Finding what object groups an ip address belongs to ?

Hi,

This is not possible through the ASA CLI, but is possible through ASDM.

Configuration -> Firewall -> Access Rules -> Addresses (in the rightmost corner); screenshot attached for details.

SPK

New Member

Re: Finding what object groups an ip address belongs to ?

There is an even easier way to do this in ASDM. If you look at the screenshot posted by UST_GLOBAL, and right click on the content of one of the groups, you will be able to select "where used". This will show you a list of all the places this address is used.

New Member

Re: Finding what object groups an ip address belongs to ?

It was described under the impression that we know only the IP address details and not the object group name. Consider that there is a large number of object-groups present; if we give the IP address in the filter of the "Addresses", it will give all the object-groups.

SPK

New Member

Re: Finding what object groups an ip address belongs to ?

Maybe not exactly what you were looking for but this is as close as I was ever able to get w/o ASDM.

no names

sho run object-group network | i object-group|1.2.3.4

You'll get the object-group names, and 1.2.3.4 is the IP address.

Brad

New Member

BEST ANSWER.... thanks, this helped me out greatly.

New Member

I recently encountered the same task, finding an object by its IP, and I found a simple and easy way:

#show running-config object network in-line | i x.x.x.x

and one can see name and IP address in one line

object network HOST-1 host 10.1.y.y
object network HOST-2 host 10.1.y.y
object network HOST-3 host 10.1.y.y

no need to use double grep

New Member

Hi Shiva,

There is no direct way of finding what object group an IP belongs to. However, if the IP is specified in the configuration, then you can do a

packet-tracer input inside tcp <source IP> <port number> <destination ip> <destination port>

This will pull the ACL with the object-group and display it.

Now execute

sh run object-group id <object-group name> | include IP address

Hope this helps :)

Please rate.

Thanks
ABD

 

New Member

You can log the session and issue: show running-config object-group network

Open in Notepad.

Find (Ctrl + F) the IP.
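
The offline search described in the replies above, as an added example that is not part of the original thread: a Python sketch that reads saved "show running-config object-group network" output and lists every group an IP belongs to. It goes beyond a plain text match by also counting membership through a subnet entry or a nested group-object. The function names and the sample configuration are constructed for illustration, and "network-object object <name>" references are not resolved.

```python
import ipaddress

# Constructed sample of "show running-config object-group network" output.
SAMPLE = """\
object-group network WEB-SERVERS
 network-object host 10.1.1.10
object-group network DMZ-NETS
 description constructed sample
 network-object 10.1.1.0 255.255.255.0
object-group network ALL-SERVERS
 group-object WEB-SERVERS
 network-object host 192.0.2.5
"""

def parse_groups(config):
    """Map each network object-group to its networks and nested groups."""
    groups, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["object-group", "network"] and len(words) >= 3:
            current = groups.setdefault(words[2], {"nets": [], "children": []})
        elif words[:1] == ["object-group"]:
            current = None  # service/protocol groups are out of scope
        elif current is None or len(words) < 2:
            continue
        elif words[0] == "group-object":
            current["children"].append(words[1])
        elif words[0] != "network-object" or len(words) != 3:
            continue  # description, or a form this sketch does not resolve
        elif words[1] == "host":
            current["nets"].append(ipaddress.ip_network(words[2]))
        elif words[1] != "object":  # "network-object <address> <mask>"
            current["nets"].append(
                ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
    return groups

def groups_containing(config, ip):
    """Names of groups holding ip directly, by subnet, or via group-object."""
    addr = ipaddress.ip_address(ip)
    groups = parse_groups(config)
    def contains(name, seen):
        if name in seen or name not in groups:
            return False  # cycle guard, or reference to an undefined group
        seen.add(name)
        group = groups[name]
        return (any(addr in net for net in group["nets"])
                or any(contains(c, seen) for c in group["children"]))
    return sorted(name for name in groups if contains(name, set()))
```

With the constructed sample, groups_containing(SAMPLE, "10.1.1.10") returns ['ALL-SERVERS', 'DMZ-NETS', 'WEB-SERVERS'], where a text search for the address would only surface WEB-SERVERS.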
