New Member

How to view & verify object-group

If we run the show object-group command, it lists all the object-groups on the firewall.

Pix(config)# show object-group
object-group network dmz_servers
  description: The DMZ shared servers
  network-object host 192.168.2.3
  network-object host 192.168.2.4
  network-object host 192.168.2.5
object-group network Partners
  description: The dealer and supplier partners
  network-object host 172.16.21.119
  network-object 192.168.7.0 255.255.255.0
  network-object 192.168.12.0 255.255.253.0

Is there a specific command to show only a specific object-group?

For example, if I only want to get what is inside dmz_servers, which command should I use?

I've tried

show object-group dmz_servers

&

Show object-group network dmz_servers

But they didn't work. Please advise. Thanks

Super Bronze

Re: How to view & verify object-group

Unfortunately you won't be able to show just that particular object.

The closest you can do is to list that particular object on top of your show output as follows:

sh run object-group network | b Partners

Hope that helps.

I wonder why this feature is not added, as it is becoming a nightmare to find the exact NAT statement for a particular IP, especially when you have thousands of object statements. The CLI is becoming unmanageable.
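For the problem raised in the comment above (locating a particular IP among thousands of object statements), here is an added example that is not part of the thread: a Python script that parses saved object-group output offline and lists the network groups whose members cover an address. The sample input is the output quoted in the first post; the function names are hypothetical, and members that cannot be read as address plus mask (including nested or named references) are reported rather than resolved.

```python
import ipaddress

# Sample input: the `show object-group` output quoted in the first post.
SAMPLE = """\
object-group network dmz_servers
  description: The DMZ shared servers
  network-object host 192.168.2.3
  network-object host 192.168.2.4
  network-object host 192.168.2.5
object-group network Partners
  description: The dealer and supplier partners
  network-object host 172.16.21.119
  network-object 192.168.7.0 255.255.255.0
  network-object 192.168.12.0 255.255.253.0
"""

def parse_network_groups(text):
    """Return ({group: [networks]}, [(group, line, error)]) from saved output."""
    groups, problems, current = {}, [], None
    for raw in text.splitlines():
        words = raw.split()
        if words[:2] == ["object-group", "network"] and len(words) >= 3:
            current = words[2]
            groups[current] = []
        elif words[:1] == ["object-group"]:
            current = None  # service, protocol and icmp-type groups are skipped
        elif current and words[:1] == ["network-object"]:
            try:
                if words[1] == "host":
                    net = ipaddress.ip_network(words[2])
                else:  # "<address> <netmask>" form
                    net = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
                groups[current].append(net)
            except (ValueError, IndexError) as exc:
                # e.g. a non-contiguous mask; keep it visible instead of guessing
                problems.append((current, raw.strip(), str(exc)))
    return groups, problems

def groups_containing(groups, address):
    """Names of the groups with a member that covers the given IP address."""
    ip = ipaddress.ip_address(address)
    return sorted(n for n, nets in groups.items() if any(ip in net for net in nets))

if __name__ == "__main__":
    groups, problems = parse_network_groups(SAMPLE)
    for ip in ("192.168.2.4", "192.168.7.20", "10.0.0.1"):
        print(ip, "->", groups_containing(groups, ip) or "no group")
    for group, line, err in problems:
        print(f"unparsed in {group}: {line} ({err})")
```

With the sample input, the `192.168.12.0 255.255.253.0` member is reported as unparsed because that mask is not contiguous.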

Cisco Employee

Re: How to view & verify object-group

You can do it using

show object-group network id dmz_servers

I hope it helps.

PK

New Member

Re: How to view & verify object-group

Thanks halijenn & pkampana for your replies. I forgot that ASA & PIX differ a little bit in their commands.

Btw, this is the correct command to view a specific group in both ASA & PIX

# ASA
sh run object-group id dmz_servers

# PIX
show object-group id dmz_servers

New Member

Re: How to view & verify object-group

Hi all,

The command above can be used to verify an object-group in ASA. But it won't work against the object-group for service as below. Any advice in this matter would be highly appreciated.

The command below failed.

ASA5510# sh run object-group service Port_ABC
                                        ^
ERROR: % Invalid input detected at '^' marker.

This object-group actually exists on the firewall

object-group service Port_ABC tcp
port-object eq 2000
port-object eq 2111
port-object eq 2222

ASA5510# sh run object-group ?

  icmp-type  Show 'icmp-type' type of object group(s)
  id         Show specific object group
  network    Show 'network' type of object group(s)
  protocol   Show 'protocol' type of object group(s)
  service    Show 'service' type of object group(s)
  |          Output modifiers

ASA5510# sh run object-group service ?

  |  Output modifiers

Cisco Employee

Re: How to view & verify object-group

You need to issue either

sh run object-group service

or

sh run object-group id Port_ABC -------> watch the "id" keyword

-KS

New Member

Re: How to view & verify object-group

Thanks again Kusankar for your help. How come I missed "id" there. No wonder it never works.

New Member

How to view & verify object-group

Hi, can anyone suggest how many IP addresses can be configured under an object-group network? (ASA 5550 ver 8.2)

My customer wants to configure 6000 IPs under an object-group and add the deny rule for this group.

Thanks ahead,
