Cisco Support Community
New Member

inverse object-group concept

Does Cisco have a way to write an ACL to block the opposite of an object-group?

For example, I want to write an ACL allowing all traffic other than to object-group Corp_Net...



Super Bronze



Well, usually you build the required ACL from a combination of "permit" and "deny" statements. To my understanding there is no other way to use an "object-group" other than to use it as a source or destination of a permit or deny statement. The contents under the "object-group" will be used, nothing else.

I am not sure what the exact requirement in the above is, but I would imagine it would be something like this:

access-list ACL remark Deny all traffic to Corp_NET
access-list ACL deny ip any object-group Corp_NET
access-list ACL remark Allow all other traffic
access-list ACL permit ip any any

Naturally the above would be a pretty simple example of a situation where you want to block traffic from behind some interface to a corporate network and then allow all other traffic.

- Jouni

New Member


I was also wanting to find a way to invert (or not) an object-group. My use case is to deny access to the internet. It would be difficult to put an object group together that has all public IP space. It would be easier to make a group that has all private IP space, and permit everything that doesn't match.
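The point both replies turn on is that an ASA/IOS extended ACL is evaluated top-down, first match wins, and anything that matches nothing is dropped by the implicit deny at the end. That is what makes "everything except object-group X" expressible without any inverse operator: either deny X first and permit the rest (Jouni's example), or permit only X and let the implicit deny handle the rest (the "block the internet, allow private space" case above). The following Python script is an added illustration, not code from the thread or from Cisco: it renders both ACL shapes as ASA-style config text and then evaluates a few destination addresses under first-match semantics to show which one each pattern permits. The object-group name `Private_Net` and the RFC 1918 networks it contains are constructed for the example; the ACL names are placeholders.

```python
import ipaddress

# Constructed object-group (assumption): the "all private IP space" group from the thread.
OG_PRIVATE = {
    "name": "Private_Net",
    "networks": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}


def asa_object_group(og):
    """Render the object-group as ASA 'object-group network' config lines."""
    lines = [f"object-group network {og['name']}"]
    for n in og["networks"]:
        net = ipaddress.ip_network(n)
        lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines


def asa_acl_not_to_group(acl, og):
    """Permit everything EXCEPT traffic destined to the group: deny first, then permit any."""
    return [
        f"access-list {acl} remark Deny all traffic to {og['name']}",
        f"access-list {acl} deny ip any object-group {og['name']}",
        f"access-list {acl} remark Allow all other traffic",
        f"access-list {acl} permit ip any any",
    ]


def asa_acl_only_to_group(acl, og):
    """Permit ONLY traffic destined to the group; the implicit deny drops everything else."""
    return [
        f"access-list {acl} remark Allow only traffic to {og['name']}",
        f"access-list {acl} permit ip any object-group {og['name']}",
        f"access-list {acl} remark Everything else is dropped by the implicit deny",
    ]


# Access-control entries as (action, destination networks); None means "any".
def aces_not_to_group(og):
    return [("deny", og["networks"]), ("permit", None)]


def aces_only_to_group(og):
    return [("permit", og["networks"])]


def evaluate(aces, dst):
    """First-match evaluation of a destination address, with the ACL's implicit deny at the end."""
    addr = ipaddress.ip_address(dst)
    for action, networks in aces:
        if networks is None or any(addr in ipaddress.ip_network(n) for n in networks):
            return action
    return "deny"  # no ACE matched: implicit deny


def main():
    print("\n".join(asa_object_group(OG_PRIVATE)))
    print("!")
    print("\n".join(asa_acl_not_to_group("NOT_CORP", OG_PRIVATE)))
    print("!")
    print("\n".join(asa_acl_only_to_group("NO_INTERNET", OG_PRIVATE)))
    print("!")
    for dst in ("10.1.2.3", "8.8.8.8"):
        print(f"{dst}: NOT_CORP -> {evaluate(aces_not_to_group(OG_PRIVATE), dst)}, "
              f"NO_INTERNET -> {evaluate(aces_only_to_group(OG_PRIVATE), dst)}")


if __name__ == "__main__":
    main()
```

Run it and the two ACLs behave as mirror images of each other for the same object-group: `NOT_CORP` permits 8.8.8.8 and denies 10.1.2.3, while `NO_INTERNET` does the reverse without ever naming a public prefix. When checking a real device, `show access-list` hit counts on the deny line and on the permit line are the quickest way to confirm the ordering is doing what you expect.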
