Cisco Support Community
New Member

Editing hosts into an already configured object-group on ASA5520

I am configuring site-to-site IPsec VPN tunnels and I use object-groups with ACLs.  How do you add host IPs to an already created object-group without having to tear down the object-group?

I tried adding hosts in ASDM into an already defined object-group and ASDM complained at me and gave me an error.  However, after the error it looked like it took it anyway.

Thanks,

glh

4 REPLIES
New Member

Re: Editing hosts into an already configured object-group on ASA

Greg,

You should be able to modify an existing object-group without problems, providing that you are putting in the appropriate parameters.  Try SSHing into the ASA devices.

Find the object-group that you want to modify; I will show an object-group HQ_LAN as an example only.

asa5520# sh run | be object-group
asa5520# conf t
asa5520(config)# object-group network HQ_LAN
asa5520(config-network)# network-object 192.168.200.10 255.255.255.255  => Single host
asa5520(config-network)# network-object 192.168.200.0 255.255.255.0     => Class C network 192.168.200.x
asa5520(config-network)# exit
asa5520(config)# wr mem

Hope this answers your question.  If you are looking at the ASDM, the concepts should be exactly the same; just ensure that you are modifying the appropriate object-group and using the correct syntax.

New Member

Re: Editing hosts into an already configured object-group on ASA

Thanks for the quick reply.  So, I won't have to remove the specific access-list associated with this object-group first?

I can just go ahead and edit it like you have shown?

G -

New Member

Re: Editing hosts into an already configured object-group on ASA

Greg,

You should be able to add the new host to the object-group. If you are trying to be more specific with the object-group, then yes, you should remove the other full-subnet object from the object-group; however, be aware that when you are changing the object-group, those changes will affect all rules (ACL, NAT, xlates) as well if they are using the same object-group in those statements.

Object-groups can be a great tool, or a nightmare.  Ensure that your naming conventions clearly give reason for the object-groups to alleviate problems.

Thanks,

Joe
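As an added example (not from the thread or from Cisco), the pre-change check Joe's caveat calls for: before editing HQ_LAN, list every ACL entry, NAT rule and nested group that references it, and which crypto-map ACLs (so which site-to-site tunnels) the edit reaches. The running-config excerpt is constructed; every name other than HQ_LAN is an assumption.

```python
import re

# Constructed ASA running-config excerpt (not from the thread) to exercise the check.
SAMPLE_CONFIG = """\
object-group network HQ_LAN
 network-object 192.168.200.0 255.255.255.0
object-group network HQ_LAN_SERVERS
 network-object host 192.168.200.10
object-group network ALL_SITES
 group-object HQ_LAN
access-list OUTSIDE_CRYPTO extended permit ip object-group HQ_LAN object-group BRANCH_LAN
access-list INSIDE_IN extended permit tcp object-group HQ_LAN any eq 443
nat (inside,outside) source static HQ_LAN HQ_LAN destination static BRANCH_LAN BRANCH_LAN
crypto map OUTSIDE_MAP 10 match address OUTSIDE_CRYPTO
"""

def parse_object_groups(config):
    """Map each 'object-group network' name to its member lines (indented sub-commands)."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif line.startswith(" ") and current is not None:
            groups[current].append(line.strip())
        else:
            current = None
    return groups

def find_references(config, group):
    """Lines that use the group by name: ACL entries, NAT rules, nested group-objects.
    Whole-token matching keeps HQ_LAN from also matching HQ_LAN_SERVERS."""
    token = re.compile(r"(?<![\w-])" + re.escape(group) + r"(?![\w-])")
    definition = re.compile(r"^object-group \S+ " + re.escape(group) + r"$")
    return [line.strip() for line in config.splitlines()
            if token.search(line) and not definition.match(line)]

def crypto_acls_affected(config, group):
    """Referencing ACLs that a crypto map uses as its match address, i.e. where the
    edit changes which traffic a site-to-site tunnel protects."""
    acls = {l.split()[1] for l in find_references(config, group) if l.startswith("access-list ")}
    return sorted(m.group(1) for m in
                  re.finditer(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M)
                  if m.group(1) in acls)

if __name__ == "__main__":
    for ref in find_references(SAMPLE_CONFIG, "HQ_LAN"):
        print("references HQ_LAN:", ref)
    print("crypto ACLs affected:", crypto_acls_affected(SAMPLE_CONFIG, "HQ_LAN"))
```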

New Member

Re: Editing hosts into an already configured object-group on ASA

Great, thank you.

g -
