Nesting Object Groups - Cisco FirePOWER ASA 5500 series Configuration Manual

Simplifying Access Lists with Object Grouping
See the "ICMP Types" section on page D-15 for a list of ICMP types.
For example, to create an ICMP type group that includes echo-reply and echo (for controlling ping),
enter the following commands:
hostname(config)# object-group icmp-type ping
hostname(config-icmp-type)# description Ping Group
hostname(config-icmp-type)# icmp-object echo
hostname(config-icmp-type)# icmp-object echo-reply

Nesting Object Groups

To nest an object group within another object group of the same type, first create the group that you want
to nest according to the "Adding Object Groups" section on page 16-11. Then follow these steps:
Step 1
To add or edit an object group under which you want to nest another object group, enter the following
command:
hostname(config)# object-group {{protocol | network | icmp-type} grp_id | service grp_id
{tcp | udp | tcp-udp}}
Step 2
To add the specified group under the object group you specified in Step 1, enter the following command:
hostname(config-group_type)# group-object grp_id
The nested group must be of the same type as the group it is nested in; for example, you cannot add an
icmp-type group to a network group.
You can mix and match nested group objects and regular objects within an object group.
For example, you create network object groups for privileged users from various departments:
hostname(config)# object-group network eng
hostname(config-network)# network-object host 10.1.1.5
hostname(config-network)# network-object host 10.1.1.9
hostname(config-network)# network-object host 10.1.1.89
hostname(config-network)# object-group network hr
hostname(config-network)# network-object host 10.1.2.8
hostname(config-network)# network-object host 10.1.2.12
hostname(config-network)# object-group network finance
hostname(config-network)# network-object host 10.1.4.89
hostname(config-network)# network-object host 10.1.4.100
You then nest all three groups together as follows:
hostname(config)# object-group network admin
hostname(config-network)# group-object eng
hostname(config-network)# group-object hr
hostname(config-network)# group-object finance
You only need to specify the admin object group in your ACE as follows:
hostname(config)# access-list ACL_IN extended permit ip object-group admin host 209.165.201.29
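When auditing a configuration that uses nested groups, the question a reviewer actually needs answered is "which hosts does this ACE really match?". The following script is an added example written for this page, not Cisco code and not something that runs on the appliance: it parses the object-group and access-list syntax shown above (a sample config constructed from the page's own commands), flattens nested group-object references, and expands the ACE into its effective source/destination pairs. It enforces the page's rule that a nested group must have the same type as its parent; rejecting a reference loop is this helper's own assumption, not behaviour the page documents.

```python
"""Flatten nested ASA object groups and expand an ACE into host pairs.
Added example for this page, not Cisco code: it parses the object-group and
access-list syntax shown above from a constructed sample config and enforces
the page's rule that a nested group must match its parent's type. Rejecting
a reference loop is this helper's own assumption, not documented behaviour."""
import re

SAMPLE_CONFIG = """\
object-group icmp-type ping
 icmp-object echo
 icmp-object echo-reply
object-group network eng
 network-object host 10.1.1.5
 network-object host 10.1.1.9
 network-object host 10.1.1.89
object-group network hr
 network-object host 10.1.2.8
 network-object host 10.1.2.12
object-group network finance
 network-object host 10.1.4.89
 network-object host 10.1.4.100
object-group network admin
 group-object eng
 group-object hr
 group-object finance
access-list ACL_IN extended permit ip object-group admin host 209.165.201.29
"""  # constructed from the page's commands

class ObjectGroupError(ValueError):
    pass  # a group reference the configuration cannot resolve

def parse_config(text):
    """Return ({name: (type, members)}, [ace lines]); a member is
    ("obj", value) for a regular object or ("group", name) for a nested one."""
    groups, aces, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"object-group (\S+) (\S+)", line)
        if m:
            current = m.group(2)
            groups[current] = (m.group(1), [])
        elif line.startswith("access-list "):
            aces.append(line)
            current = None
        elif current is None or not line or line.startswith("description "):
            continue
        elif line.startswith("group-object "):
            groups[current][1].append(("group", line.split()[1]))
        elif line.startswith("network-object host "):
            groups[current][1].append(("obj", line.split()[2]))
        elif line.startswith(("network-object ", "icmp-object ",
                              "protocol-object ", "port-object ")):
            groups[current][1].append(("obj", line.split(None, 1)[1]))
    return groups, aces

def flatten(groups, name, _stack=()):
    """Expand `name` to its regular objects, recursing into nested groups and
    rejecting a missing group, a type mismatch, or a loop (assumed check)."""
    if name not in groups:
        raise ObjectGroupError(f"object-group {name} does not exist")
    if name in _stack:
        raise ObjectGroupError("nesting loop: " + " -> ".join(_stack + (name,)))
    gtype, members = groups[name]
    out = []
    for kind, value in members:
        if kind == "group":
            if value in groups and groups[value][0] != gtype:
                raise ObjectGroupError(f"cannot nest {groups[value][0]} group "
                                       f"{value} in {gtype} group {name}")
            values = flatten(groups, value, _stack + (name,))
        else:
            values = [value]
        for v in values:  # keep order, drop duplicates from overlapping groups
            if v not in out:
                out.append(v)
    return out

def expand_ace(groups, ace):
    """Expand 'access-list NAME extended permit|deny PROTO SRC DST' (endpoints
    any | host A | object-group G) into (name, action, proto, [(src, dst)])."""
    m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.+)$", ace)
    if not m:
        raise ObjectGroupError("unsupported ACE syntax: " + ace)
    acl, action, proto, toks = m.group(1), m.group(2), m.group(3), m.group(4).split()
    def endpoint():
        kw = toks.pop(0)
        if kw == "any":
            return ["any"]
        if kw == "host":
            return [toks.pop(0)]
        if kw == "object-group":
            return flatten(groups, toks.pop(0))
        raise ObjectGroupError(f"unsupported endpoint keyword: {kw}")
    src, dst = endpoint(), endpoint()
    return acl, action, proto, [(s, d) for s in src for d in dst]

if __name__ == "__main__":
    groups, aces = parse_config(SAMPLE_CONFIG)
    for src, dst in expand_ace(groups, aces[0])[3]:
        print(f"permit ip {src} -> {dst}")
```

Run as-is, it prints the seven host-to-host entries the single `permit ip object-group admin host 209.165.201.29` ACE stands for. Feeding `flatten` a network group that references the `ping` icmp-type group raises the type-mismatch error, which is the condition the page's "must be of the same type" rule describes.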
Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, Chapter 16 Identifying Traffic with Access Lists, page 16-14