Cisco ASA Object Group for Access-List

Hi Jeff,

These can be difficult to read if you find them in the running configuration. If you use the show access-list command, you can see the exact statements that are in effect. For example:

access-list Access_in extended permit object-group MyProto object-group My_hosts_1 object-group My_hosts_2 log

Looks like:

ASA1(config)# show access-list Access_in
access-list Access_in; 24 elements; name hash: 0x49ffabc6
access-list Access_in line 1 extended permit object-group MyProto object-group My_hosts_1 object-group My_hosts_2 log informational interval 300 (hitcnt=0) 0x20b02f98 
  access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.3 eq www log informational interval 300 (hitcnt=0) 0x7003edd0 
  access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.4 eq www log informational interval 300 (hitcnt=0) 0xa57780eb 
  access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.3 eq www log informational interval 300 (hitcnt=0) 0x2635cf29 
  access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.4 eq www log informational interval 300 (hitcnt=0) 0x9d5c28eb 
  access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.3 eq 9100 log informational interval 300 (hitcnt=0) 0xb6038e1e 
  access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.4 eq 9100 log informational interval 300 (hitcnt=0) 0xe1b23888 
  access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.3 eq 9100 log informational interval 300 (hitcnt=0) 0x3e748362 
  access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.4 eq 9100 log informational interval 300 (hitcnt=0) 0x013364af 
  access-list Access_in line 1 extended permit udp host 192.168.1.1 host 192.168.1.3 eq 9100 log informational interval 300 (hitcnt=0) 0xbefad335 
  access-list Access_in line 1 extended permit udp host 192.168.1.1 host 192.168.1.4 eq 9100 log informational interval 300 (hitcnt=0) 0xf5b22b90 
  access-list Access_in line 1 extended permit udp host 192.168.1.2 host 192.168.1.3 eq 9100 log informational interval 300 (hitcnt=0) 0xa6e822bb 
  access-list Access_in line 1 extended permit udp host 192.168.1.2 host 192.168.1.4 eq 9100 log informational interval 300 (hitcnt=0) 0xabd4e176 
  access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.3 range 34322 34325 log informational interval 300 (hitcnt=0) 0xcccf50dd 
  access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.4 range 34322 34325 log informational interval 300 (hitcnt=0) 0xd92fc437 
  access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.3 range 34322 34325 log informational interval 300 (hitcnt=0) 0x848377f0 
  access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.4 range 34322 34325 log informational interval 300 (hitcnt=0) 0xc0e4b258 
  access-list Access_in line 1 extended permit udp host 192.168.1.1 host 192.168.1.3 range 34322 34325 log informational interval 300 (hitcnt=0) 0x1b0e1b45 
  access-list Access_in line 1 extended permit udp host 192.168.1.1 host 192.168.1.4 range 34322 34325 log informational interval 300 (hitcnt=0) 0xc3caafb1 
  access-list Access_in line 1 extended permit udp host 192.168.1.2 host 192.168.1.3 range 34322 34325 log informational interval 300 (hitcnt=0) 0xacf16561 
  access-list Access_in line 1 extended permit udp host 192.168.1.2 host 192.168.1.4 range 34322 34325 log informational interval 300 (hitcnt=0) 0xbe05fae2 
  access-list Access_in line 1 extended permit tcp host 192.168.1.1 eq ldap host 192.168.1.3 log informational interval 300 (hitcnt=0) 0x83280655 
  access-list Access_in line 1 extended permit tcp host 192.168.1.1 eq ldap host 192.168.1.4 log informational interval 300 (hitcnt=0) 0xde224e26 
  access-list Access_in line 1 extended permit tcp host 192.168.1.2 eq ldap host 192.168.1.3 log informational interval 300 (hitcnt=0) 0xf97b1cec 
  access-list Access_in line 1 extended permit tcp host 192.168.1.2 eq ldap host 192.168.1.4 log informational interval 300 (hitcnt=0) 0xcbbd37bd

Here are the two object-groups that I created for this example:

ASA1(config)# show run object-group | begin My_hosts  
object-group network My_hosts_1
 network-object host 192.168.1.1
 network-object host 192.168.1.2
object-group network My_hosts_2
 network-object host 192.168.1.3
 network-object host 192.168.1.4

Rene

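The `show access-list` output above is the ASA doing a cross product: every service entry times every source host times every destination host, which is why one configured ACE becomes 24 elements. As an added example (not part of Rene's post or Cisco's code), the Python script below performs the same expansion offline on a running-config excerpt, which is handy when you are auditing a config dump and cannot run `show access-list` on the box. The two network object-groups are the ones shown in the post; the service object-group `MyProto` is not shown there, so the one in `SAMPLE_CONFIG` is constructed here (an assumption) to reproduce the 24 entries. The per-entry `informational interval 300 (hitcnt=0) 0x...` suffix is omitted, since hit counts and hash values only exist on the firewall.

```python
"""Expand Cisco ASA object-group based ACEs into the flat entries shown by
`show access-list`.  Added example; MyProto below is an assumed service group."""
import re
from itertools import product

# Constructed config excerpt.  MyProto is assumed (not on the page); the
# network groups and the ACE are the ones from the post.
SAMPLE_CONFIG = """\
object-group service MyProto
 service-object tcp destination eq www
 service-object tcp-udp destination eq 9100
 service-object tcp-udp destination range 34322 34325
 service-object tcp source eq ldap
object-group network My_hosts_1
 network-object host 192.168.1.1
 network-object host 192.168.1.2
object-group network My_hosts_2
 network-object host 192.168.1.3
 network-object host 192.168.1.4
access-list Access_in extended permit object-group MyProto object-group My_hosts_1 object-group My_hosts_2 log
"""

ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) object-group (\S+) "
                    r"object-group (\S+) object-group (\S+)(.*)$")
SVC_RE = re.compile(r"service-object (\S+)(?: source (eq \S+|range \S+ \S+))?"
                    r"(?: destination (eq \S+|range \S+ \S+))?$")


def parse_config(text):
    """Return (network_groups, service_groups, aces) from a config excerpt."""
    net, svc, aces = {}, {}, []
    current = None
    for line in text.splitlines():
        if line.startswith("object-group network "):
            current = net.setdefault(line.split()[2], [])
        elif line.startswith("object-group service "):
            current = svc.setdefault(line.split()[2], [])
        elif line.startswith("access-list "):
            current = None
            aces.append(line.rstrip())
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())      # member line of the open group
    return net, svc, aces


def expand_network_group(name, net_groups):
    """Flatten a network object-group (host, subnet, nested group-object)."""
    out = []
    for entry in net_groups[name]:
        w = entry.split()
        if w[0] == "group-object":
            out.extend(expand_network_group(w[1], net_groups))
        elif w[1] == "host":
            out.append(f"host {w[2]}")
        else:
            out.append(f"{w[1]} {w[2]}")    # "network-object A.B.C.D MASK"
    return out


def expand_service(entry):
    """One service-object -> list of (proto, src_port, dst_port); tcp-udp
    yields tcp first, then udp, matching the ASA's display order."""
    m = SVC_RE.match(entry)
    if not m:
        raise ValueError(f"unsupported service entry: {entry}")
    proto, sport, dport = m.groups()
    protos = ["tcp", "udp"] if proto == "tcp-udp" else [proto]
    return [(p, sport or "", dport or "") for p in protos]


def expand_ace(ace, net_groups, svc_groups, line_no):
    """Cross product service x source x destination, in the ASA's order."""
    m = ACE_RE.match(ace)
    if not m:
        raise ValueError(f"only the three-object-group form is handled: {ace}")
    name, action, svc, src, dst, trailer = m.groups()
    srcs = expand_network_group(src, net_groups)
    dsts = expand_network_group(dst, net_groups)
    flat = []
    for entry in svc_groups[svc]:
        for proto, sport, dport in expand_service(entry):
            for s, d in product(srcs, dsts):
                parts = [f"access-list {name} line {line_no} extended {action} {proto}", s]
                parts += [sport] if sport else []   # source port sits after the source
                parts.append(d)
                parts += [dport] if dport else []
                parts += [trailer.strip()] if trailer.strip() else []
                flat.append(" ".join(parts))
    return flat


def expand_config(text):
    """Expand every ACE in the excerpt; ACE i in config order becomes 'line i'."""
    net, svc, aces = parse_config(text)
    flat = []
    for i, ace in enumerate(aces, start=1):
        flat.extend(expand_ace(ace, net, svc, i))
    return flat


if __name__ == "__main__":
    entries = expand_config(SAMPLE_CONFIG)
    print(f"{len(entries)} elements")
    print("\n".join(entries))
```

The element count this produces is the number you want to watch when groups grow: a service group with 10 entries applied between two 50-host groups becomes 25,000 ACEs on the box, and it is the expanded entries, not the one configured line, that count against ACL size and that `show access-list` hit counters are kept for.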