Hi Jeff,
These can be difficult to read if you find them in the running configuration. If you use the show access-list command, you can see the exact statements that are in effect. For example:
access-list Access_in extended permit object-group MyProto object-group My_hosts_1 object-group My_hosts_2 log
Looks like:
ASA1(config)# show access-list Access_in
access-list Access_in; 24 elements; name hash: 0x49ffabc6
access-list Access_in line 1 extended permit object-group MyProto object-group My_hosts_1 object-group My_hosts_2 log informational interval 300 (hitcnt=0) 0x20b02f98
access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.3 eq www log informational interval 300 (hitcnt=0) 0x7003edd0
access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.4 eq www log informational interval 300 (hitcnt=0) 0xa57780eb
access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.3 eq www log informational interval 300 (hitcnt=0) 0x2635cf29
access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.4 eq www log informational interval 300 (hitcnt=0) 0x9d5c28eb
access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.3 eq 9100 log informational interval 300 (hitcnt=0) 0xb6038e1e
access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.4 eq 9100 log informational interval 300 (hitcnt=0) 0xe1b23888
access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.3 eq 9100 log informational interval 300 (hitcnt=0) 0x3e748362
access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.4 eq 9100 log informational interval 300 (hitcnt=0) 0x013364af
access-list Access_in line 1 extended permit udp host 192.168.1.1 host 192.168.1.3 eq 9100 log informational interval 300 (hitcnt=0) 0xbefad335
access-list Access_in line 1 extended permit udp host 192.168.1.1 host 192.168.1.4 eq 9100 log informational interval 300 (hitcnt=0) 0xf5b22b90
access-list Access_in line 1 extended permit udp host 192.168.1.2 host 192.168.1.3 eq 9100 log informational interval 300 (hitcnt=0) 0xa6e822bb
access-list Access_in line 1 extended permit udp host 192.168.1.2 host 192.168.1.4 eq 9100 log informational interval 300 (hitcnt=0) 0xabd4e176
access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.3 range 34322 34325 log informational interval 300 (hitcnt=0) 0xcccf50dd
access-list Access_in line 1 extended permit tcp host 192.168.1.1 host 192.168.1.4 range 34322 34325 log informational interval 300 (hitcnt=0) 0xd92fc437
access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.3 range 34322 34325 log informational interval 300 (hitcnt=0) 0x848377f0
access-list Access_in line 1 extended permit tcp host 192.168.1.2 host 192.168.1.4 range 34322 34325 log informational interval 300 (hitcnt=0) 0xc0e4b258
access-list Access_in line 1 extended permit udp host 192.168.1.1 host 192.168.1.3 range 34322 34325 log informational interval 300 (hitcnt=0) 0x1b0e1b45
access-list Access_in line 1 extended permit udp host 192.168.1.1 host 192.168.1.4 range 34322 34325 log informational interval 300 (hitcnt=0) 0xc3caafb1
access-list Access_in line 1 extended permit udp host 192.168.1.2 host 192.168.1.3 range 34322 34325 log informational interval 300 (hitcnt=0) 0xacf16561
access-list Access_in line 1 extended permit udp host 192.168.1.2 host 192.168.1.4 range 34322 34325 log informational interval 300 (hitcnt=0) 0xbe05fae2
access-list Access_in line 1 extended permit tcp host 192.168.1.1 eq ldap host 192.168.1.3 log informational interval 300 (hitcnt=0) 0x83280655
access-list Access_in line 1 extended permit tcp host 192.168.1.1 eq ldap host 192.168.1.4 log informational interval 300 (hitcnt=0) 0xde224e26
access-list Access_in line 1 extended permit tcp host 192.168.1.2 eq ldap host 192.168.1.3 log informational interval 300 (hitcnt=0) 0xf97b1cec
access-list Access_in line 1 extended permit tcp host 192.168.1.2 eq ldap host 192.168.1.4 log informational interval 300 (hitcnt=0) 0xcbbd37bd
Here are the two object-groups that I created for this example:
ASA1(config)# show run object-group | begin My_hosts
object-group network My_hosts_1
network-object host 192.168.1.1
network-object host 192.168.1.2
object-group network My_hosts_2
network-object host 192.168.1.3
network-object host 192.168.1.4
Rene