Hi Asi,
You don’t have to use object-groups but they can make your access-lists much easier to read. Let me give you an example:
ASA# show run | incl access-list VIRL
access-list VIRL extended permit tcp any object VIRL object-group VIRL_PORTS
The access-list above only has one line. The object called VIRL can access the ports in VIRL_PORTS. When you take a closer look, you can see there are quite a few statements:
ASA# show access-list VIRL
access-list VIRL; 12 elements; name hash: 0xa226aadb
access-list VIRL line 1 extended permit tcp any object VIRL object-group VIRL_PORTS (hitcnt=5339) 0x34bff8c2
access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19399 (hitcnt=5339) 0x10a4e819
access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19401 (hitcnt=0) 0x28d7ccd3
access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19402 (hitcnt=0) 0xbd35246b
access-list VIRL line 1 extended permit tcp any host 192.168.1.1 range 17000 18000 (hitcnt=1) 0xe834b3a3
access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq www (hitcnt=44) 0x9ba2364f
access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19400 (hitcnt=0) 0x5a336e3c
By using object-groups, you can make your access-lists shorter and much easier to read.
Rene
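The expansion shown in the reply above can also be audited per entry. The following is an added example, not part of the original post: a Python sketch that parses the `show access-list` output quoted above, separates the configured object-group line from the entries the ASA expands it into, and lists expanded entries that have never matched traffic. The function names `parse_show_access_list` and `unused_entries` are hypothetical, and the sample text is the output copied from the post.

```python
import re

# Output copied from the post above (header plus the rows the post shows).
SHOW_ACL = """\
access-list VIRL; 12 elements; name hash: 0xa226aadb
access-list VIRL line 1 extended permit tcp any object VIRL object-group VIRL_PORTS (hitcnt=5339) 0x34bff8c2
access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19399 (hitcnt=5339) 0x10a4e819
access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19401 (hitcnt=0) 0x28d7ccd3
access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19402 (hitcnt=0) 0xbd35246b
access-list VIRL line 1 extended permit tcp any host 192.168.1.1 range 17000 18000 (hitcnt=1) 0xe834b3a3
access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq www (hitcnt=44) 0x9ba2364f
access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19400 (hitcnt=0) 0x5a336e3c
"""

# One ACE row: ACL name, configured line number, rule text, hit count, entry hash.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rule>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\) (?P<hash>0x[0-9a-f]+)$"
)

def parse_show_access_list(text):
    """Return {(acl, line): {"parent": entry or None, "expanded": [entries]}}."""
    acls = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # summary header or an unrecognised row
        entry = {"rule": m["rule"], "hits": int(m["hits"]), "hash": m["hash"]}
        slot = acls.setdefault((m["acl"], int(m["line"])),
                               {"parent": None, "expanded": []})
        # The configured line references objects; rows after it are its expansion.
        if slot["parent"] is None and re.search(r"\bobject(-group)?\b", m["rule"]):
            slot["parent"] = entry
        else:
            slot["expanded"].append(entry)
    return acls

def unused_entries(acls):
    """Expanded entries with hitcnt=0: review whether the group still needs them."""
    return [(key, e["rule"]) for key, slot in acls.items()
            for e in slot["expanded"] if e["hits"] == 0]

if __name__ == "__main__":
    parsed = parse_show_access_list(SHOW_ACL)
    for (acl, line), rule in unused_entries(parsed):
        print(f"{acl} line {line}: no hits on '{rule}'")
```

A readable one-line ACL still permits everything in its expansion, so a review of the object-group should look at the expanded rows and their hit counts rather than the single configured line.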