Cisco ASA Object Group for Access-List

Hi Asi,

You don’t have to use object-groups but they can make your access-lists much easier to read. Let me give you an example:

ASA# show run | incl access-list VIRL
access-list VIRL extended permit tcp any object VIRL object-group VIRL_PORTS

The access-list above only has one line. The object called VIRL can access the ports in VIRL_PORTS. When you take a closer look, you can see there are quite a few statements:

ASA# show access-list VIRL
access-list VIRL; 12 elements; name hash: 0xa226aadb
access-list VIRL line 1 extended permit tcp any object VIRL object-group VIRL_PORTS (hitcnt=5339) 0x34bff8c2
  access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19399 (hitcnt=5339) 0x10a4e819
  access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19401 (hitcnt=0) 0x28d7ccd3
  access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19402 (hitcnt=0) 0xbd35246b
  access-list VIRL line 1 extended permit tcp any host 192.168.1.1 range 17000 18000 (hitcnt=1) 0xe834b3a3
  access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq www (hitcnt=44) 0x9ba2364f
  access-list VIRL line 1 extended permit tcp any host 192.168.1.1 eq 19400 (hitcnt=0) 0x5a336e3c

By using object-groups, you can make your access-lists shorter and much easier to read.

Rene

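The one-line access-list in the post hides six real entries, which is exactly what makes object-groups worth understanding when you audit a firewall policy: the running config shows one ACE, the device enforces many. The script below is an added example (it is not from Rene's post and not a Cisco tool). It parses a small, constructed ASA configuration containing the network object and service object-group that could have produced the expansion shown above (the object and port definitions are an assumption; the post does not show them), then expands the access-list line into the same per-port entries that `show access-list` prints, so you can count and review what the device will actually match. It handles only the subset of ASA syntax used here: tcp/udp, `any`/`host`/`object` address specs, and destination ports given as `eq`, `range` or a service object-group.

```python
"""Expand an ASA access-list that references objects into the per-entry lines
that `show access-list` prints. Added example; supports a subset of ASA syntax:
network objects with `host`/`subnet`, service object-groups with
`port-object eq|range`, and destination-port specs eq/range/object-group."""

# Constructed sample configuration. Assumption: this is one config that would
# yield the expansion shown in the post; it is not the original device config.
SAMPLE_CONFIG = """
object network VIRL
 host 192.168.1.1
object-group service VIRL_PORTS tcp
 port-object eq 19399
 port-object eq 19401
 port-object eq 19402
 port-object range 17000 18000
 port-object eq www
 port-object eq 19400
access-list VIRL extended permit tcp any object VIRL object-group VIRL_PORTS
"""


def parse_config(text):
    """Return (network objects, service groups, access-list lines) from config text."""
    objects, groups, acls = {}, {}, []
    current = None  # (kind, name) of the object/group whose children follow
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        parts = line.split()
        if line.startswith(" "):  # ASA indents child lines with one space
            if current is None:
                continue
            kind, name = current
            if kind == "object" and parts[0] == "host":
                objects[name] = ["host " + parts[1]]
            elif kind == "object" and parts[0] == "subnet":
                objects[name] = [parts[1] + " " + parts[2]]
            elif kind == "group" and parts[0] == "port-object":
                groups[name].append(" ".join(parts[1:]))  # e.g. "eq 19399"
            continue
        if parts[0] == "object" and parts[1] == "network":
            current = ("object", parts[2])
            objects.setdefault(parts[2], [])
        elif parts[0] == "object-group" and parts[1] == "service":
            current = ("group", parts[2])
            groups[parts[2]] = []
        elif parts[0] == "access-list":
            acls.append(line)
        else:
            current = None
    return objects, groups, acls


def _addresses(tokens, i, objects):
    """Consume one address spec at tokens[i]; return (list of specs, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ["any"], i + 1
    if tok == "host":
        return ["host " + tokens[i + 1]], i + 2
    if tok == "object":
        return list(objects[tokens[i + 1]]), i + 2
    raise ValueError("unsupported address spec: " + tok)


def _ports(tokens, i, groups):
    """Consume an optional destination-port spec; return (list of suffixes, next index)."""
    if i >= len(tokens):
        return [""], i
    tok = tokens[i]
    if tok == "object-group":
        return [" " + p for p in groups[tokens[i + 1]]], i + 2
    if tok == "eq":
        return [" eq " + tokens[i + 1]], i + 2
    if tok == "range":
        return [" range " + tokens[i + 1] + " " + tokens[i + 2]], i + 3
    raise ValueError("unsupported port spec: " + tok)


def expand(acl_line, objects, groups):
    """Expand one `access-list NAME extended ACTION PROTO SRC DST [PORTS]` line."""
    t = acl_line.split()
    name, action, proto = t[1], t[3], t[4]
    srcs, i = _addresses(t, 5, objects)
    dsts, i = _addresses(t, i, objects)
    ports, i = _ports(t, i, groups)
    prefix = "access-list " + name + " extended " + action + " " + proto
    return [prefix + " " + s + " " + d + p for s in srcs for d in dsts for p in ports]


def expand_all(text):
    """Map each configured access-list line to its expanded entries."""
    objects, groups, acls = parse_config(text)
    return {line: expand(line, objects, groups) for line in acls}


if __name__ == "__main__":
    for line, entries in expand_all(SAMPLE_CONFIG).items():
        print(line + "  (" + str(len(entries)) + " entries)")
        for e in entries:
            print("  " + e)
```

Run against a real `show running-config`, the entry counts per line are the numbers to compare with what you expected when you wrote the rule; a single permit that expands to hundreds of entries usually means an object-group has grown well beyond its original purpose.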