Adding Object Groups - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line
Chapter 16
Identifying Traffic with Access Lists
Note: The ACE system limit applies to expanded access lists. If you use object groups in ACEs, the number of
actual ACEs that you enter is fewer, but the number of expanded ACEs is the same as without object
groups. In many cases, object groups create more ACEs than if you added them manually, because
creating ACEs manually leads you to summarize addresses more than an object group does. To view the
number of expanded ACEs in an access list, enter the show access-list access_list_name command.

Adding Object Groups

This section describes how to add object groups.
This section includes the following topics:
Adding a Protocol Object Group, page 16-11
Adding a Network Object Group, page 16-12
Adding a Service Object Group, page 16-12
Adding an ICMP Type Object Group, page 16-13

Adding a Protocol Object Group
To add or change a protocol object group, follow these steps. After you add the group, you can add more
objects as required by following this procedure again for the same group name and specifying additional
objects. You do not need to reenter existing objects; the commands you already set remain in place unless
you remove them with the no form of the command.
To add a protocol group, follow these steps:
Step 1
To add a protocol group, enter the following command:
hostname(config)# object-group protocol grp_id
The grp_id is a text string up to 64 characters in length.
The prompt changes to protocol configuration mode.
Step 2
(Optional) To add a description, enter the following command:
hostname(config-protocol)# description text
The description can be up to 200 characters.
Step 3
To define the protocols in the group, enter the following command for each protocol:
hostname(config-protocol)# protocol-object protocol
The protocol is the numeric identifier of the specific IP protocol (1 to 254) or a keyword identifier (for
example, icmp, tcp, or udp). To include all IP protocols, use the keyword ip. For a list of protocols you
can specify, see the "Protocols and Applications" section on page D-11.
For example, to create a protocol group for TCP, UDP, and ICMP, enter the following commands:
hostname(config)# object-group protocol tcp_udp_icmp
hostname(config-protocol)# protocol-object tcp
hostname(config-protocol)# protocol-object udp
hostname(config-protocol)# protocol-object icmp

Simplifying Access Lists with Object Grouping
OL-10088-01
Cisco Security Appliance Command Line Configuration Guide
16-11
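The note above says that the ACE system limit counts expanded ACEs, not the lines you type, and that show access-list reports the expanded number. The following added Python example (not from the manual, and not the appliance's own logic) parses a constructed config containing a protocol object group like the one in the procedure, expands each ACE that references the group into one ACE per protocol, and reports the entered versus expanded counts per access list, so you can estimate how much of the limit a design will consume before you apply it.

```python
import re

# Constructed sample config in the format described on this page (not from the manual).
SAMPLE_CONFIG = """\
object-group protocol tcp_udp_icmp
 description TCP, UDP and ICMP for the outside interface
 protocol-object tcp
 protocol-object udp
 protocol-object icmp
access-list outside_in extended permit object-group tcp_udp_icmp any host 192.0.2.10
access-list outside_in extended deny ip any any
"""

# Extended ACE whose protocol field is either a literal protocol or an object-group reference.
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) extended (?P<action>permit|deny) "
    r"(?:object-group (?P<group>\S+)|(?P<proto>\S+)) (?P<rest>.*)")

def parse_protocol_groups(config):
    """Return {group_name: [protocol, ...]} for every object-group protocol block."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object-group protocol (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and line.startswith("protocol-object "):
            groups[current].append(line.split()[1])
        elif not line.startswith("description "):
            current = None  # any other top-level command leaves protocol configuration mode
    return groups

def expand_aces(config):
    """Expand object-group references into one ACE per member protocol."""
    groups = parse_protocol_groups(config)
    expanded = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        protos = groups[m["group"]] if m["group"] else [m["proto"]]
        for proto in protos:
            expanded.append(f"access-list {m['acl']} extended {m['action']} {proto} {m['rest']}")
    return expanded

def ace_counts(config):
    """{acl: (entered ACEs, expanded ACEs)}; the second number is what counts toward the limit."""
    counts = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            entered, exp = counts.get(m["acl"], (0, 0))
            counts[m["acl"]] = (entered + 1, exp)
    for ace in expand_aces(config):
        entered, exp = counts[ace.split()[1]]
        counts[ace.split()[1]] = (entered, exp + 1)
    return counts
```

For the sample config, two entered ACEs expand to four, matching what the appliance itself would report for the access list.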
