Adding Object Groups; Adding A Protocol Object Group; Adding A Network Object Group; Adding A Service Object Group - Cisco PIX 500 Series Configuration Manual

Security appliance command line
Simplifying Access Lists with Object Grouping
After creating these groups, you could use a single ACE to allow trusted hosts to make specific service
requests to a group of public servers.
You can also nest object groups in other object groups.
Note
The ACE system limit applies to expanded access lists. If you use object groups in ACEs, the number of
actual ACEs that you enter is fewer, but the number of expanded ACEs is the same as without object
groups. In many cases, object groups create more ACEs than if you added them manually, because
creating ACEs manually leads you to summarize addresses more than an object group does. To view the
number of expanded ACEs in an access list, enter the show access-list access_list_name command.
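The nesting rule and the ACE-expansion note above, as an added example that is not from the manual: a small Python script parses a constructed configuration (group names, addresses and ports are invented) holding a protocol group, a network group nested with group-object, and a tcp-udp service group, then expands one ACE into one entry per combination of group members, which is the figure show access-list reports. It assumes the appliance expands every object-group field of an ACE independently, as the Note describes.

```python
from itertools import product
# Constructed sample config (not from the manual): protocol, nested network and tcp-udp service groups, one ACE.
SAMPLE_CONFIG = """\
object-group protocol TCPUDP
 protocol-object tcp
 protocol-object udp
object-group network DMZ_WEB
 network-object 192.168.10.0 255.255.255.0
 network-object host 192.168.20.7
object-group network ALL_SERVERS
 group-object DMZ_WEB
 network-object host 192.168.30.9
object-group service WEB_PORTS tcp-udp
 port-object eq 80
 port-object eq 443
access-list INSIDE_IN extended permit object-group TCPUDP host 10.1.1.5 object-group ALL_SERVERS object-group WEB_PORTS
"""

def parse_groups(config):
    """Map each object-group name to its raw member lines (group-object lines included)."""
    groups, cur = {}, None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if line.startswith("object-group "):
            cur = line.split()[2]; groups[cur] = []
        elif cur and line.split()[0].endswith("-object"):  # protocol-, network-, port-, group-object
            groups[cur].append(line)
        elif not line.startswith("description"):
            cur = None  # any other top-level command ends the group
    return groups

def members(groups, name):
    """Flatten one group, following nested group-object references."""
    out = []
    for line in groups[name]:
        kind, value = line.split(" ", 1)
        out.extend(members(groups, value) if kind == "group-object" else [value])
    return out

def expand_ace(groups, ace):
    """Expand one ACE into the entries the appliance installs: the product of each object-group field's members."""
    tokens, fields = ace.split(), []
    while tokens:
        t = tokens.pop(0)
        fields.append(members(groups, tokens.pop(0)) if t == "object-group" else [t])
    return [" ".join(c) for c in product(*fields)]

def expanded_ace_count(config):
    """Total expanded ACEs, the figure 'show access-list' reports."""
    groups = parse_groups(config)
    return sum(len(expand_ace(groups, l.strip())) for l in config.splitlines() if l.strip().startswith("access-list "))
```

The single configured ACE expands to 2 protocols x 3 destinations x 2 ports, the same 12 entries you would have typed without object groups.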

Adding Object Groups

This section describes how to add object groups.
This section includes the following topics:
Adding a Protocol Object Group, page 16-12
Adding a Network Object Group, page 16-13
Adding a Service Object Group, page 16-13
Adding an ICMP Type Object Group, page 16-14

Adding a Protocol Object Group

To add or change a protocol object group, perform the following steps. After you add the group, you can
add more objects as required by following this procedure again for the same group name and specifying
additional objects. You do not need to reenter existing objects; the commands you already set remain in
place unless you remove them with the no form of the command.
To add a protocol group, perform the following steps:
Step 1
To add a protocol group, enter the following command:
hostname(config)# object-group protocol grp_id
The grp_id is a text string up to 64 characters in length.
The prompt changes to protocol configuration mode.
Step 2
(Optional) To add a description, enter the following command:
hostname(config-protocol)# description text
The description can be up to 200 characters.
Step 3
To define the protocols in the group, enter the following command for each protocol:
hostname(config-protocol)# protocol-object protocol
The protocol is the numeric identifier of the specific IP protocol (1 to 254) or a keyword identifier (for
example, icmp, tcp, or udp). To include all IP protocols, use the keyword ip. For a list of protocols you
can specify, see the "Protocols and Applications" section on page D-11.

Cisco Security Appliance Command Line Configuration Guide
Chapter 16 Identifying Traffic with Access Lists
16-12
OL-12172-03

This manual is also suitable for: ASA 5500 Series