Nesting object groups – Cisco ASA 5505 User Manual

Page 372


13-10

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 13 Configuring Objects

Configuring Objects and Groups

Nesting Object Groups

You can nest object groups hierarchically so that one object group contains other object groups of the
same type, and you can mix nested group objects and regular objects within an object group.
The ASA does not support IPv6 nested object groups, however, so you cannot group an object with IPv6
entities under another IPv6 object-group.

To nest an object group within another object group of the same type, first create the group that you want
to nest (see the “Configuring Object Groups” section on page 13-6), and then perform the steps in this
section.

Detailed Steps

Step 1

Command: object-group group {{protocol | network | icmp-type} grp_id | service grp_id {tcp | udp | tcp-udp}}

Example:
hostname(config)# object-group network Engineering_group

Purpose: Adds or edits the specified object group type under which you
want to nest another object group.

The service_grp_id is a text string up to 64 characters in length
and can be any combination of letters, digits, and the following
characters:

    underscore “_”
    dash “-”
    period “.”

Step 2

Command: group-object group_id

Example:
hostname(config-network)# group-object Engineering_groups

Purpose: Adds the specified group under the object group you specified in
Step 1. The nested group must be of the same type. You can mix
and match nested group objects and regular objects within an
object group.

Examples

Create network object groups for privileged users from various departments by entering the following
commands:

hostname(config)# object-group network eng
hostname(config-network)# network-object host 10.1.1.5
hostname(config-network)# network-object host 10.1.1.9
hostname(config-network)# network-object host 10.1.1.89

hostname(config)# object-group network hr
hostname(config-network)# network-object host 10.1.2.8
hostname(config-network)# network-object host 10.1.2.12

hostname(config)# object-group network finance
hostname(config-network)# network-object host 10.1.4.89
hostname(config-network)# network-object host 10.1.4.100

You then nest all three groups together as follows:

hostname(config)# object-group network admin
hostname(config-network)# group-object eng
hostname(config-network)# group-object hr
hostname(config-network)# group-object finance
