ASA supports the following object group types:
Network = matching on IPv4/IPv6 hosts or subnets.
Protocol = matching on Layer 3/Layer 4 IP protocols.
ICMP-Type = matching on ICMP types.
Service = matching on TCP/UDP ports. A service object group supports multiple sub-types: TCP, UDP, TCP-UDP, Generic (matching on a mixture of source or destination TCP/UDP ports).
ASA02-5510(config)# sh object-group
object-group network R2
 network-object host 150.1.22.22
 network-object 136.1.29.0 255.255.255.0
object-group network SUBNETS
 network-object 172.16.10.0 255.255.255.0
 network-object 136.1.19.0 255.255.255.0
object-group network R1-LOOPBACK1
 network-object 150.1.11.0 255.255.255.0
object-group service TELNET tcp
 port-object eq telnet
object-group service TFTP udp
 port-object eq tftp
object-group service OTHER-PORTS
 service-object tcp destination eq ftp
 service-object udp destination eq ntp
object-group network ALL
 group-object SUBNETS
 group-object R1-LOOPBACK1
ASA02-5510# sh run access-list
access-list VLAN29 extended permit tcp object-group R2 object-group ALL object-group TELNET
access-list VLAN29 extended permit udp object-group R2 object-group ALL object-group TFTP
access-list VLAN29 extended permit object-group OTHER-PORTS object-group R2 object-group ALL
access-group VLAN29_INBOUND in interface VLAN29
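
When auditing a rule base it helps to see what an object-group ACE actually permits once nested groups such as ALL are flattened. The following is an added example, not part of the original post: a small Python script that resolves group-object references and expands the first VLAN29 entry into individual entries. It handles only ACEs with a literal protocol (tcp/udp) followed by object-groups; the function names are assumptions made for this illustration.

```python
import itertools
# Object groups copied from the page's "sh object-group" output.
CONFIG = """\
object-group network R2
 network-object host 150.1.22.22
 network-object 136.1.29.0 255.255.255.0
object-group network SUBNETS
 network-object 172.16.10.0 255.255.255.0
 network-object 136.1.19.0 255.255.255.0
object-group network R1-LOOPBACK1
 network-object 150.1.11.0 255.255.255.0
object-group service TELNET tcp
 port-object eq telnet
object-group network ALL
 group-object SUBNETS
 group-object R1-LOOPBACK1
"""

def parse_groups(text):
    """Return {group name: [member lines]} from object-group config text."""
    groups, current = {}, None
    for line in text.splitlines():
        if line.startswith("object-group "):
            current = groups.setdefault(line.split()[2], [])
        elif line.strip() and current is not None:
            current.append(line.strip())
    return groups

def expand(name, groups, seen=()):
    """Flatten a group, following nested group-object references."""
    if name in seen:
        raise ValueError("object-group loop at " + name)
    if name not in groups:
        raise KeyError("undefined object-group " + name)
    out = []
    for member in groups[name]:
        kind, _, rest = member.partition(" ")
        if kind == "group-object":
            out += expand(rest, groups, seen + (name,))
        elif kind != "description":
            out.append(rest)
    return out

def expand_ace(ace, groups):
    """Expand an ACE with a literal protocol followed by object-groups."""
    words = ace.split()
    head = " ".join(words[:words.index("object-group")])
    names = [words[i + 1] for i, w in enumerate(words) if w == "object-group"]
    return [" ".join((head,) + c) for c in itertools.product(*(expand(n, groups) for n in names))]
```

Calling expand_ace() on the first VLAN29 line returns six entries: two sources in R2 times three destination subnets in ALL times one port in TELNET.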
object-group
  icmp-type  Specifies a group of ICMP types, such as echo
  network    Specifies a group of host or subnet IP addresses
  protocol   Specifies a group of protocols, such as TCP, etc
  service    Specifies a group of TCP/UDP ports/services
  user       Specifies single user, local or import user group

network-object-group
  description     Specify description text
  group-object    Configure an object group as an object
  help            Help for network object-group configuration commands
  network-object  Configure a network object
  no              Remove an object or description from object-group

network-object-group mode commands/options:
  Hostname or A.B.C.D  Enter an IPv4 network address
  X:X:X:X::X/<0-128>   Enter an IPv6 prefix
  host                 Enter this keyword to specify a single host object
  object               Enter this keyword to specify a network object

object-group service TELNET
  tcp      Specifies this object-group is for TCP protocol only
  tcp-udp  Specifies this object-group is for both TCP & UDP
  udp      Specifies this object-group is for UDP protocol only

service-object-group
  description   Specify description text
  group-object  Configure an object group as an object
  help          Help for service object-group configuration commands
  no            Remove an object or description from object-group
  port-object   Configure a port object

object-group service OTHER-PORTS
  description     Specify description text
  group-object    Configure an object group as an object
  help            Help for service object-group configuration commands
  no              Remove an object or description from object-group
  service-object  Configure a service object

service-object tcp
dual-service-object-group mode commands/options:
  destination  Keyword to specify destination
  source       Keyword to specify source

ASA02-5510(config-service-object-group)# service-object tcp eq 21
ASA02-5510(config-service-object-group)# service-object udp eq 123
Great information for which I was searching a lot but I found this on your website.
Please keep on sharing the same. So, I will be recommending for the same.