ASDM multiple network objects vs group for rules

I was just curious whether there are any performance benefits to using multiple network objects in multiple rules versus consolidating them into fewer rules by grouping them.
For example, I have about 10 lines of NAT exempt rules from the same source to multiple destinations. Is there anything to be gained by consolidating those into a single rule using an object group for the multiple destinations, aside from cleaning up the clutter in ASDM?
Thanks

Hello Tony,
Of course, it will be better, because the processing the ASA has to do to determine which rule to match would be reduced; it would also take less space in the configuration file (memory). Those are some of the pros of creating groups for particular rules.
Sometimes a huge configuration file can increase CPU usage, etc., so it is better to keep it as small and organized as possible.
Please rate helpful posts.
Regards,
Julio
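Consolidating ten exemptions by hand is error-prone, so here is an added Python example (not from this thread and not a Cisco tool) that rewrites runs of adjacent NAT-exempt rules (identity twice NAT, real equals mapped on both sides) with the same interface pair, source object and options into one rule whose destination is an object-group. The sample configuration, the object names and the group naming scheme (SRC-EXEMPT-n) are constructed for the example. It deliberately merges only rules that are adjacent in the configuration, because manual NAT rules are evaluated in order and the first match wins: a translating rule or a rule with different options sitting between two exemptions ends the run and is left untouched, which is the check to make before consolidating on a live firewall.

```python
import re

# Matches a twice-NAT rule with a source and a destination clause (constructed subset of the syntax).
NAT_RE = re.compile(
    r"^nat \((?P<ifaces>[^)]+)\) source static (?P<src>\S+) (?P<src_m>\S+) "
    r"destination static (?P<dst>\S+) (?P<dst_m>\S+)(?P<opts>(?: \S+)*)$"
)

# Constructed sample: three exemptions from LAN, a translating rule sitting between two of
# them, an exemption on a different interface pair and an ordinary dynamic PAT rule.
SAMPLE_CONFIG = """\
object network LAN
 subnet 10.1.0.0 255.255.0.0
object network LAN-PUBLIC
 host 203.0.113.10
object network VPN-SITE-A
 subnet 192.168.10.0 255.255.255.0
object network VPN-SITE-B
 subnet 192.168.20.0 255.255.255.0
object network VPN-SITE-C
 subnet 192.168.30.0 255.255.255.0
object network PARTNER
 subnet 198.51.100.0 255.255.255.0
object network DMZ-HOST
 host 172.16.5.10
nat (inside,outside) source static LAN LAN destination static VPN-SITE-A VPN-SITE-A no-proxy-arp route-lookup
nat (inside,outside) source static LAN LAN destination static VPN-SITE-B VPN-SITE-B no-proxy-arp route-lookup
nat (inside,outside) source static LAN LAN-PUBLIC destination static PARTNER PARTNER
nat (inside,outside) source static LAN LAN destination static VPN-SITE-C VPN-SITE-C no-proxy-arp route-lookup
nat (inside,dmz) source static LAN LAN destination static DMZ-HOST DMZ-HOST
nat (inside,outside) source dynamic LAN LAN-PUBLIC
"""


def parse_exempt(line):
    """Return the parts of an identity twice-NAT rule (real == mapped on both sides), else None."""
    m = NAT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    if d["src"] != d["src_m"] or d["dst"] != d["dst_m"]:
        return None                      # translates something: not an exemption, never merged
    d["line"] = line
    return d


def consolidate(config_text, group_suffix="EXEMPT"):
    """Rewrite runs of ADJACENT exemptions sharing (interfaces, source, options) into one rule
    with an object-group of destinations. Adjacency matters: manual NAT is first-match in
    configuration order, so merging across an intervening rule could change which rule wins."""
    runs = []                            # ("raw", line) or ("run", [rules], key)
    for line in config_text.splitlines():
        d = parse_exempt(line)
        if d is None:
            runs.append(("raw", line))
            continue
        key = (d["ifaces"], d["src"], d["opts"])
        if runs and runs[-1][0] == "run" and runs[-1][2] == key:
            runs[-1][1].append(d)
        else:
            runs.append(("run", [d], key))

    out, counter = [], 0
    for item in runs:
        if item[0] == "raw":
            out.append(item[1])
            continue
        rules, (ifaces, src, opts) = item[1], item[2]
        if len(rules) == 1:              # nothing to gain from a one-member group
            out.append(rules[0]["line"])
            continue
        counter += 1
        name = f"{src}-{group_suffix}-{counter}"      # hypothetical naming scheme
        out.append(f"object-group network {name}")    # group must exist before the nat line uses it
        out.extend(f" network-object object {r['dst']}" for r in rules)
        out.append(f"nat ({ifaces}) source static {src} {src} "
                   f"destination static {name} {name}{opts}")
    return out


def nat_rule_count(lines):
    return sum(1 for l in lines if l.startswith("nat "))


if __name__ == "__main__":
    before = SAMPLE_CONFIG.splitlines()
    after = consolidate(SAMPLE_CONFIG)
    print(f"nat rules: {nat_rule_count(before)} -> {nat_rule_count(after)}")
    print("\n".join(after))
```

On the sample, only VPN-SITE-A and VPN-SITE-B are folded into a group; VPN-SITE-C stays a separate rule because the PARTNER translation sits between them. If that translating rule does not overlap the exempted traffic you can move it and re-run, but that is a decision for the person who owns the policy, not for the script.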

Similar Messages

  • Multiple Network Object pointing to same IP address

    I have what I hope is not a unique problem. I have two ISPs and I want to be able to use failover between the two ISPs. The problem I cannot seem to overcome is that I want to be able to have outside email come in and connect to the same server. If I put the config below into my ASA, it returns an error that I cannot have two network objects pointing to the same IP.
    Is there a way around this?
    I'm running v9.1 on my ASA.
    object network mail-server
    host 192.168.1.10
    object network mail-server2
    host 192.168.1.10

    This might be a problem with the code; you could do that with previous code versions.
    You can use the same object multiple times and it will work just as if you had two of them.
    The following would be a workaround for that issue, but it has to be a problem with the code:
    object network mail-server
    host 192.168.1.10
    object service MAIL
    service tcp destination eq 25
    nat (inside,outside) source static mail-server mail-server service MAIL MAIL
    nat (inside,outside1) source static mail-server mail-server service MAIL MAIL

  • ASA 5520: Create Network Object for range of hosts?

    Hi,
    I'm new to Cisco Firewalling. I'm migrating our network objects from our current firewall to a new ASA 5520 configuration. I'm using ASDM 6.4 for configuration.
    We have a range of IP addresses for hosts that we need to add to a firewall rule/ACL. In the previous FW software I could create an object that was a range of IP address. For example there is an object called emailservers that is defined as 192.168.2.25-192.168.2.50.
    Is there a way to do a similar thing on the ASA 5520?
    I can see how to create subnets, but in this case I only have a range of IP addresses, no subnet mask.
    Any help greatly appreciated.

    Sure there is,
    hostname(config)# object network TEST2
    hostname(config-network-object)# range  10.1.2.1 10.1.2.70
    No need for subnet masks; this will be an object network, not an object-group of type network. In 8.3 they are a lot different.
    http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html
    Check this doc for reference.
    Cheers,
    Mike

  • Migrate network object group members; risk

    We upgraded to new 5555 hardware and jumped from 8.2 to 9.1 last year. Our objects listing is now a bit messy. I have never run the "Migrate Network Object Group Members" menu option in ASDM. I see what it is going to do; I am not sure it really helps me clean old objects, and it seems low risk, but when I walk up to execution there are a lot of changes it wants to make. We always save backup configurations, but if there are "gotchas" I don't want to put the company in that position. What has been the community's and Cisco's experience? Thanks for any feedback. jc

    John,
    If you feel that is risky, you can always go for plan B:
    - Take a closer look at the object groups and decide on a new object naming convention policy.
    - From ASDM or CSM you can see overlapped or duplicate rules, so you can start by reducing them.
    - You can see the same services used in a couple of rules with different service groups, like:
        object-group service WEB-PORTS tcp
         port-object eq http
         port-object eq https
        object-group service APPLICATION-PORTS tcp
         port-object eq http
         port-object eq https
        object-group service APPS-PORT tcp
         port-object eq www
         port-object eq https
    - You can replace all these different object-groups with one object group, like WEB-PORTS.
    - The same way, you can do the exercise for network groups as well.
    hope this helps.
    JD...

  • Object-group with network-object containing an IP address range

    Hello,
    Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':
    object-group network test
    network-object 192.168.0.0 192.168.63.255
    network-object-group mode commands/options:
      A.B.C.D  Enter an IPv4 network mask
    sh run ob id test
    object-group network test
    network-object 192.168.0.0 192.168.63.255
    I found that in the documentation it requires a netmask as opposed to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug, how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range, it looks like the ASA doesn't read that configuration properly. Thank you.
    -John

    Hello,
    Thank you for your replies. In code version 8.0(5)23, it appears I am able to define a "range" of IP addresses as in:
    192.168.0.0 192.168.63.255 as opposed to defining a range with a netmask like 192.168.0.0 255.255.192.0.
    With the "range" of IP address applied to the "object-group network test" with sub command "network-object 192.168.0.0 192.168.63.255" the ASA does not pick up on said "range" when this object group is applied to a DENY access list. It only reads it properly when the netmask is attached, which is the correct configuration, as in: "network-object 192.168.0.0 255.255.192.0".
    To clarify, I mean range as in 192.168.0.0 - 192.168.63.255.
    Hope this helps to understand. I am just curious as to why this is even able to be applied in such a way or if it is a bug in this particular code version? I can also confirm that this can be done in code version 8.4(2). See below snippets of my configuration in the 8.4(2) code version:
    access-list 101 line 3 extended deny ip object-group testmask any 0x577f55a8
      access-list 101 line 3 extended deny ip 192.168.0.0 192.168.63.255 any (hitcnt=0) 0x0623b0c4
    access-list 101 line 4 extended permit tcp any any eq 89 (hitcnt=1) 0x36f1e5cd
    Packet trace results in allowing the "range" of IP address:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: dmztest
    output-status: up
    output-line-status: up
    Action: allow
    Now with the "correct" configuration:
    access-list 101 line 3 extended deny ip object-group testmask any 0x577f55a8
      access-list 101 line 3 extended deny ip 192.168.0.0 255.255.192.0 any (hitcnt=1) 0xa31c6bbd
    access-list 101 line 4 extended permit tcp any any eq 89 (hitcnt=1) 0x36f1e5cd
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: dmztest
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    Thank you.
    -John

  • Easy way to detect unused network objects/groups on ASA

    Hello,
    I find that every 6-12 months I will log on to the ASDM, go to the Network Objects/Groups section and spend ages right-clicking on each object to see if it is still being used, and if it isn't I then delete it. It can take a long time as our config is large; are there any better ways of keeping the ASA up to date?
    Thanks

    Hello,
    I know that this is a very old post; however, starting in ASDM 7.1(3), there is a "Not Used" button in the app. Click it and it will provide you with a list of objects/groups that are not being used in ACLs. You can then choose which objects to delete (they're all checked by default).
    As of 7.1(4), however, there is no such feature for protocols/protocol groups.
    Hopefully this helps someone - I know that it saved me a lot of time in a few firewall migration projects!
    Rob.
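The three clean-up problems raised in these threads (JD's duplicate service groups under different names, John's network-object whose second value is a range end rather than a netmask, and the objects nobody references any more that Rob uses the "Not Used" button for) are all visible in a copy of the running configuration, so here is an added Python lint script, not part of the thread and not a Cisco tool, that checks all three offline. The configuration text, the object names and the small port-name table are constructed for the example. Reference detection is deliberately simple (any defined name appearing as a token in an access-list or nat line, or nested inside another group, counts as a use), so treat its output as a review list rather than something to apply blindly.

```python
import re
from ipaddress import IPv4Address

DEF_RE = re.compile(r"^(object|object-group) (network|service) (\S+)")
# Constructed port-name table: the ASA shows TCP/80 as either 'www' or 'http'.
PORT_NAMES = {"www": "80", "http": "80", "https": "443"}

# Constructed running-config excerpt built from the three threads above.
SAMPLE_CONFIG = """\
object network MAIL-SERVER
 host 192.168.1.10
object network OLD-PRINTER
 host 192.168.1.50
object-group service WEB-PORTS tcp
 port-object eq http
 port-object eq https
object-group service APPLICATION-PORTS tcp
 port-object eq http
 port-object eq https
object-group service APPS-PORT tcp
 port-object eq www
 port-object eq https
object-group network test
 network-object 192.168.0.0 192.168.63.255
object-group network testmask
 network-object 192.168.0.0 255.255.192.0
object-group network SERVERS
 network-object object MAIL-SERVER
access-list OUTSIDE-IN extended permit tcp any object-group SERVERS object-group WEB-PORTS
access-list OUTSIDE-IN extended deny ip object-group testmask any
nat (inside,outside) source static MAIL-SERVER MAIL-SERVER
"""


def is_contiguous_mask(dotted):
    """True if dotted is a valid netmask (ones followed by zeros, e.g. 255.255.192.0)."""
    try:
        value = int(IPv4Address(dotted))
    except ValueError:
        return False
    inverted = ~value & 0xFFFFFFFF        # a mask's complement must be 2**k - 1
    return inverted & (inverted + 1) == 0


def parse_config(text):
    """Return (defs, refs). defs: name -> {'kind', 'type', 'members'}; refs: names used by
    access-list/nat lines or nested inside another group."""
    defs, rule_lines, refs, current = {}, [], set(), None
    for line in text.splitlines():
        m = DEF_RE.match(line)
        if m:
            current = m.group(3)
            defs[current] = {"kind": m.group(1), "type": m.group(2), "members": []}
        elif line.startswith(" ") and current:
            member = line.strip()
            defs[current]["members"].append(member)
            tokens = member.split()
            if tokens[0] == "group-object" or tokens[:2] == ["network-object", "object"]:
                refs.add(tokens[-1])      # nested reference counts as a use
        else:
            current = None
            if line.startswith(("access-list ", "nat ")):
                rule_lines.append(line)
    # Simplification: a defined name appearing as a token in a rule line is a use.
    for line in rule_lines:
        refs.update(tok for tok in line.split() if tok in defs)
    return defs, refs


def unused_names(defs, refs):
    return sorted(name for name in defs if name not in refs)


def duplicate_groups(defs):
    """Object-groups of the same type with identical member sets (after port-name normalisation)."""
    by_members = {}
    for name, d in defs.items():
        if d["kind"] != "object-group":
            continue
        normalised = frozenset(" ".join(PORT_NAMES.get(t, t) for t in m.split()) for m in d["members"])
        by_members.setdefault((d["type"], normalised), []).append(name)
    return [sorted(names) for names in by_members.values() if len(names) > 1]


def bad_masks(defs):
    """network-object entries whose second value is not a contiguous netmask."""
    findings = []
    for name, d in defs.items():
        for member in d["members"]:
            t = member.split()
            if t[0] == "network-object" and len(t) == 3 and t[1] not in ("host", "object"):
                if not is_contiguous_mask(t[2]):
                    findings.append((name, member))
    return findings


def lint(text):
    defs, refs = parse_config(text)
    return {"unused": unused_names(defs, refs),
            "duplicates": duplicate_groups(defs),
            "bad_masks": bad_masks(defs)}


if __name__ == "__main__":
    for key, value in lint(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

The mask check is the one to keep even if you use ASDM for the rest: a second value that is not a run of ones followed by zeros is accepted by the CLI on the versions John tested, but it is not the range the author meant, and an ACL built on it will not deny what it looks like it denies.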

  • Running one rmiregistry for multiple remote object servers

    Hi,
    I can't find a clear answer for this situation. I want multiple object servers (running in separate JVMs) to share one rmiregistry placed on a dedicated server. The servers are on the same network (no firewall at all). If this feature is covered, could you give me an example or a link that describes the source code?
    Thank you very much for your answers.
    Manuel

    Thanks again for your help, and sorry for my weak English.
    I've tried to bind some remote objects from distinct 'physical' hosts (computers) to a dedicated registry located on another host.
    To summarise: I want to use one unique registry for multiple remote object hosts.
    EJP, you posted: But they must all be running on the same host as the Registry.
    After reading the official RMI tutorial again, I found:
    For security reasons, an application can only bind, unbind, or rebind remote object references with a registry running on the same host. This restriction prevents a remote client from removing or overwriting any of the entries in a server's registry. A lookup, however, can be requested from any host, local or remote.
    This confirms that what I wanted to do was not possible.
    To work around this limitation, do you think it's possible to write a remote object located on the registry host that exposes a method used by other hosts to register their remote objects? Something like this:
    // Interface (one file per public class; imports added for completeness)
    import java.rmi.Remote;
    import java.rmi.RemoteException;

    public interface recordFromHost extends Remote {
        int recordObject(String name, Remote obj) throws RemoteException;
    }

    // Implementation of interface
    import java.rmi.Remote;
    import java.rmi.RemoteException;
    import java.rmi.registry.LocateRegistry;
    import java.rmi.registry.Registry;
    import java.rmi.server.UnicastRemoteObject;

    public class recordFromHostImpl extends UnicastRemoteObject implements recordFromHost {
        public recordFromHostImpl() throws RemoteException {
            super();
        }

        public int recordObject(String name, Remote obj) {
            int ret = 0;
            try {
                // Registry on this host: binding from the same host is permitted
                Registry registry = LocateRegistry.getRegistry();
                registry.bind(name, obj);
            } catch (Exception e) {
                System.err.println("recordObject exception:");
                e.printStackTrace();
                ret = -1;
            }
            return ret;
        }
    }

    // Server code on registry host
    import java.rmi.RemoteException;
    import java.rmi.registry.LocateRegistry;
    import java.rmi.registry.Registry;

    public class Serveur {
        public static void main(String args[]) {
            // Security manager
            if (System.getSecurityManager() == null) {
                System.setSecurityManager(new SecurityManager());
            }
            // Start of registry
            try {
                LocateRegistry.createRegistry(1099);
            } catch (RemoteException e) {
                System.exit(1);
            }
            // Bind the registration object in the local registry
            try {
                String name = "recordFromHost";
                recordFromHost myObj = new recordFromHostImpl();
                Registry registry = LocateRegistry.getRegistry();
                registry.bind(name, myObj);
            } catch (Exception e) {
                System.err.println("bind exception:");
                e.printStackTrace();
            }
        }
    }

    // Code used from a server host to register its remote object in the distant registry
    Registry registry = LocateRegistry.getRegistry("<registry host address>"); // placeholder, as in the original
    recordFromHost myRecord = (recordFromHost) registry.lookup("recordFromHost");
    // Create local remote object to register (remoteObject: interface, remoteObjectImpl: implementation)
    remoteObject myRemoteObject = new remoteObjectImpl();
    // register myRemoteObject
    myRecord.recordObject("myRemoteObject", myRemoteObject);
    ...Finally, a client that wants to use myRemoteObject asks the registry for this object and uses it without limitation: the remote object host will not be the registry host.
    I hope that you understand what I mean :-)
    Manuel

  • Adding responsibility objects for the Notification Groups for a PA

    Hi Gurus,
    I am supposed to add responsibility objects for the notification groups for a PA. Could you please confirm the steps I am planning to follow:
    1. Find out the workflow.
    2. Add the responsibility objects (where can I add those: in the workflow or in Org Management?).
    3. Edit the rule to point to that PA.
    I am new to workflows. Points are assured for the help.

    Just write your own composite Icon class:
    import java.awt.Component;
    import java.awt.Graphics;
    import javax.swing.Icon;

    public class CompositeIcon implements Icon {
        private Icon icon1;
        private Icon icon2;

        public CompositeIcon(Icon icon1, Icon icon2) {
            this.icon1 = icon1;
            this.icon2 = icon2;
        }

        public int getIconHeight() {
            return Math.max(icon1.getIconHeight(), icon2.getIconHeight());
        }

        public int getIconWidth() {
            return icon1.getIconWidth() + icon2.getIconWidth();
        }

        public void paintIcon(Component c, Graphics g, int x, int y) {
            // Paint the second icon immediately to the right of the first
            icon1.paintIcon(c, g, x, y);
            icon2.paintIcon(c, g, x + icon1.getIconWidth(), y);
        }
    }
    Hopefully a slightly more reusable solution. You could write all sorts of different layouts in this way.
    Hope this helps.

  • Querying for a script insert multiple selected objects...

    Is there a script or plugin which inserts multiple selected objects into one new text frame with one click?
    And is there a script or plugin which extracts the content of an anchored text frame out of its frame and replaces the frame with it, and which extracts selected text and inserts it inside a new anchored text frame in its place? (Like convert text to table / convert table to text, but with a text frame instead of a table.)

    Hi,
    Using OMB scripting to set attribute properties in a data mapping sort of defeats the purpose of utilizing a graphical user interface to define and set properties for a data mapping? Surely the GUI data mapping tool was created to get away from writing scripts and scripting would also require that you know the name of the data mapping, table operator and the set of attribute names for which you have to write one line of script to set each property value, i.e. 90 lines to set 90 attribute values.
    Cheers,
    Phil

  • Best practice for linking fields from multiple entity objects

    I am currently transitioning from PHP to ADF. I'm looking for the best practice for linking data from multiple entity objects.
    Example:
    EO 'REQUESTS' has fields: req_id, name, dt, his_stat_id, her_stat_id
    EO 'STATUSES' has fields: stat_id, short_txt_descr
    'REQUESTS' is linked to EO 'STATUSES' on: STATUSES.stat_id = REQUESTS.his_status_id
    'REQUESTS' is also linked to EO 'STATUSES' on: STATUSES.stat_id = REQUESTS.her_status_id
    REQUESTS.his_status_id is independent of REQUESTS.her_status_id
    When I create a VO for REQUESTS, I want to display: REQUESTS.name, REQUESTS.dt, STATUSES.short_txt_descr (for his_stat_id), STATUS.short_txt_descr (for her_stat_id)
    What is the best practice for accomplishing this? It appears I could do it a few different ways:
    1. Create the REQUESTS VO with a LOV for his_stat_id and her_stat_id
    2. Create the REQUESTS VO with the join to STATUSES performed within the query for the VO. This would require joining on the STATUSES EO twice (his_stat_id, her_stat_id)
    3. I just started reading about View Links - would that somehow do what I'm looking for?
    I also need to be able to update his_status_id and her_status_id by selecting a STATUSES.short_txt_descr from a dropdown.
    Any suggestions on how to approach such a stupidly simple task?
    Using jDeveloper 11.1.2.2.0 if that makes a difference in the solution.
    Thanks ahead of time,
    CJ

    CJ,
    I vote for solution 1 as it's just your use case. As you said, you want to update his_status_id and her_status_id by selecting a STATUSES.short_txt_descr from a drop down. This is exactly the LOV solution.
    ViewLinks are used for master-detail navigation (which you don't do here), and joining the data makes it difficult to update (and you still need a LOV for the drop down box).
    Timo

  • E-mail group for multiple contacts

    I want to create an e-mail group for multiple contacts so I only need to select the group and then send an e-mail to all the contacts in that group. How do I create a distribution group in iCloud from my Outlook Address Book?

    Hi,
    Yes, when logon to ePrint Center, at the top frame, left hand side, there is a place you can +Add Printer. Click to this and follow the instructions.
    Regards.
    BH

  • How do I make groups for texting multiple people at a time and retain that group for future use?

    How do I make groups, in Contacts, for texting multiple people at a time and retain that group for future use?

  • Global BusObj Network - new SIG (interest group) for DI/DS, MM, etc.

    The Global BusinessObjects Network is pleased to announce a new Special Interest Group for Data Management, which includes the DI/DS products. We'll be offering a variety of newsletters, webcasts and conference calls, and content at the annual conference.   For example, we have an upcoming webcast on New Features in DS 3.x, being presented in April.
    For general information about GBN SIGs, please see:
    http://www.gogbn.org/irj/portal/special_interest_groups
    I'd encourage you to create an account on the GBN site, go to the GBN Data Management SIG page, and click on the "Join SIG" now to get started. 
    Also, we're conducting a survey to see what content is of interest, and to understand your product usage. Please fill out the survey at:
    http://ws.asug.com/ss/wsb.dll/5/GBNDMSIGSurvey.htm
    And lastly, we just published our (first) newsletter, which you can read here:
    http://www.gogbn.org/irj/servlet/prt/portal/prtroot/docs/guid/d0908395-aafa-2b10-8e9b-a906e9741e29

  • How to make a group for selectd Object javascript

    How to make a group for selectd Object javascript

    There is currently no native way to email groups from iPad.
    The only way to do this is if your recipients are already members of a distribution group controlled elsewhere, such as a Google Group or an Exchange organisation; then you can email the distribution group address, which will in turn forward to the individual email addresses of the members.
    Does it have to be email as currently you would have to add each recipient to the email manually.
    iOS to my knowledge doesn't support contact groups in context other than organisation.

  • ISE: create rules with AD groups for Users and Computers

    Hello,
    We've just begun to work with ISE.
    Is it the good place to post on ISE, or there is a dedicated forum in another place?
    We'd like to create some rules depending on computer group membership AND user group membership from AD, but we are meeting some difficulties.
    We've created AD groups for computers and users depending on their department:
    Users_1
    Users_2
    Computers_1
    Computers_2
    When we create some basic rules regarding one group only:
    - with a group Computers_x to assign a specific VLAN to a computer (when no Windows session is open), it runs correctly.
    - with a group Users_x to assign a specific VLAN to a user (when a Windows session is open), it runs correctly.
    But when we create a rule regarding a group from Computers and one from Users, to assign a specific VLAN to a user on a specific computer, this rule is not applied.
    Is it possible to use ISE in this way?
    Thanks for help.
    Regards,
    Chris

    Enable EAP Chaining if you want Cisco ISE to allow authentication of both machine and user in the same EAP-FAST authentication.
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_80_eapchaining_deployment.pdf
