network Object Type
The network object type is used to group hosts and subnets. Server and client hosts can be
grouped by functions. For example, mail servers, web servers, or a group of client hosts that
have special privileges on the network can be grouped accordingly.
Example 7-5 shows a web servers object group.
Example 7-5 Configuring an Object Group
pixfirewall(config)#object-group network web-servers
pixfirewall(config-network)#description Public web servers
pixfirewall(config-network)#network-object host 192.168.1.12
pixfirewall(config-network)#network-object host 192.168.1.14
pixfirewall(config-network)#exit
pixfirewall(config)#access-list 102 permit tcp any object-group web-servers eq www
pixfirewall(config)#access-group 102 in interface outside
Notice that when you enter the object-group command, the system enters the appropriate
subcommand mode for the type of object you are configuring. In this case, you see the
config-network subcommand prompt. The network-object host subcommand adds the host to the
network object group. The description is optional, but it is helpful to include it.
NOTE It is also possible to use a name instead of an IP address when defining the
network host. For example:
pixfw(config)# object-group network mis-ftp-servers
pixfw(config-network)#network-object host 10.10.100.154
pixfw(config-network)#network-object host 10.10.100.155
pixfw(config-network)#network-object host 10.10.100.156
pixfw(config-network)#exit
To display the configured object group, use the show object-group command, as shown in
Example 7-6.
Example 7-6 Displaying Configured Object Groups
pix(config)# show object-group
object-group network web-servers
description: Public web servers
network-object host 192.168.1.12
network-object host 192.168.1.14
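When reviewing a rule base, it helps to see which concrete hosts an access list that references an object group actually covers. The following Python sketch is an added example, not part of the original text: it expands the access-list line of Example 7-5 into one entry per group member. The function names and the sample string are constructed for illustration, and only network-object members of network object groups are handled.

```python
import re

# Constructed sample: the commands of Example 7-5 with the CLI prompts removed.
SAMPLE_CONFIG = """\
object-group network web-servers
 description Public web servers
 network-object host 192.168.1.12
 network-object host 192.168.1.14
access-list 102 permit tcp any object-group web-servers eq www
access-group 102 in interface outside
"""

def parse_network_groups(config):
    """Return {group name: [member spec, ...]} for each object-group network block."""
    groups, current = {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif current is not None and line.startswith("network-object "):
            current.append(line[len("network-object "):])  # e.g. "host 192.168.1.12"
        elif not line.startswith("description "):
            current = None  # any other command leaves the subcommand mode
    return groups

def expand_acl(config):
    """Rewrite every access-list line as the concrete entries it stands for."""
    groups = parse_network_groups(config)
    expanded = []
    for line in map(str.strip, config.splitlines()):
        if not line.startswith("access-list "):
            continue
        entries = [line]
        for name, members in groups.items():
            ref = re.compile(r"object-group " + re.escape(name) + r"(?=\s|$)")
            while any(ref.search(e) for e in entries):
                nxt = []
                for e in entries:
                    if ref.search(e):  # one copy of the entry per group member
                        nxt += [ref.sub(lambda _: spec, e, count=1) for spec in members]
                    else:
                        nxt.append(e)
                entries = nxt
        expanded.extend(entries)
    return expanded

if __name__ == "__main__":
    print("\n".join(expand_acl(SAMPLE_CONFIG)))
```

Adding a host to the group adds a permitted destination to every access list that references it, so the expanded view is the one to check against the intended policy.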