20-2
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 20 Configuring Objects
Configuring Network Objects and Groups
Network Object Overview
A network object can contain a host, a network IP address, or a range of IP addresses, and it can also
enable NAT rules. (See Chapter 33, “Configuring Network Object NAT (ASA 8.3 and Later),” for more
information.)
Network objects let you predefine host and network IP addresses so that you can streamline subsequent
configurations. For example, when you configure a security policy, such as an access rule or an AAA rule,
you can choose these predefined addresses instead of typing them in manually. Moreover, if you change
the definition of an object, the change is inherited automatically by any rules that use the altered object.
You can add network objects manually, or you can let ASDM automatically create objects from existing
configurations, such as access rules and AAA rules. If you edit one of these derived objects, it persists
even if you later delete the rule that used it. Otherwise, derived objects only reflect the current
configuration if you refresh.
A network object group contains multiple hosts and networks together; a network object group can also
contain other network object groups. You can specify a network object group as the source address or
destination address in an access rule.
When you are configuring rules, the ASDM window includes an Addresses side pane that shows
available network objects and network object groups; you can add, edit, or delete objects directly in the
Addresses pane. You can also drag additional network objects and groups from the Addresses pane to
the source or destination of a selected access rule.
Also, you can create a named object within a network object group, which provides the ability to modify
an object in one place and have it be reflected in all other places that are referencing it. Otherwise,
modifying an object requires a manual process of changing all IP address and mask pairs in the
configuration. In addition, you can attach a named object to (or detach it from) one or more object groups
to ensure that objects are not duplicated but are used efficiently. The object can then be re-used and
cannot be deleted if other modules are still referencing it.
Configuring a Network Object
For information about network objects, see the “Network Object Overview” section on page 20-2.
To add or edit a network object, perform the following steps:
Step 1 Choose Configuration > Firewall > Objects > Network Objects/Group.
Step 2 Click Add, and choose Network Object to add a new object, or choose an existing object to edit, and
click Edit.
You can also add or edit network objects from the Addresses side pane in a rules window or when you
are adding a rule.
To find an object in the list, enter a name or IP address in the Filter field, and click Filter. The wildcard
characters asterisk (*) and question mark (?) are allowed.
The Add/Edit Network Object dialog box appears.
Step 3 Fill in the following values:
Name—The object name. Use characters a to z, A to Z, 0 to 9, a period, a dash, a comma, or an
underscore. The name must contain 64 characters or fewer.
Type—Either Network, Host, or Range.
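The following Python model is an added example, not part of the Cisco guide or of ASDM. It encodes the rules stated above: the object-name character set and 64-character limit, the three object types (Host, Network, Range), groups that may contain objects or other groups, and the rule that a named object still referenced by a group or an access rule cannot be deleted. The `cli()` methods render what I assume is the equivalent ASA 8.3+ CLI (`object network`, `host`, `subnet`, `range`, `object-group network`, `network-object object`, `group-object`); the guide shows only the ASDM dialog, so confirm that syntax against your release's command reference. All object names, addresses and the rule name are constructed sample values.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Naming rule from the Add/Edit Network Object dialog: a-z, A-Z, 0-9,
# period, dash, comma or underscore, and no more than 64 characters.
NAME_RE = re.compile(r"[A-Za-z0-9._,-]{1,64}")


def valid_object_name(name: str) -> bool:
    """True when `name` satisfies the documented object-name rule."""
    return NAME_RE.fullmatch(name) is not None


@dataclass
class NetworkObject:
    """One network object of type Host, Network or Range."""
    name: str
    kind: str    # "Host", "Network" or "Range"
    value: str   # "10.1.1.5", "10.1.0.0/16" or "10.1.1.10-10.1.1.20" (constructed formats)

    def __post_init__(self) -> None:
        if not valid_object_name(self.name):
            raise ValueError(f"invalid object name: {self.name!r}")
        if self.kind == "Host":
            ipaddress.ip_address(self.value)
        elif self.kind == "Network":
            ipaddress.ip_network(self.value, strict=True)
        elif self.kind == "Range":
            lo, hi = (ipaddress.ip_address(p) for p in self.value.split("-"))
            if hi < lo:
                raise ValueError(f"range end precedes start: {self.value}")
        else:
            raise ValueError(f"unknown object type: {self.kind}")

    def cli(self) -> list[str]:
        # Assumed ASA 8.3+ CLI equivalent of the ASDM dialog (not from the guide).
        lines = [f"object network {self.name}"]
        if self.kind == "Host":
            lines.append(f" host {self.value}")
        elif self.kind == "Network":
            net = ipaddress.ip_network(self.value)
            lines.append(f" subnet {net.network_address} {net.netmask}")
        else:
            lo, hi = self.value.split("-")
            lines.append(f" range {lo} {hi}")
        return lines


@dataclass
class NetworkObjectGroup:
    """A group whose members are object names or other group names."""
    name: str
    members: list[str] = field(default_factory=list)


class ObjectStore:
    """Objects, groups and the access rules that reference them by name."""

    def __init__(self) -> None:
        self.objects: dict[str, NetworkObject] = {}
        self.groups: dict[str, NetworkObjectGroup] = {}
        self.rules: dict[str, tuple[str, str]] = {}   # rule name -> (source, destination)

    def _known(self, name: str) -> bool:
        return name in self.objects or name in self.groups

    def add_object(self, obj: NetworkObject) -> None:
        if self._known(obj.name):
            raise ValueError(f"duplicate name: {obj.name}")
        self.objects[obj.name] = obj

    def add_group(self, grp: NetworkObjectGroup) -> None:
        # Members must already exist, so a group can never contain itself.
        if not valid_object_name(grp.name) or self._known(grp.name):
            raise ValueError(f"bad or duplicate group name: {grp.name}")
        for m in grp.members:
            if not self._known(m):
                raise ValueError(f"group {grp.name} references unknown member {m}")
        self.groups[grp.name] = grp

    def add_rule(self, rule: str, source: str, dest: str) -> None:
        for ref in (source, dest):
            if not self._known(ref):
                raise ValueError(f"rule {rule} references unknown object {ref}")
        self.rules[rule] = (source, dest)

    def referenced_by(self, name: str) -> list[str]:
        """Groups and rules that still reference `name`."""
        refs = [g.name for g in self.groups.values() if name in g.members]
        refs += [r for r, ends in self.rules.items() if name in ends]
        return refs

    def delete(self, name: str) -> None:
        # Documented behaviour: an object still referenced elsewhere cannot be deleted.
        refs = self.referenced_by(name)
        if refs:
            raise ValueError(f"{name} is still referenced by {', '.join(refs)}")
        if name in self.objects:
            del self.objects[name]
        else:
            del self.groups[name]

    def cli(self) -> list[str]:
        lines: list[str] = []
        for obj in self.objects.values():
            lines += obj.cli()
        for grp in self.groups.values():
            lines.append(f"object-group network {grp.name}")
            for m in grp.members:
                keyword = "network-object object" if m in self.objects else "group-object"
                lines.append(f" {keyword} {m}")
        return lines


def build_example() -> ObjectStore:
    """Constructed sample objects, groups and one rule (not from the guide)."""
    store = ObjectStore()
    store.add_object(NetworkObject("web-srv-1", "Host", "10.1.1.5"))
    store.add_object(NetworkObject("dmz-net", "Network", "10.1.0.0/16"))
    store.add_object(NetworkObject("mgmt-pool", "Range", "10.1.1.10-10.1.1.20"))
    store.add_group(NetworkObjectGroup("web-servers", ["web-srv-1"]))
    store.add_group(NetworkObjectGroup("dmz-all", ["dmz-net", "web-servers"]))
    store.add_rule("allow-mgmt", "mgmt-pool", "dmz-all")
    return store


if __name__ == "__main__":
    store = build_example()
    print("\n".join(store.cli()))
    try:
        store.delete("web-srv-1")       # refused: web-servers still references it
    except ValueError as err:
        print("refused:", err)
```

Running the module prints the rendered configuration and then shows the deletion being refused because the group `web-servers` still references `web-srv-1`; the same check covers objects named directly in a rule, which is the point the overview makes about reuse preventing accidental removal.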