Once object groups have been put in place, it is important for
network administrators to be able to monitor and modify them as necessary. This
section will look at the following three commands that are used for these
purposes:
show object-group
no object-group
clear object-group

Viewing Object Groups

The show object-group command gives a network administrator the ability to
easily review object groups that are currently configured on a PIX Security
Appliance. This enables the administrator to view the object groups based on
several criteria. The PIX displays defined object groups by their grp_id when
the show object-group id grp_id command is entered. The PIX also displays
defined object groups by group type when the show object-group command is
entered with the protocol, service, icmp-type, or network option. When the
show object-group command is entered without a parameter, all defined object
groups are shown.

Removing Object Groups

Two commands that are used to maintain object groups on a PIX Security
Appliance are the no object-group and clear object-group commands. The
no object-group command removes a single object group from the configuration,
whereas the clear object-group command is used to erase all object groups
from the PIX.
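
The following Python example is added here and is not part of the original course text. It reads a saved configuration offline, lists object groups by type in the way show object-group with a type option selects them, and reports which groups no ACL or parent group references, which is worth knowing before a group is removed. The sample configuration, the group and ACL names, and the function names are constructed for illustration.

```python
import re
# Constructed sample configuration; names and addresses are illustrative.
SAMPLE_CONFIG = """\
object-group network WEBSERVERS
  network-object host 192.0.2.10
object-group network ALLSERVERS
  group-object WEBSERVERS
object-group service WEBPORTS tcp
  port-object eq www
object-group protocol LEGACY
  protocol-object udp
access-list ACLIN permit tcp any object-group ALLSERVERS object-group WEBPORTS
"""

GROUP_RE = re.compile(r"^object-group\s+(protocol|service|icmp-type|network)\s+(\S+)")

def parse_groups(config):
    """Return {grp_id: {"type": ..., "members": [...]}} from config text."""
    groups, current = {}, None
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = groups.setdefault(m.group(2), {"type": m.group(1), "members": []})
        elif current is not None and line.startswith(" "):
            current["members"].append(line.strip())
        else:
            current = None
    return groups

def groups_by_type(groups, grp_type):
    """Group ids of one type, the selection 'show object-group <type>' makes."""
    return sorted(n for n, g in groups.items() if g["type"] == grp_type)

def references(config, groups):
    """Map grp_id -> places that use it (an ACL name or a parent group)."""
    used = {}
    for name, g in groups.items():
        for member in g["members"]:
            if member.startswith("group-object "):
                used.setdefault(member.split()[1], []).append("nested in " + name)
    for line in config.splitlines():
        if line.startswith("access-list "):
            for ref in re.findall(r"\bobject-group\s+(\S+)", line):
                used.setdefault(ref, []).append("access-list " + line.split()[1])
    return used

def unreferenced(config):
    groups = parse_groups(config)
    return sorted(set(groups) - set(references(config, groups)))
```
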

Lab Exercise: Configure Object Groups and Nested Object Groups using CLI

In this lab, students will learn to configure a service, ICMP-Type, and nested
server object group. Students will also learn to configure an inbound access
control list (ACL) with object groups. Students will then configure web and
ICMP access to the inside host. Finally, students will test and verify the
inbound ACL.