Reg. ASDM Object grouping

Answered Question
May 28th, 2010

In the ASDM


Objects -> Network objects/Groups


When we click on Add Network Object, consider that the name we specify is TEST1 and the IP Address Range is 10.10.0.0 255.255.255.0, and then we create one more Network Object with the name TEST2 and IP Address Range 10.10.0.0 255.255.255.192. Once we apply, the previous network object [TEST1] is replaced with the newer name [TEST2]. That means there are now 2 Network Object entries with the same name in ASDM, as shown below:


TEST2 10.10.0.0 255.255.255.0
TEST2 10.10.0.0 255.255.255.192


This is equivalent to the name command in the CLI, and doing a "sh name" gives a single TEST2 with no subnet information there.


Hence please let me know if this is normal or a bug. I have found this in 6.3.1; is it the same in other versions as well? Also, is there any workaround to have 2 different names for a similar IP range with different masks, other than the solution of creating an object-group and assigning network-objects to it (which I know will obviously work)?


Jennifer Halim (Cisco Employee), Fri, 05/28/2010 - 05:35

Definitely sounds like a bug.

Which version of ASA are you running? If you are running version 8.2.x or lower, I would recommend that you downgrade your ASDM to version 6.2.5.

ankurs2008, Fri, 05/28/2010 - 05:51

I am running 8.2.1(18) code with ASDM 6.2(1) and found this issue there as well as on one firewall running ASA 8.2.2 with ASDM 6.3.1. Please let me know regarding the same.

Jennifer Halim (Cisco Employee), Fri, 05/28/2010 - 05:56

ASDM 6.3.1 is new and also supports ASA 8.3.1. Even though it is backward compatible, there seem to be a number of bugs with earlier versions of ASA.


I would recommend that you downgrade the ASDM back to 6.2.5 since you are not running ASA 8.3.1.

ankurs2008, Sun, 05/30/2010 - 16:40

Hi halijenn,


Thanks for the reply; however, 8.2.1(18) code with ASDM 6.2(1) is also running and showing the same thing. Also, I believe from the compatibility matrix that we can use ASDM 6.3.1 (which is recommended) with any of the 8.2 versions. Can you please try this in the lab or test with the demo ASDM? Meanwhile I am also trying to figure it out at my end. Thanks a lot!

Correct Answer
Jennifer Halim (Cisco Employee), Mon, 05/31/2010 - 03:31

Hi Ankur,


I have tested it in the lab and realise that the ASDM network object should not have a netmask field, because the "name" command does not have a subnet field. That is why your test is getting overridden with the later name that you configured (TEST2).


The "name" command only has the following fields:

name ip_address name [description text]


Here is the command reference for "name" command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1747000


You can open a TAC case so an ASDM bug can be raised.


Hope that helps to clarify your concern.

ankurs2008, Mon, 05/31/2010 - 17:45

Hi halijenn,


I have tried with the 6.2.5 ASDM code as well, with the same results.

Also, there is a subnet mask associated with the network-object when creating it via ASDM, and the same can be pulled into an access-list (via the ASDM Browse option) using either of those 2 names; hence in this case, even though the 2 network-objects have the same name, we can still pull our desired network-object into it.

However, via the command line, "sh names" will only show 1 name (though actually we have made 2), and when we apply it in an access-list (via CLI) we can utilize that name, but we have to give the subnet mask in the ACL at that point.

Hence the conclusion is: the subnet mask of the network-object is useful in ASDM, but not in the CLI. As this is the same on almost all ASDM versions, I don't think it is a bug, as otherwise it would by now have been known by everybody.

ankurs2008, Tue, 06/01/2010 - 17:41

Hi halijenn,


Please reply to my query below. Thanks.

Jennifer Halim (Cisco Employee), Wed, 06/02/2010 - 01:46

Hi Ankur,


There are 2 options when configuring object groups via ASDM (the naming is not very intuitive and does not match the CLI):

1) The name command on CLI --> Network Object

2) The object-group command on CLI --> Network Object Group


With the first one, as advised earlier, the name command on the CLI does not include a subnet mask entry. You can actually check that by creating a "Network Object" with the mask in ASDM; when you click Apply, a pop-up box shows what command is actually sent to the ASA, and it will not include the mask.


Example (Attached):

ASDM configuration for Network Object: ASDM-NetworkObject-name.JPG

CLI that is being sent to the ASA when clicking on the Apply button: CLI-sent-to-ASA.JPG


As you can see, the ASDM Network Object corresponds to the CLI name command, and the subnet mask is not included in the actual "name" command. On ASDM it is more for your information as to what subnet mask the object is; you can't really configure the same name with the same IP subnet and differentiate between the 2 by subnet mask.
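The practical risk in the two answers above (the "name" command has no mask, and two ASDM Network Objects that differ only by mask collapse to the last name pushed) is that any ACL which later references the surviving name has to supply its own mask, so the ACL no longer records which of the two objects was intended. The following script is an added example, not code from the thread or from Cisco: it replays a constructed sequence of ASA commands (the `name` lines ASDM would send, the `object-group network` workaround the question already mentions, and a few ACL lines), models the `name` table the way the thread observes it behaves (one entry per IP address, last one wins; this is an assumption drawn from the "sh names" result reported above), and flags both the silently replaced name and any name that ACLs use with more than one mask. The object-group parser is there to show that `network-object` members keep their masks, which is why that workaround avoids the collision.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): the command sequence ASDM sends for
# two "Network Objects" that differ only by mask, the object-group workaround
# the thread mentions, and ACL lines that reuse the surviving name.
SAMPLE_COMMANDS = """\
names
name 10.10.0.0 TEST1 description first ASDM network object
name 10.10.0.0 TEST2 description second ASDM network object
object-group network TEST1_NET
 network-object 10.10.0.0 255.255.255.0
object-group network TEST2_NET
 network-object 10.10.0.0 255.255.255.192
access-list outside_in extended permit ip TEST2 255.255.255.0 any
access-list outside_in extended permit tcp TEST2 255.255.255.192 any eq 22
access-list outside_in extended permit ip object-group TEST1_NET any
"""

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_names(commands):
    """Replay 'name' commands as the thread observes the ASA stores them:
    one entry per IP address, last one wins (assumption based on the thread).
    Returns (ip -> name, list of (ip, old_name, new_name) replacements)."""
    names, replaced = {}, []
    for line in commands.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "name":
            ip, name = parts[1], parts[2]
            if ip in names and names[ip] != name:
                replaced.append((ip, names[ip], name))
            names[ip] = name
    return names, replaced


def parse_object_groups(commands):
    """Collect 'object-group network' members. Unlike 'name', each member keeps
    its own mask, so two groups for 10.10.0.0 with different masks coexist."""
    groups, current = {}, None
    for line in commands.splitlines():
        parts = line.split()
        if parts[:2] == ["object-group", "network"] and len(parts) == 3:
            current = parts[2]
            groups[current] = []
        elif current and parts[:1] == ["network-object"] and len(parts) == 3:
            groups[current].append((parts[1], parts[2]))
        elif parts and not line.startswith(" "):
            current = None  # any unindented line leaves the object-group sub-mode
    return groups


def acl_name_masks(commands, names):
    """For every access-list line, record which mask each known name is used
    with. A name reference must carry a mask because the name itself has none."""
    known = set(names.values())
    masks = defaultdict(set)
    for line in commands.splitlines():
        parts = line.split()
        if parts[:1] != ["access-list"]:
            continue
        for i, tok in enumerate(parts[:-1]):
            # skip 'object-group <name>' tokens, which are groups, not names
            if (tok in known and parts[i - 1] != "object-group"
                    and DOTTED_QUAD.match(parts[i + 1])):
                masks[tok].add(parts[i + 1])
    return dict(masks)


def audit(commands):
    """Return the two conditions worth checking after an ASDM object collision:
    names that were silently replaced, and surviving names whose ACL references
    disagree on the mask (so the ACL no longer says which object was meant)."""
    names, replaced = parse_names(commands)
    masks = acl_name_masks(commands, names)
    ambiguous = sorted(n for n, m in masks.items() if len(m) > 1)
    return {"names": names, "replaced": replaced,
            "acl_masks": masks, "ambiguous": ambiguous}


if __name__ == "__main__":
    result = audit(SAMPLE_COMMANDS)
    for ip, old, new in result["replaced"]:
        print(f"name {ip}: {old} silently replaced by {new}")
    for n in result["ambiguous"]:
        print(f"{n} is used in ACLs with masks {sorted(result['acl_masks'][n])}")
    for group, members in parse_object_groups(SAMPLE_COMMANDS).items():
        print(f"object-group {group}: {members}")
```

Run against a real `show running-config` the replacement check will be empty (the ASA only keeps the surviving `name`), so the useful signal there is the `ambiguous` list: a name that appears in ACLs with two different masks is exactly the trace an ASDM collision leaves behind. Migrating those entries to `object-group network` objects, as the question itself proposes, removes the ambiguity because the mask travels with the member.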
