ASA 5505 Invalid Input

Unanswered Question
Apr 16th, 2012

Hi


Whenever I use the following command I get an invalid input error:


ciscoasa# conf t
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# object network net-local
ciscoasa(config-network)# subnet 192.168.101.0 255.255.255.0
                          ^


I have reset the firewall (Cisco 5505) to factory default. The ^ marker is under "subnet".


Any input from you would be greatly appreciated.


Thank you


Regards

varrao Tue, 04/17/2012 - 05:16

Hi Jayesh,


What version are you using on the ASA?


Thanks,

Varun

Dan-Ciprian Cicioiu Tue, 04/17/2012 - 05:24

Hi,


Have you tried:


object network net-local

network-object 192.168.101.0 255.255.255.0


Dan

Harish Balakrishnan Tue, 04/17/2012 - 06:03

Hello Jayesh


If you want to use the subnet option, you need to be in the "hostname(config-network-object)" prompt.

From the output you gave, I believe you need to use the

'network-object' command instead of subnet, since the ASA version is different.


hope this helps


Harish.

Jouni Forss Tue, 04/17/2012 - 06:08

Hi,


Think your reset might have removed the following command


"boot system flash:"


Which means there is no specific software image to boot from after reload.


And this has in turn booted the ASA with an older software version on the ASA and not the latest 8.3 or 8.4 software you were running.


Use the command "show version" to check which software it has booted with.


To choose the software you want the ASA to boot with always, use the command


boot system flash:/


For ASDM image use the following


asdm image flash:/


The ASDM command might give you some version warning but ignore it. It's just because your running software might not match the ASDM version.


- Jouni
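As an added example (not part of the original thread), here is the check-and-fix sequence Jouni describes, typed at the ASA CLI. All command output below is constructed, and the image file names asa825-k8.bin, asa843-k8.bin and asdm-645.bin are assumptions; use the names that "dir flash:" actually lists on your unit. On the 5505, "flash:" and "disk0:" refer to the same filesystem.

```text
! Added example, not from the original thread. Output is constructed and the
! image file names are assumptions; substitute what "dir flash:" shows on your ASA.

! 1. Confirm which image actually booted. "System image file" is the line that
!    matters: on 8.2 "object network" does not exist, which explains the error.
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
! (other lines omitted)
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

! 2. List the images present in flash. With no "boot system" line in the
!    startup-config the ASA falls back to the first image it finds.
ciscoasa# dir flash:
Directory of disk0:/

   10  -rwx  15390720   10:41:12 Jan 06 2012  asa825-k8.bin
   11  -rwx  25159680   10:43:50 Jan 06 2012  asa843-k8.bin
   12  -rwx  16280544   10:45:07 Jan 06 2012  asdm-645.bin

! 3. Pin the boot image and the matching ASDM image, then verify the BOOT
!    variable before reloading. The ASDM version warning Jouni mentions is
!    expected here because 8.2 is still the running software.
ciscoasa# configure terminal
ciscoasa(config)# boot system flash:/asa843-k8.bin
ciscoasa(config)# asdm image flash:/asdm-645.bin
ciscoasa(config)# end
ciscoasa# show bootvar
BOOT variable = disk0:/asa843-k8.bin
Current BOOT variable = disk0:/asa843-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =

! 4. Save and reload. Once 8.4 is running, "object network" gets its own
!    (config-network-object) prompt and "subnet" is accepted.
ciscoasa# write memory
ciscoasa# reload
```

Two things to check before the reload: "show version" also reports installed RAM, and 8.3 and later need 512 MB on a 5505; and moving from 8.2 to 8.3 or later rewrites the NAT and access-list configuration on first boot, so review the converted configuration (and the "boot system" line itself) after the upgrade rather than assuming the old one survived intact.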

Dan-Ciprian Cicioiu Tue, 04/17/2012 - 06:13

Hi Jouni,


From Cisco ASA 5500 Series Command Reference, 8.4, 8.5, and 8.6:


hostname(config)# object-group network sjj_eng_ftp_servers

hostname(config-network-object-group)# network-object host sjj.eng.ftp

hostname(config-network-object-group)# network-object host 172.16.56.195 

hostname(config-network-object-group)# network-object 192.168.1.0 255.255.255.224 

hostname(config-network-object-group)# group-object sjc_eng_ftp_servers


hostname(config-network-object-group)# quit



http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/no.html#wp1814597


Can you tell us the details regarding the different CLI commands?


Dan

Jouni Forss Tue, 04/17/2012 - 06:17

Hi,


I just imagine that he was using the CLI like normal in 8.3 and 8.4 version and would enter the command


object network


But as the booted software might be 8.2 or below the ASA would understand the above command the same as he was writing


object-group network


This is because there is no other command starting with "object" in 8.2 and earlier software versions. So the ASA would presume this was the command intended.


- Jouni

Jouni Forss Tue, 04/17/2012 - 07:17

Hi,


Seems we are talking about 2 totally different things


Since 8.3 software there have been 2 different types of "object" that contain IP addresses


The one that has existed always (?) is the "object-group network "


The one that was added in 8.3 is "object network "


The configuration references you have linked there refer to the objects inside a "object-group network "



Example of both objects


object-group network LAN

network-object 10.10.10.0 255.255.255.0


object network LAN

subnet 10.10.10.0 255.255.255.0



And referring to the original problem of the poster.


He said he had just returned the ASA to factory default configuration. This would probably mean that any configuration reference to the software image used to boot the ASA was also removed. Now if this is true and he has several old software images on the ASA's flash memory, the ASA might boot with old software.


Now when he's running an ASA that has booted with old 8.2 and earlier software, when he issues the command "object network " the ASA will understand it as "object-group network " as the precise command "object network " doesn't exist in the 8.2 and earlier software.


And this is why his "subnet" parameter isn't accepted on the CLI.



Because he's under the "object-group network" configuration mode and not under the "object network" configuration mode (as it doesn't exist in that software).


- Jouni

Dan-Ciprian Cicioiu Tue, 04/17/2012 - 07:30

Yes, you are right. I found in the command reference the "object network" command.


object network object name [rename new_obj_name] {host ip_addr | subnet net_addr net_mask | range ip_addr_1 ip_addr2} description text


To be sincere, I did not know about this change between the versions.

I do not understand these kinds of changes, as I do not understand the reason for changing the NAT syntax.



Dan

Jouni Forss Tue, 04/17/2012 - 07:37

Hi,


I guess the "object network" is mainly there for the changes in NAT and access-lists.


Though that doesn't stop you from using either "object network" or "object-group network" in your NAT and ACL configurations.


Certain NAT configurations naturally require the use of "object network" instead of "object-group network"


- Jouni
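As an added example (not part of the original thread), the two object types side by side, together with the NAT and access-list usage Jouni refers to, and the same session on an 8.2 image for comparison. The prompt is itself the tell: on 8.2 "object-group network" drops you into "(config-network)", which is exactly what the original post shows, whereas on 8.3 and later "object network" gives "(config-network-object)" and "object-group network" gives "(config-network-object-group)". The names net-local, LAN-GROUP, web-server and OUTSIDE-IN, and every address other than 192.168.101.0/24, are assumptions.

```text
! Added example, not from the original thread. Object names, the 203.0.113.10
! public address and the 192.168.101.10 host are assumptions.

! --- ASA 8.2 and earlier (the original poster's situation) ---
! "object network" is expanded to "object-group network", so the prompt is
! (config-network) and "subnet" is not a valid keyword there.
ciscoasa(config)# object network net-local
ciscoasa(config-network)# subnet 192.168.101.0 255.255.255.0
                          ^
ERROR: % Invalid input detected at '^' marker.
! The keyword this mode does accept:
ciscoasa(config-network)# network-object 192.168.101.0 255.255.255.0

! --- ASA 8.3 and later: two distinct object types ---
! Group object: a container of one or more network-object entries,
! usable in ACLs but not as the anchor for object NAT.
object-group network LAN-GROUP
 network-object 192.168.101.0 255.255.255.0
 network-object host 192.168.101.10

! Network object: exactly one host/subnet/range, and the only place where
! object NAT can be attached. Prompt here is (config-network-object).
object network net-local
 subnet 192.168.101.0 255.255.255.0
 nat (inside,outside) dynamic interface

object network web-server
 host 192.168.101.10
 nat (inside,outside) static 203.0.113.10

! ACLs can reference either kind; note the different keywords. Since 8.3 the
! ACL is written against the real (pre-NAT) address, hence "object web-server".
access-list OUTSIDE-IN extended permit tcp any object web-server eq 80
access-list OUTSIDE-IN extended permit tcp any object-group LAN-GROUP eq 443
access-group OUTSIDE-IN in interface outside
```

The practical consequence for the original poster: once the ASA is booted on 8.3 or later, "object network net-local" followed by "subnet 192.168.101.0 255.255.255.0" is accepted as typed, and if the intent is to NAT that subnet, the "nat" line belongs inside that same object rather than in a separate "object-group network".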
