Hi,

Think your reset might have removed the following command

"boot system flash:"

Which means there is no certain software image to boot from after reload.

And this has in turn booted the ASA with older version software on the ASA and not the latest 8.3 or 8.4 software you were running.

Use the command "show version" to check which software it has booted with.

To choose the software you want the ASA to boot with always, use the command

boot system flash:/

For ASDM image use the following

asdm image flash:/

The ASDM command might give you some version warning but ignore it. Its just because your running software might not match the ASDM version.

- Jouni

Hi Jouni,

From Cisco ASA 5500 Series Command Reference, 8.4, 8.5, and 8.6 :

hostname(config)# object-group network sjj_eng_ftp_servers

hostname(config-network-object-group)# network-object host sjj.eng.ftp

hostname(config-network-object-group)# network-object host 172.16.56.195 

hostname(config-network-object-group)# network-object 192.168.1.0 255.255.255.224 

hostname(config-network-object-group)# group-object sjc_eng_ftp_servers

hostname(config-network-object-group)# quit

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/no.html#wp1814597

Can you tell us the details regarding the difference cli commands ?

Dan

Hi,

I just imagine that he was using the CLI like normal in 8.3 and 8.4 version and would enter the command

object network

But as the booted software might be 8.2 or below the ASA would understand the above command the same as he was writing

object-group network

This as there is no other command starting with "object" in 8.2 and pre software versions. So the ASA would presume this was the command intended.

- Jouni

Regarding to the network objects I do not see any differences from 7.0 -> 8.0 -> 8.4

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1749092

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/mr.html#wp1584782

Dan

Hi,

Seems we are talking about 2 totally different things

After 8.3 software there has been 2 different type of "object" that contain IP addresses

The one that has excisted always (?) is the "object-group network

The one that was added in 8.3 is "object network

The configuration references you have linked there refer to the objects inside a "object-group network

Example of both objects

object-group network LAN

network-object 10.10.10.0 255.255.255.0

object network LAN

subnet 10.10.10.0 255.255.255.0

And referring to the orignal problem with the poster.

He said he had just returned the ASA to factory default configuration. This would probably mean that any configuration reference to the software image used to boot the ASA was also removed. Now if this is true and he has several old software images on the ASAs flash memory, the ASA might boot with old software.

Now when hes running an ASA that has booted with old 8.2 and pre software, when he issues the command "object network

And this is why his "subnet" parameter isnt accepted on the CLI.

Because hes under the "object-group network" configuration mode and not under the "object network" configuration mode (As it doesnt exist in that software).

- Jouni

Yes, you are right. I found in the command reference the "object network" command.

object network object name [rename new_obj_name] {host ip_addr | subnet net_addr net_mask | range ip_addr_1 ip_addr2} description text

Do be sincer, I did not know about this change between the versions.

I do not understand this kind of changes , as I do not understand the reason for changing NAT syntax .

Dan

Hi,

I guess the "object network" is mainly there for the changes in NAT and access-lists.

Though that doesnt stop you from using either "object network" or "object-group network" in your NAT and ACL configurations.

Certain NAT configurations naturally require the use of "object network" instead of "object-group network"

- Jouni