Problems with PDM-behaviour

I have a very special problem with PDM 2.1(1).

Until now I only used the CLI to configure PIX.

If I start PDM it wants to add object-groups that already exist. I think he needs them to manage Access Rules. But this means for me that I have redundant object-groups and there is a difference between PDM-managed o-g and the o-g used in the ACLs.

Here is an example...

My manually defined object-groups and statics
---------------------------------------------
object-group network ObjGrp
 network-object 10.10.10.10 255.255.255.255
 network-object 10.10.10.20 255.255.255.255
static (inside,outside) 10.10.10.10 10.20.10.10 255.255.255.255
static (inside,outside) 10.10.10.20 10.20.10.20 255.255.255.255
object-group network ObjGrp_ref
 network-object 10.20.10.10 255.255.255.255
 network-object 10.20.10.20 255.255.255.255

PDM wants to add the following
------------------------------
object-group network ObjGrp1
 network-object 10.10.10.10 255.255.255.255
 network-object 10.10.10.20 255.255.255.255
pdm group ObjGrp1 inside
pdm group ObjGrp_ref outside reference ObjGrp1

This does not happen to all o-g (I have 12 for inside hosts and 13 for outside hosts). For some pdm groups he uses the manually defined names.

I already found out that PDM defines new o-g if there is any difference between "original" and reference (description or the order of the network hosts).

If I edit an Access Rule within PDM he wants to reorganize all my ACLs on the PIX so that PDM's o-g are used.

My next try was to define pdm groups and references manually before starting PDM. The result is that PDM deletes all "pdm group ... outside reference ..." but creates no new references. So he can't process the Access Rules properly and displays "(Null Rule)" for nearly all Rules.

This means for me that I can only use PDM if I never had any configuration on my PIX!?

I don't want PDM to tell me how I have to name my object-groups!

Is it a bug? A feature? Does anyone know a hint?

Stephan


Re: Problems with PDM-behaviour

A master group is the group you created from the PDM GUI interface. It contains a list of hosts or networks of your choice. A reference group contains the NAT-ed IP addresses of those hosts or networks on a particular interface. We need it because some PIX CLI commands require the usage of NAT-ed addresses.

A 'pdm group' command without the 'reference' keyword allows PDM to associate a master network object-group to an interface. A 'pdm group' command with the 'reference' keyword allows PDM to associate a master network object-group which contains network objects to its corresponding reference network object-group which contains translated IP addresses.
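Added example, not from the original thread or from Cisco: a Python script that applies the poster's finding before PDM is opened. It derives the reference group PDM would expect for a master group by translating each host through the `static` entries and reports whether an existing group matches exactly or only differs in host order. The sample configuration, the group name ObjGrp_swapped, the pairing of a host with the second `static` address (taken from the poster's example) and the fallback that a host without a `static` keeps its address are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the poster's layout: a master group, the statics for its hosts,
# one reference group in matching order and one with the two hosts swapped.
SAMPLE_CONFIG = """\
object-group network ObjGrp
 network-object 10.10.10.10 255.255.255.255
 network-object 10.10.10.20 255.255.255.255
static (inside,outside) 10.10.10.10 10.20.10.10 255.255.255.255
static (inside,outside) 10.10.10.20 10.20.10.20 255.255.255.255
object-group network ObjGrp_ref
 network-object 10.20.10.10 255.255.255.255
 network-object 10.20.10.20 255.255.255.255
object-group network ObjGrp_swapped
 network-object 10.20.10.20 255.255.255.255
 network-object 10.20.10.10 255.255.255.255
"""

def parse_config(text: str) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Return ({group: [hosts in config order]}, {static first address: second address}).
    Assumes the poster's pairing (first static argument -> second); descriptions ignored."""
    groups: Dict[str, List[str]] = {}
    statics: Dict[str, str] = {}
    current: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"object-group network (\S+)$", line):
            current = groups.setdefault(m.group(1), [])
        elif m := re.match(r"network-object (?:host )?(\S+)", line):
            current.append(m.group(1))
        elif m := re.match(r"static \(\S+\) (\S+) (\S+)", line):
            statics[m.group(1)] = m.group(2)
    return groups, statics

def reference_candidates(groups, statics, master: str) -> Dict[str, str]:
    """Compare every other group with the reference list derived for `master`.
    Hosts without a static are assumed to keep their address. Per the poster's
    observation only an identical list ("exact") is reused; otherwise PDM adds its own."""
    expected = [statics.get(ip, ip) for ip in groups[master]]
    verdicts: Dict[str, str] = {}
    for name, members in groups.items():
        if name != master and members == expected:
            verdicts[name] = "exact"
        elif name != master and sorted(members) == sorted(expected):
            verdicts[name] = "order differs"
    return verdicts

if __name__ == "__main__":
    g, s = parse_config(SAMPLE_CONFIG)
    print(reference_candidates(g, s, "ObjGrp"))  # {'ObjGrp_ref': 'exact', 'ObjGrp_swapped': 'order differs'}
```

Feed it the output of `show run` to see which of your manually defined reference groups PDM will reuse and which it will duplicate; a group reported as "order differs" only needs its members reordered.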
