Cisco Support Community

Problems with PDM-behaviour

I have a very special problem with PDM 2.1(1).

Until now I have only used the CLI to configure the PIX.

If I start PDM, it wants to add object-groups that already exist. I think it needs them to manage Access Rules. But this means for me that I have redundant object-groups, and there is a difference between the PDM-managed o-g and the o-g used in the ACLs.

Here is an example...

My manually defined object-groups and statics


object-group network ObjGrp



static (inside,outside)

static (inside,outside)

object-group network ObjGrp_ref



PDM wants to add the following


object-group network ObjGrp1



pdm group ObjGrp1 inside

pdm group ObjGrp_ref outside reference ObjGrp1

This does not happen to all o-g (I have 12 for inside hosts and 13 for outside hosts). For some pdm groups it uses the manually defined names.

I already found out that PDM defines new o-g if there is any difference between the "original" and the reference (description or the order of the network hosts).

If I edit an Access Rule within PDM, it wants to reorganize all my ACLs on the PIX so that PDM's o-g are used.

My next try was to define pdm groups and references manually before starting PDM. The result is that PDM deletes all "pdm group ... outside reference ..." but creates no new references. So it can't process the Access Rules properly and displays "(Null Rule)" for nearly all Rules.

This means for me that I can only use PDM if I never had any configuration on my PIX!?

I don't want PDM to tell me how I have to name my object-groups!

Is it a bug? A feature? Does anyone have a hint?



Re: Problems with PDM-behaviour

A master group is the group you created from the PDM GUI interface. It contains a list of hosts or networks of your choice. A reference group contains the NAT-ed IP addresses of those hosts or networks on a particular interface. We need it because some PIX CLI commands require the usage of NAT-ed addresses.

A 'pdm group' command without the 'reference' keyword allows PDM to associate a master network object-group to an interface. A 'pdm group' command with the 'reference' keyword allows PDM to associate a master network object-group which contains network objects to its corresponding reference network object-group which contains translated IP addresses.
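As an added illustration of the master/reference pairing described in this reply (example code, not from the original thread or from Cisco): a small Python checker that parses a constructed PIX 6.x configuration fragment and reports why a hand-written reference group would not line up with its master group, i.e. the kind of mismatch (member order, missing static) that makes PDM create its own ObjGrp1-style copies instead. The group names, interfaces and addresses in the sample are assumed.

```python
import re
# Constructed PIX 6.x fragment (not from the original post): ObjGrp_ref holds
# the NAT-ed copies of ObjGrp's hosts, but lists them in a different order.
SAMPLE_CONFIG = """\
object-group network ObjGrp
 network-object host 10.1.1.10
 network-object host 10.1.1.11
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.11 10.1.1.11 netmask 255.255.255.255 0 0
object-group network ObjGrp_ref
 network-object host 192.0.2.11
 network-object host 192.0.2.10
pdm group ObjGrp inside
pdm group ObjGrp_ref outside reference ObjGrp
"""

def parse_config(text):
    """Collect network object-groups, statics and 'pdm group' lines."""
    groups, statics, pdm, current = {}, {}, {}, None
    for line in text.splitlines():
        if m := re.match(r"object-group network (\S+)", line):
            current = m.group(1)
            groups[current] = []
        elif m := re.match(r"\s+network-object host (\S+)", line):
            groups[current].append(m.group(1))
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line):
            real_ifc, mapped_ifc, mapped_ip, real_ip = m.groups()
            statics[(real_ifc, mapped_ifc, real_ip)] = mapped_ip  # real -> NAT-ed
        elif m := re.match(r"pdm group (\S+) (\S+)(?: reference (\S+))?", line):
            name, ifc, master = m.groups()  # master is None for a master group
            pdm[name] = (ifc, master)
    return groups, statics, pdm

def classify(expected, actual):
    """Why PDM would refuse to pair a master group with this reference group."""
    if None in expected:
        return "missing static"
    if sorted(h for h in expected if h) != sorted(actual):
        return "members differ"
    return "order differs" if expected != actual else "ok"

def check_references(text):
    """Map each reference group to 'ok' or the reason PDM would rebuild it."""
    groups, statics, pdm = parse_config(text)
    report = {}
    for ref, (ref_ifc, master) in pdm.items():
        if master:  # only 'pdm group ... reference ...' lines
            master_ifc = pdm[master][0]
            expected = [statics.get((master_ifc, ref_ifc, h)) for h in groups[master]]
            report[ref] = classify(expected, groups[ref])
    return report
```

Running `check_references(SAMPLE_CONFIG)` flags ObjGrp_ref with "order differs"; swapping its two hosts to match ObjGrp's order yields "ok".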
