Experimenting a few minutes ago, I found a couple of PIX 6.3(3)
and 6.3(4) 'name' enhancements that aren't documented. These might
have come into effect earlier still; I haven't checked.
Before, a value defined in a 'name' could only be used in the host
or network position of a location where an ip and mask pair was expected,
such as in
access-list FOO permit udp host MyServer MyISP 255.255.255.200 eq dns
object-group network BAR
network-object host MyOtherServer
In particular, using a name in the netmask area was not allowed:
name 255.255.255.0 ClassC
access-list FOO permit udp host MyServer MyISP ClassC eq dns
In 6.3(3) and 6.3(4) it is now valid to enter a name instead of a
netmask. This is not what the online help indicates, but it works.
When you display the access-list, the name will NOT be displayed in
the mask areas.
If, though, you use this in an object-group network, and you display
the object, then the name WILL be substituted:
npix(config-network)# show object-group id FOO
object-group network FOO
network-object 208.215.64.0 Bad64
But if this object is embedded into an ACL, then when you display the
ACL and the PIX expands out the object-group, then in the display
of the ACL, the mask names will NOT be shown -- only when you display
the objects as objects.
Interestingly, names of masks -will- be substituted when showing
'route' statements.
======
I also found that PIX 6.x accepts netmasks that are not CIDR. Before
I was under the impression that the masks had to have consecutive
bits set. Somehow I suspect that some features (e.g., IPSec) don't
take kindly to non-consecutive bits set in the mask...
--
Beware of bugs in the above code; I have only proved it correct,
not tried it. -- Donald Knuth
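As an added example (not code from the post above), here is a small Python audit that flags non-contiguous masks in access-list and network-object lines and shows which addresses such a mask actually matches. The sample config is constructed; only the 255.255.255.200 mask is taken from the post, and the token walk assumes the PIX syntax shown there ('host A' takes no mask, otherwise address/mask pairs).

```python
import ipaddress
import re

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def mask_is_contiguous(mask: str) -> bool:
    """True when the mask is a run of 1 bits followed by 0 bits (a CIDR mask)."""
    m = int(ipaddress.IPv4Address(mask))
    inv = ~m & 0xFFFFFFFF            # complement within 32 bits
    return inv & (inv + 1) == 0      # 2^k - 1 shares no set bit with 2^k

def acl_matches(addr: str, network: str, mask: str) -> bool:
    """Apply an address/mask pair bit-for-bit, which is what any mask, contiguous or not, does."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (n & m)

def matching_hosts(network: str, mask: str):
    """Every address the pair matches; with a non-contiguous mask these are scattered, not a block."""
    m = int(ipaddress.IPv4Address(mask))
    base = int(ipaddress.IPv4Address(network)) & m
    zero_bits = [i for i in range(32) if not (m >> i) & 1]
    hosts = []
    for combo in range(1 << len(zero_bits)):          # deposit each combo into the mask's 0 bits
        value = base
        for j, bit in enumerate(zero_bits):
            if (combo >> j) & 1:
                value |= 1 << bit
        hosts.append(str(ipaddress.IPv4Address(value)))
    return hosts

def audit_masks(config_lines):
    """Return (line, mask) for every non-contiguous mask in access-list/network-object lines."""
    findings = []
    for line in config_lines:
        toks = line.split()
        if not toks or toks[0] not in ("access-list", "network-object"):
            continue
        i = 0
        while i < len(toks):
            if toks[i] == "host":                      # 'host A' carries no mask
                i += 2
                continue
            if i + 1 < len(toks) and DOTTED_QUAD.match(toks[i]) and DOTTED_QUAD.match(toks[i + 1]):
                if not mask_is_contiguous(toks[i + 1]):
                    findings.append((line.strip(), toks[i + 1]))
                i += 2                                 # consume the address/mask pair
                continue
            i += 1
    return findings

# Constructed sample config (addresses are documentation ranges); the 255.255.255.200 mask is from the post.
SAMPLE_CONFIG = [
    "access-list FOO permit udp host 192.0.2.10 198.51.100.0 255.255.255.200 eq domain",
    "access-list FOO permit tcp 192.0.2.0 255.255.255.0 any eq www",
    "route outside 0.0.0.0 0.0.0.0 203.0.113.1 1",
]
```

Running audit_masks over SAMPLE_CONFIG reports only the first line, and matching_hosts shows that 255.255.255.200 admits 32 addresses spread across the whole /24 rather than one contiguous range.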