PDM woes (yet another...)

Discussion in 'Cisco' started by Marc Luethi, Feb 2, 2005.


    Hi all!

    Running

    FWSM Firewall Version 2.3(1)
    FWSM Device Manager Version 4.1(1)

    We have set up a few object-groups to set up management access to WAN
    routers outside the FWSM. It's something like this:

    static (inside,outside) 172.20.249.251 <real ip> netmask 255.255.255.255

    and the object-group we want to use in the ACLs looks like this:

    object-group network nms_servers
    network-object host 172.20.249.251
    network-object host 172.20.249.252
    network-object host 172.20.249.253
    ...

    and of course:

    access-list 123 extended permit icmp object-group <sources group> object-group nms_servers object-group <icmp types group>
    ...

    You get the picture, pretty basic stuff, I think.

    After having run PDM, new object-groups have appeared, such as:

    object-group network nms_servers_real1
    network-object host <real ip>
    network-object host <real ip2>
    network-object host <real ip3>
    ...
    object-group network nms_servers_real1_ref4
    network-object host 172.20.249.251
    network-object host 172.20.249.252
    network-object host 172.20.249.253
    ...


    Apart from inflating the config file, there's nothing wrong with that.

    BUT

    Also, access-list statements have been modified!
    They now read:

    access-list 123 extended permit icmp object-group <sources group> object-group nms_servers_real1_ref4 object-group <icmp types group>


    This is upsetting. What happens now if I'd like to modify the original
    object-group? Will I have to re-run PDM to have it rewrite access-list
    123 to reflect the changes I have made to the groups? Or do it all
    exclusively via PDM from now on? *ieeeek*

    Am I missing something about PDM's inner workings here? I can't stand
    seeing software modifying what a user has configured - adding a line
    or two for itself is ok, but not changing things.

    And all this just because the CSO isn't able to read and insists on
    having a colorful clickety thing to read the ACLs. Traffic monitoring
    is quite nice, I'll admit, but what does it have to go and rewrite the
    whole configuration for?

    Is there a way to prevent PDM from doing something like that?

    thanks for a hint or two

    Marc
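The rewrite Marc describes (a `<name>_realN` group holding the translated addresses, a `<name>_realN_refM` copy of the original members, and ACLs re-pointed at the copy) is easy to miss in a long config and, as he notes, silently breaks the link between the group an admin edits and the group the ACL actually uses. The script below is an added example, not part of the original post or of any Cisco tool: it parses a PIX/FWSM-style config, maps each derived group back to its base group by name pattern, checks whether the derived group's membership still matches what the base group (plus the `static` translations) implies, lists ACLs that reference derived groups, and produces ACL lines that reference the base group again. The sample config is constructed for the demo; `mgmt_sources`, `icmp_types` and the `10.1.1.x` real addresses stand in for the placeholders in the post, and the `_realN` / `_realN_refM` naming rule is an assumption taken from the two names shown in the post, so it should be checked against any other names PDM generates before relying on it.

```python
"""Audit a PIX/FWSM-style config for PDM-generated shadow object-groups.

Added example (not from the original post or from Cisco). Understands
'object-group network', 'network-object host', 'access-list' and 'static'
lines only; anything else is ignored.
"""
import re
from collections import OrderedDict

# Constructed sample: mirrors the post's config with placeholder names filled in.
# mgmt_sources, icmp_types and 10.1.1.x are assumptions, not values from the post.
SAMPLE_CONFIG = """\
static (inside,outside) 172.20.249.251 10.1.1.1 netmask 255.255.255.255
static (inside,outside) 172.20.249.252 10.1.1.2 netmask 255.255.255.255
object-group network nms_servers
 network-object host 172.20.249.251
 network-object host 172.20.249.252
object-group network nms_servers_real1
 network-object host 10.1.1.1
 network-object host 10.1.1.2
object-group network nms_servers_real1_ref4
 network-object host 172.20.249.251
 network-object host 172.20.249.252
access-list 123 extended permit icmp object-group mgmt_sources object-group nms_servers_real1_ref4 object-group icmp_types
"""

# Assumed naming rule, derived from the two generated names in the post.
DERIVED = re.compile(r"^(?P<base>.+?)_real\d+(?P<ref>_ref\d+)?$")


def parse_config(text):
    """Return (groups, acls, statics): group name -> host list, ACL lines,
    and mapped (outside) address -> real (inside) address from 'static'."""
    groups, acls, statics = OrderedDict(), [], {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r"network-object host (\S+)$", line)
        if m and current is not None:
            groups[current].append(m.group(1))
            continue
        current = None  # any other line ends the current group block
        if line.startswith("access-list "):
            acls.append(line)
        m = re.match(r"static \(\S+\) (\S+) (\S+) netmask", line)
        if m:
            statics[m.group(1)] = m.group(2)
    return groups, acls, statics


def find_derived_groups(groups, statics):
    """Map each derived group to its base group and check it is still in sync.

    A '_realN_refM' group should equal the base group's members; a '_realN'
    group should equal those members after applying the static translations.
    """
    report = {}
    for name, members in groups.items():
        m = DERIVED.match(name)
        if not m or m.group("base") not in groups:
            continue
        base = m.group("base")
        if m.group("ref"):
            kind, expected = "ref", set(groups[base])
        else:
            kind, expected = "real", {statics.get(a, a) for a in groups[base]}
        report[name] = {"base": base, "kind": kind,
                        "in_sync": set(members) == expected}
    return report


def acls_using_derived(acls, report):
    """Return (acl_line, derived_group) pairs for ACLs PDM re-pointed."""
    hits = []
    for acl in acls:
        for derived in report:
            if re.search(r"object-group %s(?=\s|$)" % re.escape(derived), acl):
                hits.append((acl, derived))
    return hits


def restore_acls(acls, report):
    """Rewrite ACL lines so '_ref' copies point back at the admin's base group."""
    restored = []
    for acl in acls:
        for derived, info in report.items():
            if info["kind"] == "ref":
                acl = re.sub(r"object-group %s(?=\s|$)" % re.escape(derived),
                             "object-group " + info["base"], acl)
        restored.append(acl)
    return restored


if __name__ == "__main__":
    groups, acls, statics = parse_config(SAMPLE_CONFIG)
    report = find_derived_groups(groups, statics)
    for name, info in report.items():
        state = "in sync" if info["in_sync"] else "DRIFTED"
        print("%-28s derived from %-16s (%s copy) %s" % (name, info["base"], info["kind"], state))
    for acl, derived in acls_using_derived(acls, report):
        print("ACL references generated group %s:\n  %s" % (derived, acl))
    print("ACLs with base groups restored:")
    for line in restore_acls(acls, report):
        print("  " + line)
```

Run it against a saved `show run` to get the list of rewritten ACLs before deciding whether to hand-edit them back or accept the PDM-owned copies; the `in_sync` flag is the check to re-run after any manual change to a base group, since a `DRIFTED` copy means the ACL no longer enforces what the edited group says.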