PDM woes (yet another...)

Discussion in 'Cisco' started by Marc Luethi, Feb 2, 2005.


    Hi all!


    FWSM Firewall Version 2.3(1)
    FWSM Device Manager Version 4.1(1)

    We have set up a few object-groups to set up management access to WAN
    routers outside the FWSM. It's something like this:

    static (inside,outside) <real ip> netmask

    and the object-group we want to use in the ACLs looks like this:

    object-group network nms_servers
    network-object host
    network-object host
    network-object host

    and of course:

    access-list 123 extended permit icmp object-group <sources group>
    object-group nms_servers object-group <icmp types group>

    You get the picture, pretty basic stuff, I think.

    After having run PDM, new object-groups have appeared, such as:

    object-group network nms_servers_real1
    network-object host <real ip>
    network-object host <real ip2>
    network-object host <real ip3>
    object-group network nms_servers_real1_ref4
    network-object host
    network-object host
    network-object host

    Apart from inflating the config file, there's nothing wrong with that.


    Also, access-list statements have been modified!
    They now read:

    access-list 123 extended permit icmp object-group <sources group>
    object-group nms_servers_real1_ref4 object-group <icmp types group>

    This is upsetting. What happens now if I'd like to modify the original
    object-group? Will I have to re-run PDM to have it rewrite access-list
    123 to reflect the changes I have made to the groups? Or do it all
    exclusively via PDM from now on? *ieeeek*

    Am I missing something about PDM's inner workings here? I can't stand
    seeing software modifying what a user has configured - adding a line
    or two for itself is ok, but not changing things.

    And all this just because the CSO isn't able to read and insists on
    having a colorful clickety thing to read the ACLs. Traffic monitoring
    is quite nice, I'll admit, but why does it have to go and rewrite the
    whole configuration?

    Is there a way to prevent PDM from doing something like that?

    thanks for a hint or two

    Marc Luethi, Feb 2, 2005
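
The question above (what happens to access-list 123 once PDM has pointed it at
nms_servers_real1_ref4 and the admin later edits nms_servers by hand) can be
answered offline with a small config audit. The script below is an added
example, not code from the original post or from Cisco. It parses a saved
FWSM configuration, finds object-groups whose names follow the
<group>_realN / <group>_realN_refM pattern seen in the post (the assumption
that this pattern generalises beyond the two names posted is mine), reports
any membership drift between a _refM copy and the hand-written original, lists
ACL lines that reference the derived copies, and shows what those ACL lines
would look like if the _refM references were pointed back at the original
group. The sample configuration is constructed for the example and uses
documentation addresses; it is not the poster's real config.

```python
import re

# Constructed sample of an FWSM 2.3 config after PDM has rewritten it.
# Addresses are RFC 5737 documentation ranges, not the poster's real hosts.
# The hand-written nms_servers group has since had a third host added,
# which PDM's _ref4 copy does not know about.
SAMPLE_CONFIG = """
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
static (inside,outside) 192.0.2.11 10.1.1.11 netmask 255.255.255.255
static (inside,outside) 192.0.2.12 10.1.1.12 netmask 255.255.255.255
object-group network wan_routers
 network-object 203.0.113.0 255.255.255.0
object-group icmp-type icmp_types
 icmp-object echo
 icmp-object echo-reply
object-group network nms_servers
 network-object host 192.0.2.10
 network-object host 192.0.2.11
 network-object host 192.0.2.12
object-group network nms_servers_real1
 network-object host 10.1.1.10
 network-object host 10.1.1.11
 network-object host 10.1.1.12
object-group network nms_servers_real1_ref4
 network-object host 192.0.2.10
 network-object host 192.0.2.11
access-list 123 extended permit icmp object-group wan_routers object-group nms_servers_real1_ref4 object-group icmp_types
"""

# Assumed naming pattern for PDM-generated groups, generalised from the
# two names in the post: <base>_real<N> and <base>_real<N>_ref<M>.
DERIVED_RE = re.compile(r"^(?P<base>.+)_real\d+(?P<ref>_ref\d+)?$")


def parse_config(text):
    """Return ({group name: [members]}, [access-list lines]) for network groups.

    Only 'object-group network' blocks are collected; other object-group
    types, static statements and comments are skipped.
    """
    groups, acls, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r"network-object (host \S+|\S+ \S+)$", line)
        if m and current is not None:
            groups[current].append(m.group(1))
            continue
        current = None  # any other line ends the current group block
        if line.startswith("access-list "):
            acls.append(line)
    return groups, acls


def derived_groups(groups):
    """Map each PDM-style derived group to (base group name, is_ref_copy)."""
    result = {}
    for name in groups:
        m = DERIVED_RE.match(name)
        if m and m.group("base") in groups:
            result[name] = (m.group("base"), bool(m.group("ref")))
    return result


def check_drift(groups):
    """Compare every _refM copy with its hand-written base group.

    _realN groups hold pre-NAT addresses and legitimately differ from the
    base, so they are not compared.
    """
    drift = {}
    for name, (base, is_ref) in derived_groups(groups).items():
        if not is_ref:
            continue
        want, have = set(groups[base]), set(groups[name])
        if want != have:
            drift[name] = {"missing": sorted(want - have), "extra": sorted(have - want)}
    return drift


def acl_references(acls, groups):
    """List (acl line, derived group, base group) for ACLs that use derived groups."""
    derived = derived_groups(groups)
    return [(line, tok, derived[tok][0])
            for line in acls
            for tok in re.findall(r"object-group (\S+)", line)
            if tok in derived]


def rewrite_acls(acls, groups):
    """Return ACL lines with _refM references pointed back at the base group."""
    derived = derived_groups(groups)

    def swap(m):
        name = m.group(1)
        if name in derived and derived[name][1]:
            return "object-group " + derived[name][0]
        return m.group(0)

    return [re.sub(r"object-group (\S+)", swap, line) for line in acls]


if __name__ == "__main__":
    groups, acls = parse_config(SAMPLE_CONFIG)
    print("derived groups:", derived_groups(groups))
    print("drift:", check_drift(groups))
    for line, tok, base in acl_references(acls, groups):
        print(f"ACL uses {tok} (copy of {base}): {line}")
    print("rewritten:", rewrite_acls(acls, groups))
```

Run against a copy of `show running-config`, a non-empty drift report is the
concrete answer to the worry in the post: an edit to nms_servers alone does
not reach access-list 123 until the _ref4 copy is updated as well, whether by
PDM or by hand. The rewrite is shown for the _ref copies only; the _realN
groups carry the pre-NAT addresses, and whether an ACL should reference real
or translated addresses depends on the interface and NAT setup, which this
script does not try to decide.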
