topic Re: Reg. ASDM Object grouping in Network Security

Reg. ASDM Object grouping

ankurs2008 — Mon, 11 Mar 2019 17:52:01 GMT

In the ASDM

Objects -> Network objects/Groups

When we click on Add Network Object then consider the name which we specify is TEST1 and IP Address Range is 10.10.0.0 255.255.255.0 and we create one more Network Object and then we specify name as TEST2 and IP Address Range is 10.10.0.0 255.255.255.192 .Once we apply , then the previous network object TEST1] is replaced with the newer name [TEST2] .That means now there are 2 Network Objects entries with the same name in ASDM as shown below

TEST2 10.10.0.0 255.255.255.0
TEST2 10.10.0.0 255.255.255.192

This is equivalent to name command in CLI and doing a "sh name" will give single TEST2 with no subnet information over there

Hence please let me know if this is normal or is it a bug . I have found this in 6.3.1 , is this same in other versions as well ? Also is there any workaround to have 2 different names for similar IP Range with different mask with the above [other than the solution of creating object-group and assigning network-object to it , which i know will obviously work]

Re: Reg. ASDM Object grouping

Jennifer Halim — Fri, 28 May 2010 12:35:37 GMT

Definitely sounds like a bug.

Which version of ASA are you running? If you are running version 8.2.x or lower, I would recommend that you downgrade your ASDM to version 6.2.5.

Re: Reg. ASDM Object grouping

ankurs2008 — Fri, 28 May 2010 12:51:38 GMT

I am running 8.2.1 (18) code with ASDM 6.2 (1) , found this issue in this as well as one firewall having ASA 8.2.2 with ASDM 6.3.1 .Please let me know regarding the same

Re: Reg. ASDM Object grouping

Jennifer Halim — Fri, 28 May 2010 12:56:05 GMT

ASDM 6.3.1 is new and also to support ASA 8.3.1. Eventhough it is backward compatible, there seems to be a number of bugs with earlier version of ASA.

I would recommend that you downgrade the ASDM back to 6.2.5 since you are not running ASA 8.3.1.

Re: Reg. ASDM Object grouping

ankurs2008 — Sun, 30 May 2010 23:40:59 GMT

hi halijenn,

thanks for the reply ; however 8.2.1 (18) code with ASDM 6.2 (1) is also running and showing the same thing . Also i believe from the compatibilty matrix we can use ASDM 6.3.1 (which is recommended) with any of the 8.2 Versions .Can you please try this in lab or test with demo ASDM . Meanwhile i am also trying to figure out at my end . thanks a lot !

Re: Reg. ASDM Object grouping

Jennifer Halim — Mon, 31 May 2010 10:31:10 GMT

Hi Ankur,

I have tested it in the lab, and realise that the ASDM network object should not have a netmask field because the "name" command does not have subnet field. That is why your test is getting overriden with the later name that you configured (TEST2).

The "name" command only have the following fields:

name ip_address name [description text]]

Here is the command reference for "name" command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1747000

You can open a TAC case so ASDM bug can be raised.

Hope that helps to clarify your concern.

Re: Reg. ASDM Object grouping

ankurs2008 — Tue, 01 Jun 2010 00:45:56 GMT

Hi halijenn

I have tried with 6.2.5 ASDM code as well and the same results . Also there is subnet mask associated with the network-object while creating via ASDM and the same can be pulled into an access-list (via ASDM Browse option) to use any of those 2 names ; hence in this case even though 2 network-object having same name we can still pull our desired network-object into it . However via command line , in the "sh names" it will only show 1 name (though actually we have made 2 ) and when we will apply it in access-list (via CLI) we can utilize that name however we have to give subnet mask in ACL at that point of time .Hence , conclusion is : subnet mask of network-object useful in ASDM ; however not in the CLI .As this is almost on all ASDM i dont think it is a bug as otherwise ,it wud by now have been known by everybody .

Re: Reg. ASDM Object grouping

ankurs2008 — Wed, 02 Jun 2010 00:41:25 GMT

Hi halijenn

Please reply to my below query , thanks .

Re: Reg. ASDM Object grouping

Jennifer Halim — Wed, 02 Jun 2010 08:46:06 GMT

Hi Ankur,

There are 2 options when configuring object group via ASDM (the name is not very intuitive and does not match with CLI):

1) The name command on CLI --> Network Object

2) The object-group command on CLI --> Network Object Group

With the first one, as advised earlier, the name command on CLI does not have the subnet mask entry included. You can actually check that by creating a "Network Object" with the mask on ASDM, and when you click Apply, it will come up with a pop up box on what command is actually sent to the ASA, and it will not include the mask.

Example (Attached):

ASDM configuration for Network Object: ASDM-NetworkObject-name.JPG

CLI that is being sent to the ASA when clicking on the Apply button: CLI-sent-to-ASA.JPG

As you can see that on ASDM (Network Object) corresponds to the CLI (name command), and it does not include the subnet mask in the actual "name" command. On ASDM, it is more for your information on what subnet mask the object is, however, you can't really configure the same name with the same IP Subnet and differentiate between the 2 with subnet mask.