Can't create network objects on ASA 5505

robert.brady
Level 1

Hi,

I have a bit of a strange issue. I have a customer with an existing 5505 which connects to multiple sites for a site-to-site VPN. This firewall was not installed by myself originally; I have just been asked to take a look now.

The situation is that we now need to edit one of the existing site-to-site VPNs to include the remote site's expanded network. I have tried doing this through the ASDM and have found that I cannot add new network objects. I have tried creating a new network object group and then adding the new networks from there, but I am completely unable to add the new objects.

I believe a picture tells a thousand words in this case so I have attached some images which show the problem. 

I have also tried going through the VPN wizard, this also does not allow me to add new network objects.  It is also not possible to amend existing objects.

Accepted Solutions

Maykol Rojas
Cisco Employee

Hi,

I am not sure if you are confused. There are 2 types of objects that you can do on the ASA firewall. Versions 8.2 and below only support object-groups, where you can add an object-network inside of it, like this one right here:

object-group network test
 network-object 10.10.10.0 255.255.255.0

Version 8.3 and newer versions support object network, where you are also able to put a subnet or a host on it, just like this:

object network Private200
 host 10.0.0.200

Object-groups should be used for ACLs and stuff like that; object network should be used for NAT translations etc. If you want to modify your VPN tunnel, I would suggest you create an object-group with the desired network objects inside of it and add it to the interesting traffic ACL.

Most likely you are not able to see the object network type because you are running a version that is not 8.3 or higher.

Hope it helps.

Mike
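
One way to check, after such a change, that the expanded remote network is really covered by the interesting traffic ACL. This is an added example, not part of the original thread and not Cisco tooling; the config excerpt, the names LOCAL-NETS, SITEB-NETS, VPN-SITEB and outside_map, and all addresses are constructed. It assumes direct network-object members (no nested group-object) and ACL lines that use an object-group for both source and destination.

```python
import ipaddress
import re

# Constructed pre-8.3 running-config excerpt; every name and address is hypothetical.
SAMPLE_CONFIG = """\
ASA Version 8.2(5)
object-group network LOCAL-NETS
 network-object 192.168.1.0 255.255.255.0
object-group network SITEB-NETS
 network-object 10.20.0.0 255.255.255.0
 network-object host 10.20.9.5
access-list VPN-SITEB extended permit ip object-group LOCAL-NETS object-group SITEB-NETS
crypto map outside_map 10 match address VPN-SITEB
"""

def supports_object_network(config):
    """True when the 'ASA Version' line reports 8.3 or later."""
    m = re.search(r"^ASA Version (\d+)\.(\d+)", config, re.M)
    if m is None:
        raise ValueError("no 'ASA Version' line found")
    return (int(m.group(1)), int(m.group(2))) >= (8, 3)

def parse_object_groups(config):
    """Map each 'object-group network' name to its member networks."""
    groups, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("object-group network "):
            current = groups.setdefault(words[2], [])
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the group
        elif current is not None and words[:1] == ["network-object"]:
            # 'host A.B.C.D' is a /32; otherwise an address followed by a mask
            spec = words[2] + "/32" if words[1] == "host" else f"{words[1]}/{words[2]}"
            current.append(ipaddress.ip_network(spec))
    return groups

def remote_networks(config, acl):
    """Networks in the destination object-group of the ACL's permit ip lines."""
    groups = parse_object_groups(config)
    pat = rf"^access-list {re.escape(acl)} extended permit ip object-group \S+ object-group (\S+)"
    names = re.findall(pat, config, re.M)
    return [net for name in names for net in groups.get(name, [])]

def covered(config, acl, wanted):
    """True when the wanted prefix falls inside a remote network of the ACL."""
    target = ipaddress.ip_network(wanted)
    return any(target.subnet_of(net) for net in remote_networks(config, acl))
```

Run it against saved `show running-config` output: a remote subnet for which `covered` returns False is not matched by the tunnel's ACL and still needs a network-object line in the remote group.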

Hi Mike,

That is great.  It clears the issue up somewhat.  I managed to create a new object group through the CLI and add the new network.  The software running on the ASA was 8.1 I think.

I have successfully amended the VPN now.

Much appreciated,

Robert Brady.
