08-19-2004 11:13 AM - edited 03-09-2019 08:31 AM
I have a few PIX 515 firewalls running code 6.3.3. The PIXes automatically generate "PDM location X.X.X.X X.X.X.X inside and outside" statements based off of interfaces and static translations.
It seems odd that the OS would generate these automatically based on any IP it can identify.
How do I turn off this "feature" so that only the PDM location I tell it to use is allowed?
08-19-2004 12:01 PM
I think it is:
no pdm history enable
08-20-2004 03:01 AM
Hi,
It's a combination. The pix finds all locations a pdm session could start from. The http x.x.x.x x.x.x.x command decides who can actually use pdm.
The PDM location lines are for bookkeeping.
Documentation : Cisco Pix Firewall Command Reference version 6.3 page 7-40
Greetz,
Sjouke de Vries
08-20-2004 03:57 AM
And here is a reply from Cisco TAC on PDM location generation:
A PDM location is a pure bookkeeping command used by PDM to build its topology database.
It has nothing to do with the PIX's functionalities. In particular, it does **NOT** control which host can access PDM, which is a common misunderstanding.
The control is done by the command "http
Why do we need it?
In PDM's world, policy (those rules) is built on top of topology.
Ideally the user creates the topology first via the Host/Network tab, then configures policy elsewhere (like the Access Rule tab).
A network object exists by itself, even if there is no policy configured directly on it at a particular time.
We use the "pdm location" command to remember the location of a network object.
Hope the above explains it -
Jay
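To make the distinction in the replies above concrete, here is a PIX 6.3 configuration fragment. It is an added example, not config posted by anyone in this thread or taken from Cisco's documentation; the addresses (10.1.1.50 as a management host, 10.1.1.0/24 as an inside subnet, 192.0.2.10 as an outside host) are assumed for illustration, and the lines starting with ! are annotations rather than commands.

```text
! Added example: PIX 6.3 config fragment (not from the thread).
! The embedded HTTP server is what PDM talks to; it must be enabled.
http server enable

! Access control: only sources matching an "http <ip> <mask> <if_name>"
! entry may open a PDM session. Here only the assumed management host
! 10.1.1.50 on the inside interface is permitted.
http 10.1.1.50 255.255.255.255 inside

! Topology bookkeeping: these lines tell PDM where a network object sits.
! They grant NO access. A host at 192.0.2.10 has a pdm location entry
! but cannot reach PDM because there is no matching "http ... outside".
pdm location 10.1.1.0 255.255.255.0 inside
pdm location 192.0.2.10 255.255.255.255 outside
```

To check what is actually enforced, "show http" lists the hosts and interfaces allowed to connect to the HTTP server, and "show running-config" shows the generated pdm location lines alongside it. If a host appears only in pdm location output and not in the http list, it has no PDM access regardless of how many location entries the PIX generated for it.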