Auto Generation of PDM Location Statements

pshelfo1
Level 1

I have a few PIX 515 firewalls running code 6.3.3. The PIXes automatically generate "PDM location X.X.X.X X.X.X.X inside and outside" statements based off of interfaces and static translations.

It seems odd that the OS would generate these automatically based on any IP it can identify.

How do I turn off this "feature" so that only the PDM location I tell it to use is allowed?

3 Replies

piseli
Level 1

I think it is:

no pdm history enable

sjouke
Level 1

Hi,

It's a combination. The PIX finds all locations a PDM session could start from. The "http x.x.x.x x.x.x.x" command decides who can actually use PDM.

The PDM location lines are for bookkeeping.

Documentation : Cisco Pix Firewall Command Reference version 6.3 page 7-40

Greetz,

Sjouke de Vries

jmia
Level 7

And here is a reply from Cisco TAC on PDM location generation:

A PDM location is a pure bookkeeping command used by PDM to build its topology database.

It has nothing to do with the PIX's functionalities. In particular, it does **NOT** control which host can access PDM, which is a common misunderstanding.

The control is done by the command "http ".

Why do we need it?

In PDM's world, policy (those rules) is built on top of topology.

Ideally the user creates the topology first via the Host/Network tab, then configures policy elsewhere (like the Access Rule tab).

A network object exists by itself, even if there is no policy configured directly on it at a particular time.

We use the "pdm location" command to remember the location of a network object.

Hope the above explains it -

Jay
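As an added example (not from this thread or from Cisco), a small Python audit script that reads a constructed PIX 6.3-style configuration excerpt and answers the question the replies above raise: which hosts the `http` lines actually permit to open PDM, versus which networks merely appear in `pdm location` bookkeeping entries. The `http server enable` line, and the defaults of a host mask and the inside interface for a bare `http <ip>`, are assumptions taken from PIX 6.x `http ip_address [netmask] [if_name]` syntax.

```python
import ipaddress
import re

# Constructed PIX 6.3-style configuration excerpt (not taken from the thread).
SAMPLE_CONFIG = """\
pdm location 10.1.1.5 255.255.255.255 inside
pdm location 192.168.50.0 255.255.255.0 outside
pdm location 172.16.0.0 255.255.0.0 dmz
http server enable
http 10.1.1.0 255.255.255.0 inside
http 10.1.2.7
"""

# "http <ip> [netmask] [if_name]": netmask and interface are optional in PIX 6.x.
HTTP_RE = re.compile(r"^http\s+(\d+\.\d+\.\d+\.\d+)(?:\s+(\d+\.\d+\.\d+\.\d+))?(?:\s+(\S+))?\s*$")
PDM_LOC_RE = re.compile(r"^pdm location\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$")


def parse_config(text):
    """Return (server_enabled, http_rules, pdm_locations); entries are (network, if_name)."""
    server_enabled, http_rules, locations = False, [], []
    for line in text.splitlines():
        line = line.strip()
        if line == "http server enable":
            server_enabled = True
            continue
        m = HTTP_RE.match(line)
        if m:
            mask = m.group(2) or "255.255.255.255"   # single host when no netmask is given
            if_name = m.group(3) or "inside"         # assumed default interface
            http_rules.append((ipaddress.ip_network(f"{m.group(1)}/{mask}", strict=False), if_name))
            continue
        m = PDM_LOC_RE.match(line)
        if m:
            locations.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False), m.group(3)))
    return server_enabled, http_rules, locations


def pdm_access_allowed(text, host, if_name):
    """True only if the HTTP server is enabled and an http line covers host on if_name."""
    server_enabled, http_rules, _ = parse_config(text)
    addr = ipaddress.ip_address(host)
    return server_enabled and any(addr in net and iface == if_name for net, iface in http_rules)


def locations_without_access(text):
    """pdm location entries not fully covered by an http rule on the same interface.
    They are topology bookkeeping only and grant no PDM access by themselves."""
    _, http_rules, locations = parse_config(text)
    return [(str(net), iface) for net, iface in locations
            if not any(iface == hi and net.subnet_of(hn) for hn, hi in http_rules)]
```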