Re: CSPM 3.0 strict error checking

echee · ‎11-22-2001

I've tried CSPM 2.3.x and 3.0 to define a PIX object with overlapping subnets. Let say the subnet connecting to e0 is 10.5.0.0/16 and the subnet connecting to e1 is 10.5.5.0/24. In this case, the CSPM doesn't accept me. Is there any workaround or I need to give up CSPM? Due to historical reasons, I cannot alter the design of the subnets.

smahbub · ‎11-29-2001

Configuring that directly on the PIX will give you problems so that is why CSPM will not allow it. The PIX will be very confused as to which networks it owns where. Renumber that 10.5.5.0/24 subnet… make your own history.

brford · ‎11-29-2001

echee,

So CSPM has a setting that forces it to check the configuration before you write to the device. That used to be a check box. If you are sure that the overlapping subnet is your only issue I would disable the CSPM checking feature and then push the policy out. Remeber to turn it back on immediately after writing the device.

Liberty for All,

Brian

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.

echee · ‎12-03-2001

Dear Brian,

Thanks for your reply. However, I can't even define the PIX object in the CSPM if the interfaces/networks attached to it is overlapped. Therefore, I can't further define the objects and the rulebase.

Thanks.

echee