Null Rule

pshelfo1
Level 1

I am running PIX IOS 6.3(3) with PDM 3.0(1). Whenever I create an Access List in the PIX CLI the PDM displays the rule as any(Null Rule).

What does this mean and why?

2 Replies

jonathanstevens
Level 1

To quote...

A null rule indicates that an access rule was configured for a host that is not visible on another interface. This rule is null because no traffic can flow between these two hosts even though the access rule would permit it.

This situation can happen when PDM reads an existing configuration with one of the following characteristics:

Inbound rules without a static translation

Outbound rules without NAT

No hosts or networks defined for either source or destination

I find I run into this a lot (it's one of the reasons I don't use the PDM for configuration), as I often have network based rules, but host based statics. The PDM won't match these up.

I ran into this same situation. Can one trust that it won't fail? Upon creating the config using the CLI (basically a copy and paste of a config created with the PDM, just tweaked to get some other things added), the PDM nulls all rules with a group. If you try to recreate it in the PDM, it adds the following commands to the config.

object-group network XXXX_ref
network-object XXXX 255.255.255.255
access-list outside_access_in permit tcp any object-group XXXX_ref eq smtp
pdm group XXXX_ref outside reference XXXX

To me it looks like the PDM is saying that the server is now on the outside interface.
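A check for the mismatch both replies describe (an inbound permit whose destination has no matching static, such as a network-based rule paired with a host-based static), as an added example that is not from this thread or from Cisco: it parses a constructed PIX 6.3-style config with Python and lists the access-list entries PDM would show as null. It assumes PDM's matching rule is "the rule's destination must fall inside one static's mapped range", as the first reply describes, and handles only the any/host/network address forms, not object-group.

```python
import ipaddress
import re

# Constructed sample config (not taken from the original post).
# Two statics: a host static (/32) and a network static (/26).
SAMPLE_CONFIG = """
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.64 10.0.0.64 netmask 255.255.255.192
access-list outside_access_in permit tcp any host 203.0.113.10 eq smtp
access-list outside_access_in permit tcp any 203.0.113.0 255.255.255.0 eq www
access-list outside_access_in permit tcp any 203.0.113.64 255.255.255.192 eq ssh
access-group outside_access_in in interface outside
"""

def parse_statics(config):
    """Return the mapped (global-side) networks declared by 'static' commands."""
    pat = r"^static \(\S+,\S+\) (\S+) \S+ netmask (\S+)"
    return [ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            for ip, mask in re.findall(pat, config, re.M)]

def take_addr(tokens):
    """Consume one address spec ('any', 'host X', or 'X MASK') from the
    token list and return (network, remaining_tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def find_null_rules(config):
    """Return inbound permit entries whose destination is not contained in
    any single static's mapped range (the assumed PDM 'null rule' test)."""
    statics = parse_statics(config)
    inbound = set(re.findall(r"^access-group (\S+) in interface", config, re.M))
    null_rules = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[1] not in inbound:
            continue
        if t[2] != "permit":      # a deny needs no translation to be meaningful
            continue
        _src, rest = take_addr(t[4:])   # skip name, action, protocol
        dst, _ = take_addr(rest)
        if not any(dst.subnet_of(s) for s in statics):
            null_rules.append(line)
    return null_rules

if __name__ == "__main__":
    for rule in find_null_rules(SAMPLE_CONFIG):
        print("null rule:", rule)   # only the /24 rule: no static covers it
```

The /24 "eq www" entry is reported because its network-based destination is wider than the host static that exists for it, which is exactly the pairing the first reply says PDM will not match up.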