cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Migrating from ASA 8.2 makes double objects and rules

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Highlighted
santonic
L5 Sessionator
‎06-27-2018 10:53 PM
‎06-27-2018 10:53 PM

Migrating from ASA 8.2 makes double objects and rules

I'm migrating configuration from ASA version 8.2 and I noticed that quite a lot of objects are doubled and also some rules are doubled. 

 

If I look at doubled objects 1 of them has 'default' under 'src File' coloumn and the other has config file name in that coloumn (filename matching the one i imported). I only imported this named config file. Where does 'default' come from?

 

And both objcts of this doubled pir are used so I'm assuming rules have been doubled for the same reason.

 

Anyone had similar issues?

0 Likes
Reply
Highlighted
alestevez
L7 Applicator
‎06-28-2018 01:17 AM
‎06-28-2018 01:17 AM

can it be the netmasks are different? You can merge by name and value....

0 Likes
Reply
Highlighted
santonic
L5 Sessionator
‎06-28-2018 01:22 AM
‎06-28-2018 01:22 AM

Nope, everything is the same, just src File field differs.

 

Capture.JPG

0 Likes
Reply
Highlighted
santonic
L5 Sessionator
‎06-28-2018 01:23 AM
‎06-28-2018 01:23 AM

Loading config later discards it anyway:

 

address -> mOltar-32 'mOltar-32' is already in use

address -> mOltar-32 mOltar-32 is invalid. Discarding

0 Likes
Reply
Highlighted
santonic
L5 Sessionator
‎06-28-2018 04:32 AM
‎06-28-2018 04:32 AM

Now I noticed it also didn't change destination zone to post DNAT zone in FW rules. Maybe cause the object isn't correct; it seems it created 2 same objects out of 1 object with no mask and also left the orginal one

 

Capture.JPG

 

And FW rules (connected with above post DNAT problem) allowing known services on TCP ports (www, smtp) have ipsec-esp as application:

 

Capture2.JPG

 

Corresponding NAT rule:

 

Capture3.JPG

0 Likes
Reply
Highlighted
BBartik
L1 Bithead
‎05-28-2020 06:07 AM
‎05-28-2020 06:07 AM

I know this is old but I believe the reason for Default is that the object is already part of a group in the ASA. If the SrcFile is equal to the filename, that means expedition has created the objects based on a rule.

 

Example: TCP port 9060 is part of an object group already. When you import the ASA config, Expedition creates a new object and SrcFile shows up as "Default". TCP 9061 is not in an object group but used in a rule. Expedition creates the object and marks the SrcFile as the filename.

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2020 - Palo Alto Networks