
[–]KIMBOSLlCEStreet Certified 5 points6 points  (0 children)

If I was a competing firewall vendor I'd copy-paste the thread starter's opening question onto my own firewall's testimonial page.

[–]rankinrez 16 points17 points  (14 children)

Enclose it in quotes?

Just a guess, this is clearly an idiotic bug.

ASA CLI is horrible, but give it to me any time over the GUI!

[–]krux702 29 points30 points  (11 children)

I might look at the GUI, the day Cisco stops using Java.

[–]djamp42 13 points14 points  (1 child)

Yes, I have a special hate for any developer making GUIs like that. Web GUI only, HTTPS, and don't use fucking Flash either.. Fuck..

[–]zachpulsNetwork Engineer 0 points1 point  (0 children)

To be fair, given the current Javascript (I mean ECMAScript, don't sue me Oracle!) ecosystem, I can see the draw of using Applets :P

My favorite stack has always been JSF/PrimeFaces.

[–]Strahd414 5 points6 points  (4 children)

Take a look at the FTD GUI, I imagine ASA isn't long for this world anymore.

[–]Pandemic21 0 points1 point  (3 children)

The FMC GUI is actually pretty sweet. There's some strangeness if you're using Chrome, maximized, and try to increase the width of a column (like in the ACL), but other than that one weird bug it's infinitely better than the fuckin ASA Java GUI.

[–]Rex9 1 point2 points  (2 children)

Yeah, except that whole part where on ASDM you hit "Apply" and it's done. On ASDM you hit "Deploy", select your device(s), then wait 5-8 minutes for it to be applied. That part of FMC drives me up a fucking wall. Especially when it's "Oops, I forgot to add a host to the Access Policy" - wait, make the change, deploy, wait 5-8 minutes again. It's fucking ridiculous.

[–]Pandemic21 1 point2 points  (1 child)

Yeah that part is annoying. It gets to 80% in ~30 seconds, then just sits there for ~6 minutes and just chills, as far as I can tell.

Still better than the conversation that happens at least once a week

"Hey, is anybody else in the ASA?"
"Yeah what's up"
"Dammit, I'm trying to apply this change. Did you make a change?"
"Uh... I don't remember if I applied it."
"OK let me know when you're done and I'll re-do my change."


[–]Strahd414 0 points1 point  (0 children)

I'm not sure if this is still a thing, but I remember years ago I needed to do something on an ASA, but a co-worker was doing a show access-list and was stopped halfway down. I pulled up the same access-list and it wouldn't let me browse it further than he was paused at.

[–]heathenyak 1 point2 points  (3 children)

Some of their guis use flash...

[–]PM-ME-D_CK-PICS 0 points1 point  (2 children)


[–]heathenyak 1 point2 points  (1 child)


[–]PM-ME-D_CK-PICS 0 points1 point  (0 children)

> ASA CLI is horrible, but give it to me any time over the GUI!

> I might look at the GUI once Cisco stops using Java

Within context, I was confused.

ISE isn't any better though. :P

[–]InterJet[S] 0 points1 point  (1 child)

I tried quotes and parentheses.

[–]jack_perignon 0 points1 point  (0 children)

Try quotes and parentheses with an escape? Maybe try an apostrophe?

[–]gotfcgo 3 points4 points  (0 children)

I couldn't find a way to solve that bug. CLI is all you got I think.

[–]tylervaloCCNA CCDA 6 points7 points  (8 children)

Sounds stupid, but maybe try a different key on the keyboard for the - symbol?

[–]InterJet[S] 3 points4 points  (7 children)

Oh it's weird, like the source port works fine. I can do source port 775-776 and that works. Destination Port I get -1 because I guess it's adding them together, same symbol used. I even copied and pasted from source port.

[–]almostdvs 0 points1 point  (3 children)

Try just putting the first destination port

[–]InterJet[S] 0 points1 point  (2 children)

Oh, like and then doing the second one after I save it?

[–]almostdvs 0 points1 point  (1 child)

On some firewalls if you put a range in the public port you only put the first port on the private and it will just do the range math for you since a range has to match sizes no matter what.
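The bug InterJet describes above (the destination-port field doing 775 - 776 = -1) and almostdvs's point about range math, worked through as an added example. This is not code from the thread or from Cisco; the function names and the sample ports are made up for illustration, and the validation shown is what a properly designed port-range field should do.

```python
import re

# Accepts "775" or "775-776" (optional whitespace around the dash).
PORT_RANGE = re.compile(r"^\s*(\d{1,5})\s*(?:-\s*(\d{1,5}))?\s*$")


def naive_port_field(text: str) -> int:
    """Mimics the faulty behaviour the thread reports: the dash is read
    as subtraction, so "775-776" becomes -1 (constructed illustration)."""
    low, dash, high = text.partition("-")
    return int(low) - int(high) if dash else int(low)


def parse_port_range(text: str) -> tuple[int, int]:
    """Parse a port or port range into (low, high), rejecting bad input
    instead of silently producing nonsense like -1."""
    m = PORT_RANGE.match(text)
    if not m:
        raise ValueError(f"not a port or port range: {text!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    for port in (low, high):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    if high < low:
        raise ValueError(f"range is reversed: {low}-{high}")
    return low, high


def map_pat_range(public: tuple[int, int], private_start: int) -> tuple[int, int]:
    """The 'range math' almostdvs describes: given the public range and
    only the first private port, derive the equally sized private range."""
    low, high = public
    private_end = private_start + (high - low)
    if not 1 <= private_start or private_end > 65535:
        raise ValueError(f"private range {private_start}-{private_end} leaves 1-65535")
    return private_start, private_end


if __name__ == "__main__":
    print(naive_port_field("775-776"))                  # the bug: -1
    print(parse_port_range("775-776"))                  # (775, 776)
    print(map_pat_range(parse_port_range("775-776"), 8775))  # (8775, 8776)
```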

[–]InterJet[S] 0 points1 point  (0 children)

Oh I see, I'll give that a shot, thanks.

[–]gotnikes 2 points3 points  (1 child)

ASDM you mean?

[–]csalles1 2 points3 points  (0 children)

Happened to me today. Had to use CLI.

[–]w00ten 1 point2 points  (0 children)

I know you said GUI but have you tried the CLI? If it still subtracts then maybe try preceding the - with a \ to escape the subtraction? I can't remember if Cisco does that but a lot of command lines do. It can't hurt to try.

Edit: give it a shot in the GUI too. Again, can't hurt to try.

[–]asdlkfesteemed fruit-loop -2 points-1 points  (17 children)



... yea, no.

[–]gr33nmonk3yCCENT, CCDA, JNCIA, VCP4 5 points6 points  (0 children)

We use the CLI for initial setup and detailed troubleshooting. We use the ASDM for routine object, NAT, and ACL changes. They each have their benefits. Use the right tool for your needs I say.

[–]chefjlCC&A 23 points24 points  (10 children)

Yeah, how dare anyone use the tools Cisco designed and distributed to perform exactly what the OP is trying to accomplish. Shame!

[–]asdlkfesteemed fruit-loop 9 points10 points  (3 children)


You used the word "designed".

Designed would imply that any amount of forethought and consideration went into the construction of the GUI management tools for ASA, which it clearly did not.

[–]chefjlCC&A 0 points1 point  (2 children)

I get your point, but I suspect the design team behind it wouldn't appreciate it much.

[–]PM-ME-D_CK-PICS -2 points-1 points  (1 child)

LOL dude are you a Cisco shill?

If they designed a good GUI we wouldn't have this thread right now.

[–]chefjlCC&A -2 points-1 points  (0 children)

Yeah, that's me.

[–]halofreak8899CCNA R&S, CCNA SEC, COMPTIAA A+, MCP 8 points9 points  (4 children)

It's a pretty garbage gui.

[–]chefjlCC&A 13 points14 points  (1 child)

I don't disagree, but the CLI gatekeeping nonsense needs to stop.

[–]PM-ME-D_CK-PICS -1 points0 points  (0 children)

Even when it's a garbage CLI? I don't think he was gatekeeping, especially because the thread is about the ASA GUI, which you agree is garbage.

Low effort comment, yeah but not gatekeeping, IMO

[–]error404J 1 point2 points  (1 child)

It's a pretty garbage CLI too...

[–]halofreak8899CCNA R&S, CCNA SEC, COMPTIAA A+, MCP -1 points0 points  (0 children)

Yea you right

[–]jimothyjones 4 points5 points  (0 children)

Wait, if he is not generating the config in Ruby and then converting it and applying via python, then he is dead to me.

And barely a Jr Engineer at that.


[–]robertito42 5 points6 points  (3 children)

What, you don't like DM_INLINEs?

[–]ryankearney 2 points3 points  (2 children)

You only get DM_INLINE if you try and do impossible things like put multiple objects in a single rule instead of using an object group. The ASA creates that group on your behalf because you couldn't be bothered to make one yourself.

In the time I managed ASAs using ASDM I never once had a problem with DM_INLINE appearing in the config.

[–]robertito42 0 points1 point  (0 children)

We're doing a migration and we have a strict no-DM_INLINE policy.

[–]ehcanada 0 points1 point  (0 children)

Yeah... until that one tech is told to add rules to allow a new monitoring system and has to allow 15 different tcp and udp ports throughout your DMZ environment. Get ready to unwind that fucking mess when you get back.

[–]InterJet[S] 0 points1 point  (0 children)

hahahaha, always good for a laugh isn't it