42

ASA is doing math when I type in port ranges, rather than giving me a port range

I'm creating a network object in an asa 5506x gui, and I do 5000-5001 and it thinks I'm trying to input -1 as the port range. I know I could probably do it via command line and workaround this issue, but wondering if anyone has a solution.

48 comments
82% Upvoted
level 1
Street Certified · 5 points · 3 months ago · edited 3 months ago

If I was a competing firewall vendor I'd copy-paste the thread starter's opening question onto my own firewall's testimonial page.

level 1

Enclose it in quotes?

Just a guess, this is clearly an idiotic bug.

ASA CLI is horrible, but give it to me any time over the GUI!

level 2
30 points · 3 months ago

I might look at the GUI, the day Cisco stops using Java.

level 3
15 points · 3 months ago

Yes, I have a special hate for any developer making GUIs like that. WebGUI only, HTTPS, and don't use fucking Flash either.. Fuck..

level 4
Network Engineer · 1 point · 3 months ago

To be fair, given the current Javascript (I mean ECMAScript, don't sue me Oracle!) ecosystem, I can see the draw of using Applets :P

My favorite stack has always been JSF/PrimeFaces.

level 3

Take a look at the FTD GUI, I imagine ASA isn't long for this world anymore.

level 4
Infosec (it's always the network...) · 1 point · 3 months ago

The FMC GUI is actually pretty sweet. There's some strangeness if you're using Chrome, maximized, and try to increase the width of a column (like in the ACL), but other than that one weird bug it's infinitely better than the fuckin ASA Java GUI.

level 5
2 points · 3 months ago

Yeah, except that whole part where on ASDM you hit "Apply" and it's done. On ASDM you hit "Deploy", select your device(s), then wait 5-8 minutes for it to be applied. That part of FMC drives me up a fucking wall. Especially when it's "Oops, I forgot to add a host to the Access Policy" - wait, make the change, deploy, wait 5-8 minutes again. It's fucking ridiculous.

level 6
Infosec (it's always the network...) · 2 points · 3 months ago

Yeah that part is annoying. It gets to 80% in ~30 seconds, then just sits there for ~6 minutes and just chills, as far as I can tell.

Still better than the conversation that happens at least once a week

"Hey, is anybody else in the ASA?"
"Yeah what's up"
"Dammit, I'm trying to apply this change. Did you make a change?"
"Uh... I don't remember if I applied it."
"OK let me know when you're done and I'll re-do my change."

...

level 7

I'm not sure if this is still a thing, but I remember years ago I needed to do something on an ASA, but a co-worker was doing a show access-list and was stopped halfway down. I pulled up the same access-list and it wouldn't let me browse it further than he was paused at.

level 3

Some of their guis use flash...

level 4

The ASA GUI?

level 5

ISE

level 6

ASA CLI is horrible, but give it to me any time over the GUI!

I might look at the GUI once Cisco stops using Java

Within context, I was confused.

ISE isn't any better though. :P

level 2
Original Poster · 1 point · 3 months ago

I tried quotes and parentheses.

level 3

Try quotes and parentheses with an escape? Maybe try an apostrophe?

level 1
CCNP, CCNA Wireless, CCNA Security · 4 points · 3 months ago

I couldn't find a way to solve that bug. CLI is all you got I think.

level 1
CCNA CCDA · 7 points · 3 months ago

Sounds stupid, but maybe try a different key on the keyboard for the - symbol?

level 2
Original Poster · 4 points · 3 months ago · edited 3 months ago

Oh it's weird, like the source port works fine. I can do source port 775-776 and that works. Destination Port I get -1 because I guess it's adding them together, same symbol used. I even copied and pasted from source port.

level 3

Try just putting the first destination port

level 4
Original Poster · 1 point · 3 months ago

Oh, like, and then doing the second one after I save it?

level 5

On some firewalls if you put a range in the public port you only put the first port on the private and it will just do the range math for you since a range has to match sizes no matter what.

level 6
Original Poster · 1 point · 3 months ago

oh I see, I'll give that a shot thanks
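
As an added illustration of the two points above (the hyphen in "5000-5001" being read as subtraction, and the private side of a range-to-range translation following from the public range size), here is a small validator, written for this thread and not ASA or ASDM code; the function names and the constructed inputs are my own.

```python
import re

# A port spec is a single port or "low-high"; the hyphen is a separator, not a minus sign.
PORT_SPEC_RE = re.compile(r"^\s*(\d{1,5})\s*(?:-\s*(\d{1,5}))?\s*$")


def buggy_subtract(spec: str) -> int:
    """Model of the symptom in the thread: treating 'a-b' as arithmetic.

    Constructed to reproduce the reported "-1"; this is not how ASDM works internally.
    """
    left, right = spec.split("-", 1)
    return int(left) - int(right)  # "5000-5001" -> -1


def parse_port_spec(spec: str) -> tuple[int, int]:
    """Parse 'N' or 'N-M' into an inclusive (low, high) pair with sanity checks."""
    match = PORT_SPEC_RE.match(spec)
    if not match:
        raise ValueError(f"not a port or port range: {spec!r}")
    low = int(match.group(1))
    high = int(match.group(2)) if match.group(2) is not None else low
    for port in (low, high):
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} outside 1-65535")
    if low > high:
        raise ValueError(f"range low end {low} exceeds high end {high}")
    return low, high


def is_valid_port_spec(spec: str) -> bool:
    """Convenience wrapper so callers can test without catching exceptions."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def map_static_range(public_spec: str, private_start: int) -> tuple[int, int]:
    """Derive the private port range for a range-to-range static translation.

    Both sides must have the same size, so only the first private port is needed;
    the high end follows from the size of the public range.
    """
    pub_low, pub_high = parse_port_spec(public_spec)
    private_high = private_start + (pub_high - pub_low)
    if not 1 <= private_start <= 65535 or private_high > 65535:
        raise ValueError("private range would fall outside 1-65535")
    return private_start, private_high
```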

level 3
-15 points · 3 months ago(2 children)
level 4

Thanks for your contribution.

level 1

asdm you mean?

level 2
Original Poster · 1 point · 3 months ago

yep

level 1

Happened to me today. Had to use CLI.

level 1
2 points · 3 months ago · edited 3 months ago

I know you said GUI but have you tried the CLI? If it still subtracts then maybe try preceding the - with a \ to escape the subtraction? I can't remember if Cisco does that but a lot of command lines do. It can't hurt to try.

Edit: give it a shot in the GUI too. Again, can't hurt to try.

level 1
esteemed fruit-loop · -1 points · 3 months ago

ASA

GUI

... yea, no.

level 2
CCENT, CCDA, JNCIA, VCP · 46 points · 3 months ago

We use the CLI for initial setup and detailed troubleshooting. We use the ASDM for routine object, NAT, and ACL changes. They each have their benefits. Use the right tool for your needs I say.

level 2
CC&A · 25 points · 3 months ago

Yeah, how dare anyone use the tools Cisco designed and distributed to perform exactly what the OP is trying to accomplish. Shame!

level 3
esteemed fruit-loop · 13 points · 3 months ago

no.

You used the word "designed".

"Designed" would imply that any amount of forethought and consideration went into the construction of the GUI management tools for ASA, which it clearly did not.

level 4
CC&A · 1 point · 3 months ago

I get your point, but I suspect the design team behind it wouldn't appreciate it much.

level 5

LOL dude are you a Cisco shill?

If they designed a good GUI we wouldn't have this thread right now.

level 6
CC&A · -1 points · 3 months ago

Yeah, that's me.

level 3
CCNA R&S, CCNA SEC, CompTIA A+, MCP · 10 points · 3 months ago

It's a pretty garbage GUI.

level 4
CC&A · 15 points · 3 months ago

I don't disagree, but the CLI gatekeeping nonsense needs to stop.

level 5

Even when it's a garbage CLI? I don't think he was gatekeeping, especially because the thread is about the ASA GUI, which you agree is garbage.

Low-effort comment, yeah, but not gatekeeping, IMO.

level 4

It's a pretty garbage CLI too...

level 5
CCNA R&S, CCNA SEC, CompTIA A+, MCP · 0 points · 3 months ago

Yeah, you're right.

level 3

Wait, if he is not generating the config in Ruby and then converting it and applying it via Python, then he is dead to me.

And barely a Jr Engineer at that.

/s

level 2

What, you don't like DM_INLINEs?

level 3

You only get DM_INLINE if you try and do impossible things like put multiple objects in a single rule instead of using an object group. The ASA creates that group on your behalf because you couldn't be bothered to make one yourself.

In the time I managed ASAs using ASDM I never once had a problem with DM_INLINE appearing in the config.

level 4

We're doing a migration and we have a strict no-DM_INLINE policy.

level 4

Yeah... until that one tech is told to add rules to allow a new monitoring system and has to allow 15 different tcp and udp ports throughout your DMZ environment. Get ready to unwind that fucking mess when you get back.

level 2
Original Poster · 1 point · 3 months ago

Hahahaha, always good for a laugh, isn't it?
