Thanks to Walter for his exhaustive explanations about the use of nested groups for IPsec rules in the PIX.
What I'm reporting now is that the PDM doesn't accept nested groups for ACLs on interfaces for incoming traffic. It doesn't show the nested group within the dialog box either to create an ACL for incoming traffic or to modify an existing one.
The PDM shows that rule as a "Null-rule" but I don't know why.
I created 2 groups A and B.
Group A is made of network objects. Group B is made of network objects plus an object-group.
As the groups are used on int_A to build an IPsec tunnel, the 1st thing I took care of was to specify which traffic to exempt from translation when it flows between the 2 interfaces (int_A and int_B) behind which the 2 groups respectively sit. So
access-list intA_nat0_outbound permit ip object-group A object-group B
nat (intA) 0 access-list intA_nat0_outbound
and
access-list intB_nat0_outbound permit ip object-group B object-group A
nat (intB) 0 access-list intB_nat0_outbound
then I applied the following ACLs
access-list intA_access_in permit icmp object-group A object-group B
access-list intB_access_in permit icmp object-group B object-group A
But the 2nd is displayed as "Null rule" on the PDM (and not both!)
None of the networks overlap with each other (By the way, do you know how to see how groups are expanded by the PIX?)
Have you any idea?
TIA
Alex
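For readers following the configuration Alex describes, here is an added, constructed PIX 6.x configuration fragment (not from the post) that spells out the nested object-groups, the nat 0 exemptions and the inbound ACLs; the network addresses and the inner group name B_inner are placeholders.

```text
! Constructed example: nested network object-groups on PIX 6.x
object-group network A
  network-object 10.1.0.0 255.255.255.0
  network-object 10.1.1.0 255.255.255.0
object-group network B_inner
  network-object 10.2.5.0 255.255.255.0
object-group network B
  network-object 10.2.0.0 255.255.255.0
  group-object B_inner
! Exempt A <-> B traffic from translation on both interfaces
access-list intA_nat0_outbound permit ip object-group A object-group B
nat (intA) 0 access-list intA_nat0_outbound
access-list intB_nat0_outbound permit ip object-group B object-group A
nat (intB) 0 access-list intB_nat0_outbound
! Inbound ACLs bound to each interface with access-group
access-list intA_access_in permit icmp object-group A object-group B
access-group intA_access_in in interface intA
access-list intB_access_in permit icmp object-group B object-group A
access-group intB_access_in in interface intB
! "show access-list" prints each ACL with the object-groups expanded
! into the individual ACEs the PIX actually evaluates, with hit counts
```

Comparing the expanded output of "show access-list" for intA_access_in and intB_access_in is the quickest way to confirm the PIX itself evaluates both rules identically, independent of how the PDM renders them.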