ACL ACE change implementations

Unanswered Question
Jun 6th, 2007

On ASA5520 with 7.2(2), does the WRITE MEMORY command apply changes made in NAMES and/or associated outlined ACL/ACE/OBJECTGROUPS, or is re-entry of any associated access-group command such as below required? If re-entry is required, should the NO parameter be entered for the related access-group command prior to re-entry of the associated access-group command:

access-group acl-dmz1 in interface dmz1

rsmith@co.shast... Fri, 06/08/2007 - 08:09

Not quite sure what you are asking...

The Name, ACL, etc. commands are activated and running after you hit the "enter" key when entering them. This configuration is stored in the "running-config" file.

Typing "Write Memory" just saves the "running-config" file to NVRAM, "startup-config", so when you reboot the device it reads the new configuration.

This is helpful in that if you enter a wrong command, and lose all access to the device, you can reboot and recover to a "pre-change" condition.


HTH.


Russ


michaelm18x Fri, 06/08/2007 - 08:44

Issue was that I performed IP address changes on several devices in the NAMES area related to subnet relocations and associated ACLs. After it was confirmed that communication to the new subnet was working, I was later informed that it was not and that this was possibly due to me not properly applying the change. But startup-config comparisons of my change vs. the updated change do not show any coding differences. In addition, I am not being told exactly what I missed. Therefore I can only deduce that I may have missed the rebinding of the related access-group to its interface, thinking that this makes the change effective. Is this a fair assumption?

rsmith@co.shast... Fri, 06/08/2007 - 08:59

I have not implemented any NAMES configuration, but I believe from the documentation that the NAMES table is separate from the configuration. Below is what I found in the command reference, and the URL:


clear configure name - Clears the list of names from the configuration.


names - Enables the association of a name with an IP address.


show running-config name - Displays the names associated with an IP address.


http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/no_711.html#wp1607336


michaelm18x Fri, 06/08/2007 - 11:54

I stand corrected... my IP address change was to the IP address for each associated network-object host. So with such a change, would the associated interface have to be rebound/executed to activate the change:


Eg. fw# access-group acl-dmz4 in interface dmz4


Or would it be in effect immediately after the change of the ip address of the associated network objects?


rsmith@co.shast... Fri, 06/08/2007 - 12:21

Since you just changed the IP address of the object (network-object host x.x.x.x or network-object "net_address" "mask"), those changes should be immediate. The ACLs read the object, so they should pick up the new IP entered. You should not need to remove and re-install the access-group command.

Your original issue regarding access may be in another area? (routes? NAT?)

Here is a URL re:Object Groups. It does not provide much more on the issue, though:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml
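The thread's practical question is whether an edited network-object host propagates to the ACLs that reference its object-group and to the interface binding, and the original poster's approach of comparing saved configs. The following is an added example, not code from the thread or from Cisco: it parses two constructed ASA-style config snippets (hypothetical object-group, ACL and interface names, RFC 5737 documentation addresses), diffs the object-group membership, and reports which access-lists read each changed group and which access-group binding carries them. It works offline on text only and does not talk to a device; the config format it understands is limited to the line shapes shown.

```python
"""
Added example (not from the forum thread or Cisco): audit an object-group
change by resolving which ACLs reference the group and which interface the
ACL is bound to, using two config snapshots as text.
"""
import re
from collections import defaultdict

# Constructed "before" snapshot: hypothetical names, RFC 5737 addresses.
CONFIG_BEFORE = """\
names
name 192.0.2.10 web-old
object-group network dmz1-servers
 network-object host 192.0.2.10
 network-object host 192.0.2.11
access-list acl-dmz1 extended permit tcp any object-group dmz1-servers eq 443
access-group acl-dmz1 in interface dmz1
"""

# Constructed "after" snapshot: one host in the group was renumbered.
CONFIG_AFTER = """\
names
name 198.51.100.10 web-new
object-group network dmz1-servers
 network-object host 198.51.100.10
 network-object host 192.0.2.11
access-list acl-dmz1 extended permit tcp any object-group dmz1-servers eq 443
access-group acl-dmz1 in interface dmz1
"""


def parse_asa(config: str) -> dict:
    """Extract object-group members, ACL -> object-group references and access-group bindings."""
    groups = defaultdict(list)   # group name -> member lines
    acl_refs = defaultdict(set)  # group name -> ACL names that reference it
    bindings = {}                # ACL name -> (direction, interface)
    current = None               # object-group currently being read
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("object-group network "):
            current = line.split()[2]
            groups[current]  # register the group even if it ends up empty
        elif line.startswith(" ") and current:
            groups[current].append(line.strip())  # indented member line
        else:
            current = None
            m = re.match(r"access-list (\S+) .*object-group (\S+)", line)
            if m:
                acl_refs[m.group(2)].add(m.group(1))
            m = re.match(r"access-group (\S+) (in|out) interface (\S+)", line)
            if m:
                bindings[m.group(1)] = (m.group(2), m.group(3))
    return {
        "groups": dict(groups),
        "acl_refs": {k: sorted(v) for k, v in acl_refs.items()},
        "bindings": bindings,
    }


def diff_members(before: dict, after: dict) -> dict:
    """Per object-group, members removed and added between the two snapshots."""
    changes = {}
    for name in set(before["groups"]) | set(after["groups"]):
        b = set(before["groups"].get(name, []))
        a = set(after["groups"].get(name, []))
        if a != b:
            changes[name] = {"removed": sorted(b - a), "added": sorted(a - b)}
    return changes


def impact(before: dict, after: dict) -> dict:
    """For each changed group: the ACLs that read it, their interface bindings,
    and whether the binding itself differs between snapshots."""
    report = {}
    for name, delta in diff_members(before, after).items():
        acls = after["acl_refs"].get(name, [])
        report[name] = {
            "delta": delta,
            "acls": acls,
            "interfaces": sorted({after["bindings"][a] for a in acls if a in after["bindings"]}),
            "binding_changed": any(before["bindings"].get(a) != after["bindings"].get(a) for a in acls),
        }
    return report


if __name__ == "__main__":
    rep = impact(parse_asa(CONFIG_BEFORE), parse_asa(CONFIG_AFTER))
    for group, info in rep.items():
        print(f"object-group {group}: removed={info['delta']['removed']} added={info['delta']['added']}")
        print(f"  read by ACLs {info['acls']} bound at {info['interfaces']}; "
              f"binding changed: {info['binding_changed']}")
```

Run against the two snapshots, the report shows the renumbered host, the single ACL that reads the group, and an unchanged `in interface dmz1` binding, which is the expected picture when only the object member changed and the access-group line was left alone; if a change is reported in the group but no ACL or binding is found, the group is not actually in the traffic path and the access problem lies elsewhere (routes or NAT, as the reply above suggests).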

