ACL ACE change implementations

michaelm18x
Level 1

On an ASA5520 with 7.2(2), does the WRITE MEMORY command apply changes made in NAMES and/or the associated ACL/ACE/OBJECT-GROUPS, or is re-entry of any associated access-group command such as the one below required? If re-entry is required, should the NO parameter be entered for the related access-group command prior to re-entry of the associated access-group command:

access-group acl-dmz1 in interface dmz1

5 Replies

rsmith
Level 3

Not quite sure what you are asking...

The Name, ACL, etc. commands are activated and running after you hit the "enter" key when entering them. This configuration is stored in the "running-config" file.

Typing "Write Memory" just saves the "running-config" file to NVRAM, "startup-config", so when you reboot the device it reads the new configuration.

This is helpful in that if you enter a wrong command, and lose all access to the device, you can reboot and recover to a "pre-change" condition.

HTH.

Russ

The issue was that I performed IP address changes on several devices in the NAMES area related to subnet relocations and the associated ACLs. After it was confirmed that communication to the new subnet was working, I was later informed that it was not, and that this was possibly due to me not properly applying the change. But startup-config comparisons of my change vs. the updated change do not show any coding differences. In addition, I am not being told exactly what I missed. Therefore I can only deduce that I may have missed the rebinding of the related access-group to its interface, thinking that this makes the change effective. Is this a fair assumption?

I have not implemented any NAMES configuration, but I believe from the documentation that the NAMES table is separate from the configuration. Below is what I found in the command reference, and the URL:

clear configure name - Clears the list of names from the configuration.

names - Enables the association of a name with an IP address.

show running-config name - Displays the names associated with an IP address.

http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/no_711.html#wp1607336

I stand corrected... my IP address change was to the IP address of each associated network-object host. So with such a change, would the associated interface have to be rebound/executed to activate the change:

E.g. fw# access-group acl-dmz4 in interface dmz4

Or would it be in effect immediately after the change of the IP address of the associated network objects?

Since you just changed the IP address of the object (network-object host x.x.x.x or network-object "net_address" "mask"), those changes should be immediate. The ACLs read the object, so they should pick up the new IP entered. You should not need to remove and re-install the access-group command.

Your original issue regarding access may be in another area? (routes? NAT?)

Here is a URL re: Object Groups. It does not provide much more on the issue, though:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml
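The point made in the reply above (the access-list refers to the object-group by name, so changing a member changes the effective ACL without re-applying the access-group) can be illustrated by expanding an ACL the way the firewall does. The script below is an added example written for this page, not code from the thread or from Cisco: it parses a small constructed ASA-style configuration (hypothetical names, addresses and interface), resolves `name` aliases and `object-group network` members, expands each ACE referencing an object-group into concrete ACEs, and then repeats the expansion after one `network-object host` entry is changed while the `access-group` line is left untouched.

```python
"""Expand ASA-style access-list entries through object-groups and names.

Added example for the discussion above; the configuration below is
constructed (hypothetical addresses, names and interface), not taken
from any real device.
"""
import ipaddress

# Constructed sample configuration (not from the thread).
SAMPLE_CONFIG = """\
names
name 10.20.1.10 dmz1-web
name 10.20.1.11 dmz1-app
object-group network dmz1-servers
 network-object host dmz1-web
 network-object host dmz1-app
 network-object 10.20.5.0 255.255.255.0
access-list acl-dmz1 extended permit tcp any object-group dmz1-servers eq 443
access-list acl-dmz1 extended deny ip any any
access-group acl-dmz1 in interface dmz1
"""


def parse_config(text):
    """Return (names, groups, acls, bindings) parsed from config text."""
    names, groups, acls, bindings = {}, {}, {}, {}
    current_group = None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "names":
            continue
        parts = raw.split()
        if raw.startswith(" ") and current_group is not None:
            # Indented member line of the object-group opened above.
            if parts[0] == "network-object":
                if parts[1] == "host":
                    groups[current_group].append(("host", parts[2]))
                else:
                    groups[current_group].append(("net", parts[1], parts[2]))
            continue
        current_group = None
        if parts[0] == "name":                       # name <ip> <alias>
            names[parts[2]] = parts[1]
        elif parts[:2] == ["object-group", "network"]:
            current_group = parts[2]
            groups.setdefault(current_group, [])
        elif parts[0] == "access-list":              # keyed by ACL name
            acls.setdefault(parts[1], []).append(raw.strip())
        elif parts[0] == "access-group":             # access-group <acl> in|out interface <if>
            bindings[parts[4]] = (parts[1], parts[2])
    return names, groups, acls, bindings


def resolve_group(group, names, groups):
    """Expand one object-group network into ip_network objects."""
    members = []
    for member in groups[group]:
        if member[0] == "host":
            ip = names.get(member[1], member[1])     # alias from 'names' or literal IP
            members.append(ipaddress.ip_network(ip + "/32"))
        else:
            members.append(ipaddress.ip_network(f"{member[1]}/{member[2]}", strict=False))
    return members


def expand_acl(acl_name, names, groups, acls):
    """Rewrite each ACE so every 'object-group X' becomes one ACE per member."""
    expanded = []
    for ace in acls.get(acl_name, []):
        tokens = ace.split()
        variants = [[]]
        i = 0
        while i < len(tokens):
            if tokens[i] == "object-group":
                members = resolve_group(tokens[i + 1], names, groups)
                variants = [v + [str(m)] for v in variants for m in members]
                i += 2
            else:
                variants = [v + [tokens[i]] for v in variants]
                i += 1
        expanded.extend(" ".join(v) for v in variants)
    return expanded


def effective_acl(config_text, interface):
    """Return ((acl, direction), expanded ACEs) for the ACL bound to interface."""
    names, groups, acls, bindings = parse_config(config_text)
    acl_name, direction = bindings[interface]
    return (acl_name, direction), expand_acl(acl_name, names, groups, acls)


def demo():
    """Change one network-object host and compare the effective ACL on dmz1."""
    before_binding, before = effective_acl(SAMPLE_CONFIG, "dmz1")
    # The change described in the thread: a host behind the group moves.
    # Only the member line changes; the access-group line is untouched.
    changed = SAMPLE_CONFIG.replace(" network-object host dmz1-web",
                                    " network-object host 10.30.1.10")
    after_binding, after = effective_acl(changed, "dmz1")
    return before_binding == after_binding, before, after


if __name__ == "__main__":
    same_binding, before, after = demo()
    print("access-group unchanged:", same_binding)
    print("before:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```

The binding returned for `dmz1` is identical before and after, while the first permit line changes from the old host to the new one, which is the behaviour the reply describes. On the firewall itself the equivalent check is `show access-list acl-dmz1`, which prints the object-group members already expanded (with hit counts), so a stale member shows up there directly. Note also that the running configuration is what the firewall enforces; a diff against the startup-config only reflects what has been saved with write memory, so `show running-config` is the file to compare when verifying that a change is in effect.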
