ASA - Update "name" without interfering with existing ACL

Sep 14th, 2010

Hey all, I have a customer using the "name" feature where an IP is mapped to a name. Basically, the name is used everywhere, including the ACL. We just need to update the IP associated with the name, but here is the problem (when using two approaches).

Approach 1:

1. remove the name

2. add the name back in with the new IP

Result: the ACL stays intact, but instead of having the name it is now using the original IP in the ACL, so the ACL is completely wrong.

Approach 2:

1. disable "names" globally

2. update the name with the new IP

3. enable "names" globally

Result: the ACL stays intact, but instead of having the name it is now using the original IP, so the ACL is completely wrong.

I know someone has an easy way of doing this.

thanks in advance!

-robert

praprama Tue, 09/14/2010 - 17:27

Hey Robert,

What happens when you just add the "name" command with the new IP without disabling "names"? Have you tried doing the above using ASDM?

Regards,

Prapanch

Robert Ho Tue, 09/14/2010 - 18:20

I wish! It gives an error: "ERROR: 'TEST_NAME' is already mapped to 10.10.10.1".

I'm just trying to avoid creating a new name and updating all the ACLs (about 40 names and a ton of ACL lines).

Thank you!

Kureli Sankar Tue, 09/14/2010 - 19:47

The only way I can think of is this.

Schedule some downtime.

1. issue "clear config access-list"

2. change all the IPs in the names

3. sh start | i access-list

4. paste the ACL back into the config

-KS
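The procedure above is a text transformation of the running-config, so it can be prepared and checked offline before the downtime window. The following is an added example (not code from the thread or from Cisco): it parses a constructed sample of the relevant "name", "access-list" and "access-group" lines, refuses an update that would collide with an IP already mapped to another name (the error Robert hit), and emits the ordered command sequence KS describes: clear the ACLs, remove and re-add the changed names, then replay the captured access-list lines, which still reference the names and therefore bind to the new IPs. Re-applying the "access-group" lines afterwards is an assumption added here for safety, on the expectation that clearing the ACLs may also drop their interface bindings; verify on your own platform. The sample config and the name TEST_NAME with its new address are constructed for the example.

```python
import re

# Constructed sample of the relevant lines of an ASA running-config (not from the thread).
SAMPLE_CONFIG = """\
names
name 10.10.10.1 TEST_NAME
name 10.10.10.2 WEB_SRV description Public web server
access-list OUTSIDE_IN extended permit tcp any host TEST_NAME eq 22
access-list OUTSIDE_IN extended permit tcp any host WEB_SRV eq 80
access-list INSIDE_OUT extended permit ip host TEST_NAME any
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside
"""

# "name <ip> <name> [description <text>]"; the bare "names" keyword does not match.
NAME_RE = re.compile(r"^name (\S+) (\S+)(?: description (.+))?$")


def parse_names(config):
    """Return {name: (ip, description_or_None)} for every 'name' line."""
    names = {}
    for line in config.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            ip, name, desc = m.groups()
            names[name] = (ip, desc)
    return names


def lines_starting_with(config, keyword):
    """Offline equivalent of 'show run | include <keyword>' for a whole-word keyword."""
    return [l.strip() for l in config.splitlines() if l.strip().startswith(keyword + " ")]


def referenced_names(config):
    """Names that actually appear as tokens in access-list lines (the ones the change touches)."""
    names = parse_names(config)
    used = set()
    for line in lines_starting_with(config, "access-list"):
        used.update(tok for tok in line.split() if tok in names)
    return used


def build_migration(config, updates):
    """Build the CLI sequence for KS's procedure. updates = {name: new_ip}."""
    names = parse_names(config)
    ip_to_name = {ip: n for n, (ip, _) in names.items()}
    for name, new_ip in updates.items():
        if name not in names:
            raise KeyError(f"{name} is not defined by a 'name' command")
        owner = ip_to_name.get(new_ip)
        # Reproduces the ASA's refusal offline, before anything is touched.
        if owner is not None and owner != name and owner not in updates:
            raise ValueError(f"{new_ip} is already mapped to {owner}")
    if len(set(updates.values())) != len(updates):
        raise ValueError("two names would be mapped to the same new IP")

    cmds = ["clear configure access-list"]
    # All removals before all additions, so that swapping two addresses also works.
    for name in updates:
        old_ip, _ = names[name]
        cmds.append(f"no name {old_ip} {name}")
    for name, new_ip in updates.items():
        _, desc = names[name]
        cmd = f"name {new_ip} {name}"
        if desc:
            cmd += f" description {desc}"
        cmds.append(cmd)
    # Replay the captured ACL lines: they reference the names, so they now resolve to the new IPs.
    cmds.extend(lines_starting_with(config, "access-list"))
    # Assumption: re-apply interface bindings in case clearing the ACLs removed them.
    cmds.extend(lines_starting_with(config, "access-group"))
    return cmds


if __name__ == "__main__":
    print("names referenced by ACLs:", sorted(referenced_names(SAMPLE_CONFIG)))
    for c in build_migration(SAMPLE_CONFIG, {"TEST_NAME": "10.10.20.1"}):
        print(c)
```

Run it against the real output of "show running-config" and diff "show run | i access-list" before and after the paste: the line count and the name tokens should be identical, only the resolved addresses change.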

michael.d.carmody Tue, 05/17/2011 - 21:36

You can also do this from the ASDM, in the Addresses tab on the right-hand sidebar in the Configuration section. Find the appropriate network object, right-click on it, and select "Edit". You can then change the IP address and/or the name, and the updated name and IP address will replace all appropriate entries in the access lists and NAT entries.

golly_wog Wed, 05/18/2011 - 08:55

Hi Robert

I believe that names are just used for clarity in the config, where an IP address can be read as a meaningful name rather than an IP address. Look at it as the ASA translating the IP to the name for your easy reading; under the hood the IP is stored. For this reason the following will happen:

If you remove the name, then the ACL will still remain, with the IP address.

My advice would be:

1. Remove the name

2. Add new lines to the ACL with the new IP address; you can easily find the current lines with a "sh run | i IP_ADDRESS" command

3. Remove the lines that referenced the IP address that are not needed (no access-list....)

4. Add the new name command

cheers
