ASA - Update "name" without interfering with existing ACL

Robert Ho
Level 1

Hey all, have a customer using the "name" feature where an IP is mapped to a name. Basically, the name is used everywhere, including the ACL. We just need to update the IP associated with the name, but here is the problem (when using two approaches).

1. remove name
2. add back in name with new IP

Result: ACL stays intact, but instead of having the name, it is now using the original IP in the ACL; so the ACL is completely wrong.

1. disable "names" globally
2. update the name with the new IP
3. enable "names" globally

Result: ACL stays intact, but instead of having the name, it is now using the original IP; so the ACL is completely wrong.

I know someone has an easy way of doing this.

thanks in advance!

-robert

5 Replies

praprama
Cisco Employee

Hey Robert,

What happens when you just add the command for with name NEW_IP without disabling "names"? Have you tried doing the above using ASDM?

Regards,

Prapanch

I wish! It gives an error: "ERROR: 'TEST_NAME' is already mapped to 10.10.10.1".

I'm just trying to avoid creating a new name and updating all the ACLs (about 40 names and a ton of ACL lines).

Thank you!

The only way I can think of is this.

Schedule some downtime.

1. issue "clear config access-list"

2. change all IPs in the names.

3. sh start | i access-list

4. paste the ACL back to the config

-KS

You can also do this from the ASDM, in the Addresses tab on the right-hand sidebar in the Configuration section. Find the appropriate network object, right-click on it, and select "Edit". You can then change the IP address and/or the name, and the updated name and IP address will replace all appropriate entries in the access lists and NAT entries.

golly_wog
Level 1

Hi Robert

I believe that names are just used for clarity in the config, where an IP address can be read as a meaningful name rather than an IP address. Look at it as the ASA translating the IP to the name for your easy reading; under the hood the IP is stored, and for this reason the following will happen:

If you remove the name, then the ACL will still remain, with the IP address.

My advice would be:

1. Remove the name

2. Add new lines to the ACL with the new IP address; you can easily find the current lines with a "sh run | i IP_ADDRESS" command

3. Remove the lines that referenced the IP address that are not needed (no access-list....)

4. Add the new name command -

cheers
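Both procedures above (KS's clear-and-repaste and golly_wog's per-line rewrite) are easy to get wrong by hand across 40 names and a lot of ACEs. As an added example that is not from this thread or from Cisco, the Python below takes a saved running config plus a name-to-new-IP map and generates the ordered paste-back block for the maintenance window: `clear configure access-list` (the full form of KS's step 1), `no name`/`name` for each changed name, every ACE, and then the access-group bindings re-applied as a precaution (re-applying them is my assumption, not something the thread states). Any raw old-IP token it finds in an ACE is rewritten to the name token and flagged for review; the config text is constructed.

```python
import re

# Constructed "show running-config" excerpt (not from the thread); it mixes a name
# token with a raw-IP reference, which is what an ACE shows once the name is removed.
SAMPLE_CONFIG = """\
names
name 10.10.10.1 TEST_NAME
name 10.10.20.5 DB_SRV
access-list OUTSIDE_IN extended permit tcp any host TEST_NAME eq 443
access-list OUTSIDE_IN extended permit tcp host DB_SRV host 10.10.10.1 eq 1433
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)")


def parse_names(config: str) -> dict[str, str]:
    """Map every 'name <ip> <NAME>' statement to {NAME: ip}."""
    return {m.group(2): m.group(1)
            for m in map(NAME_RE.match, config.splitlines()) if m}


def plan_rename(config: str, new_ips: dict[str, str]) -> tuple[list[str], list[str]]:
    """Paste-back block for the maintenance window: clear the ACLs, re-point the
    names, re-add every ACE (name tokens now resolve to the new IPs), then
    re-apply access-group bindings as a precaution. Returns (commands, warnings)."""
    names = parse_names(config)
    warnings = [f"{n}: no 'name' statement in config" for n in new_ips if n not in names]
    old_ip_to_name = {names[n]: n for n in new_ips if n in names}
    aces, groups = [], []
    for line in config.splitlines():
        if line.startswith("access-list "):
            tokens = line.split()
            for i, t in enumerate(tokens):
                # A raw old IP in an ACE would survive the rename untouched: rewrite it.
                if t in old_ip_to_name:
                    tokens[i] = old_ip_to_name[t]
                    warnings.append(f"raw IP {t} rewritten to {tokens[i]}: {line}")
            aces.append(" ".join(tokens))
        elif line.startswith("access-group "):
            groups.append(line)
    commands = ["clear configure access-list"]
    for n, ip in new_ips.items():
        if n in names:
            commands += [f"no name {names[n]} {n}", f"name {ip} {n}"]
    return commands + aces + groups, warnings


if __name__ == "__main__":
    cmds, warns = plan_rename(SAMPLE_CONFIG, {"TEST_NAME": "10.10.10.2"})
    print("\n".join(cmds + ["! " + w for w in warns]))
```

Review the flagged lines before pasting: an ACE that still carried the raw old IP would otherwise keep pointing at the old host after the rename.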
