Community Member

ACL ACE change implementations

On an ASA5520 with 7.2(2), does the WRITE MEMORY command apply changes made in NAMES and/or the associated ACL/ACE/OBJECT-GROUPS outlined below, or is re-entry of any associated access-group command such as the one below required? If re-entry is required, should the NO parameter be entered for the related access-group command prior to re-entry of the associated access-group command:

access-group acl-dmz1 in interface dmz1

5 REPLIES
Bronze

Re: ACL ACE change implementations

Not quite sure what you are asking...

The Name, ACL, etc. commands are activated and running after you hit the "enter" key when entering them. This configuration is stored in the "running-config" file.

Typing "Write Memory" just saves the "running-config" file to NVRAM, "startup-config", so when you reboot the device it reads the new configuration.

This is helpful in that if you enter a wrong command, and lose all access to the device, you can reboot and recover to a "pre-change" condition.

HTH.

Russ

Community Member

Re: ACL ACE change implementations

The issue was that I performed IP address changes on several devices in the NAMES area related to subnet relocations and the associated ACLs. After it was confirmed that communication to the new subnet was working, I was later informed that it was not, and that this was possibly due to me not properly applying the change. But startup-config comparisons of my change vs. the updated change do not show any coding differences. In addition, I am not being told exactly what I missed. Therefore I can only deduce that I may have missed the rebinding of the related access-group to its interface, thinking that this would make the change effective. Is this a fair assumption?

Bronze

Re: ACL ACE change implementations

I have not implemented any NAMES configuration, but I believe from the documentation that the NAMES table is separate from the configuration. Below is what I found in the command reference, and the URL:

clear configure name - Clears the list of names from the configuration.

names - Enables the association of a name with an IP address.

show running-config name - Displays the names associated with an IP address.

http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/no_711.html#wp1607336

Community Member

Re: ACL ACE change implementations

I stand corrected... my IP address change was to the IP address of each associated network-object host. With such a change, would the associated interface have to be rebound/executed to activate the change:

E.g. fw# access-group acl-dmz4 in interface dmz4

Or would it be in effect immediately after the change of the IP address of the associated network objects?

Bronze

Re: ACL ACE change implementations

Since you just changed the IP address of the object (network-object host x.x.x.x or network-object "net_address" "mask"), those changes should be immediate. The ACLs read the object, so they should pick up the new IP entered. You should not need to remove and re-install the access-group command.

Your original issue regarding access may be in another area (routes? NAT?).

Here is a URL re: Object Groups. It does not provide much more on the issue, though:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml
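The following ASA CLI session is an added illustration of the point made in the replies above; it is not from any post in the thread. It walks through an object-group-referenced ACL bound to dmz4, changes the host in the object, then verifies what the firewall actually enforces without re-applying the access-group. The object-group name dmz4-servers, the addresses 10.1.4.10, 10.2.4.10 and 192.0.2.50, and the hostname fw are assumed for the example; acl-dmz4 and dmz4 are the names used in the thread. The packet-tracer check at the end exists from ASA 7.2(1) onward and is the quickest way to find out whether a failure is in the ACL, a route or NAT.

```text
! --- Starting state: ACL references the object, access-group binds it ---
fw(config)# object-group network dmz4-servers
fw(config-network)# network-object host 10.1.4.10
fw(config-network)# exit
fw(config)# access-list acl-dmz4 extended permit tcp any object-group dmz4-servers eq 443
fw(config)# access-group acl-dmz4 in interface dmz4

! --- The relocation: swap the host inside the object only ---
! The change is live in running-config as soon as each line is entered;
! the ACE is NOT copied, it resolves the object by name.
fw(config)# object-group network dmz4-servers
fw(config-network)# no network-object host 10.1.4.10
fw(config-network)# network-object host 10.2.4.10
fw(config-network)# exit

! --- Verify the effective ACE (no access-group re-entry needed) ---
! show access-list prints the expanded entries the ASA enforces,
! with a hit counter per expanded line. Look for the line that now
! carries host 10.2.4.10; a hit count that stays at 0 while traffic is
! sent means the packets are being dropped or steered elsewhere before
! this ACE, not that the ACL ignored the object change.
fw(config)# show access-list acl-dmz4
fw(config)# show running-config access-group

! --- If access still fails, test the path rather than the ACL ---
! packet-tracer simulates one packet through route lookup, ACL, NAT
! and the rest of the pipeline and reports the phase that drops it.
! Source 192.0.2.50 and source port 12345 are arbitrary test values.
fw(config)# packet-tracer input outside tcp 192.0.2.50 12345 10.2.4.10 443 detailed
fw(config)# show route
fw(config)# show xlate

! If the relocation also required a NAT change, existing translations
! for the old subnet can linger on 7.x; clear them after the NAT edit.
fw(config)# clear xlate

! --- Only now persist to NVRAM; this does not "apply" anything ---
fw(config)# write memory
```

Reading the output: if `show access-list` already shows the new host in the expanded entry, the object change has taken effect and the access-group was never the problem. If `packet-tracer` reports a drop in the ROUTE-LOOKUP or NAT phase, that phase is where the relocation was missed, which is exactly the "routes? NAT?" possibility raised in the reply above.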
