topic Re: ACL ACE change implementations in Network Security

ACL ACE change implementations

michaelm18x — Mon, 11 Mar 2019 10:26:13 GMT

On ASA5520 with 7.2(2) does WRITE MEMORY command apply changes made in NAMES and/or associated outlined ACL/ACE/OBJECTGROUPS or is re-entry of any associated access-group command such as below required? If re-entry required, should NO paramenter be entered for related access-group command prior to re-entry of associated access-group command:

access-group acl-dmz1 in interface dmz1

Re: ACL ACE change implementations

rsmith — Fri, 08 Jun 2007 15:09:09 GMT

Not quite sure what you are asking...

The Name, ACL, etc. commands are activated and running after you hit the "enter" key when entering them. This configuration is stored in the "running-config" file.

Typing "Write Memory" just saves the "running-config" file to NVRAM, "startup-config", so when you reboot the device it reads the new configuration.

This is helpful in that if you enter a wrong command, and lose all access to the device, you can reboot and recover to a "pre-change" condition.

HTH.

Russ

Re: ACL ACE change implementations

michaelm18x — Fri, 08 Jun 2007 15:44:47 GMT

Issue was that I performed ip address changes on several devices in NAMES area related to subnet relocations and associated ACLs. After it was confirmed that communication to new subnet was working, I was later informed that it was not and that this was possibly due to me not properly applying the change. But startup-config comparisons of my change vs. updated change do not show any coding differences. In addition, I am not being told exactly what I missed. Therefore I can only deduct that I may have missed the rebinding of the related access-group to its interface, thinking that this make the change effective. Is this a fair assumption?

Re: ACL ACE change implementations

rsmith — Fri, 08 Jun 2007 15:59:03 GMT

I have not implemented any NAMES configuration, but I believe from the documentation that the NAMES table is separate from the configuration. Below is what I found in the command reference, and the URL:

clear configure name - Clears the list of names from the configuration.

names - Enables the association of a name with an IP address.

show running-config name - Displays the names associated with an IP address.

http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/no_711.html#wp1607336

Re: ACL ACE change implementations

michaelm18x — Fri, 08 Jun 2007 18:54:54 GMT

I stand corrected...my ip address change was to the ip address for each associated network-object host. So with such change would the associated interface have to be rebound/executed to activate the change:

Eg. fw# access-group acl-dmz4 in interface dmz4

Or would it be in effect immediately after the change of the ip address of the associated network objects?

Re: ACL ACE change implementations

rsmith — Fri, 08 Jun 2007 19:21:56 GMT

Since you just changed the IP address of the object (network-object host x.x.x.x or network object "net_address" "mask"), those changes should be immediate. The ACL's read the object, so it should pick up the new IP entered. You should not need to remove and re-install the access-group command.

Your original issue regarding access may be in another area? (routes? NAT?)

Here is a URL re:Object Groups. It does not provide much more on the issue, though:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml