Beginner

ASA 8.3 - question to rename interface

Hi All,

Need your advice on the procedure to rename an ASA interface on a live firewall.

I have prepared a workplan to rename an interface on ASA 8.3 as below.
Will there be any impact on the existing live traffic going through the interface?

======================================================
 \\ Original interface name

interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2

access-list inside_access_in extended permit tcp object HOST-192.168.1.10 object net-DMZ-172.16.0.0-25 eq ftp 
access-list inside_access_in extended permit tcp object HOST-192.168.1.11 object HOST-172.16.0.130 eq https 
access-list inside_access_in extended permit tcp object HOST-192.168.1.12 object net-DMZ-172.16.0.0-25 eq ssh

mtu inside 1500

route inside 192.168.50.0 255.255.255.0 192.168.1.1 1
route inside 192.168.60.0 255.255.255.0 192.168.1.1 1

======================================================
 \\ ##STEP 1. Rename the interface using Cisco ASA ASDM

   Interface GigabitEthernet1
        nameif inside-NEWNAME

======================================================
 \\ Result After interface name changed

interface GigabitEthernet1
 nameif inside-NEWNAME
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2


access-list inside_access_in extended permit tcp object HOST-192.168.1.10 object net-DMZ-172.16.0.0-25 eq ftp 
access-list inside_access_in extended permit tcp object HOST-192.168.1.11 object HOST-172.16.0.130 eq https 
access-list inside_access_in extended permit tcp object HOST-192.168.1.12 object net-DMZ-172.16.0.0-25 eq ssh

mtu inside-NEWNAME 1500

route inside-NEWNAME 192.168.50.0 255.255.255.0 192.168.1.1 1
route inside-NEWNAME 192.168.60.0 255.255.255.0 192.168.1.1 1

access-group inside_access_in in interface inside-NEWNAME


======================================================


 \\ ##STEP 2. Rename the access-list using the CLI

   access-list inside_access_in rename inside-NEWNAME_access_in


Result:
------------
access-list inside-NEWNAME_access_in extended permit tcp object HOST-192.168.1.10 object net-DMZ-172.16.0.0-25 eq ftp 
access-list inside-NEWNAME_access_in extended permit tcp object HOST-192.168.1.11 object HOST-172.16.0.130 eq https 
access-list inside-NEWNAME_access_in extended permit tcp object HOST-192.168.1.12 object net-DMZ-172.16.0.0-25 eq ssh

access-group inside-NEWNAME_access_in in interface inside-NEWNAME

=========================================================

Thank you.
Fadzila

Beginner


Hello Fadzila

Well, as soon as you remove the nameif inside, all the configuration related to that interface will be gone, so it will cause an interruption on the live network.

So you should do this process in a maintenance window; it shouldn't take long if you have all the configuration ready to paste.

So make sure you have the NAT rules as well, because they are not included in this, so you can add the access rules before changing the nameif and then, once it has been changed, proceed with adding the NATs, routes and access-group needed.

 

And also, to remove the old access-list you can do:

clear configure access-list inside_access_in


Hope this helps.

Beginner


Hi Lauzamor,

Thank you for the reply.

But during step 1, the moment I applied the name change in ASDM, I saw the following in the show run: it looks like the "access-group inside_access_in" was automatically associated with the new interface name "inside-NEWNAME".

The interface details, MTU and the routes all automatically changed to point to the new interface name.

---------------------------------------------
interface GigabitEthernet1
 nameif inside-NEWNAME
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2

mtu inside-NEWNAME 1500

route inside-NEWNAME 192.168.50.0 255.255.255.0 192.168.1.1 1
route inside-NEWNAME 192.168.60.0 255.255.255.0 192.168.1.1 1

access-group inside_access_in in interface inside-NEWNAME
-----------------------------------------------------------

So I was wondering if the traffic from the inside interface will be processed correctly by this time.

Btw, I was testing this on ASA 8.4 using a GNS3 lab. Would it be different using 8.3?

Beginner


In this case, keeping the same access-list and letting the firewall change everything related to the interface by itself, the impact should be minimal, not even noticed, because it will be a quick change.

The behavior won't change from 8.3 to higher versions, but I can double check the same scenario on my end, if you wish.

Beginner


Hi Lauzamor,

Yes, please help double check this. Thank you very much for the assistance.

Beginner


Ok, I will get back to you on this.

Beginner


Hi Lauzamor,

Although I already have the answer from Jouni, I am interested to hear the result from your test too. Thank you.

- Fadzila


Mentor


Hi,

I don't personally make changes to ASA configurations through ASDM, but the interface "nameif" change through the CLI is a pretty simple change.

You will simply go to the configuration mode of the interface whose name you want to change and issue the command "nameif <newname>". This change will update the name in any configuration that refers to the "nameif", so you won't have to configure again any of the commands that refer to the interface.

If you were to remove the "nameif", this would mean the interface could no longer pass traffic, as the "nameif" command is a requirement for an interface to pass traffic.

And as you have also noted, if you want to change the ACL name to something else you can use the mentioned command to "rename" the ACL, and it won't have any effect on the firewall operation. You can also "rename" "object" configurations. The "object-group", however, can't be renamed to my understanding.

None of these renaming configurations should affect the traffic flow through the ASA. I have done this change on software levels below 8.3, and I have also done a complete renaming of the interface/ACL naming in a critical hospital environment, and there was no problem. Naturally it is still good to be careful that you use the correct commands and don't remove anything in use by mistake.

- Jouni
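As an added example (not from this thread or from Cisco), here is a Python check a practitioner could run over the running-config captured before and after the change to confirm that every reference to the old nameif moved to the new one and that none was dropped, which is exactly what issuing "no nameif" would cause. The config text is constructed from the snippets in this thread; the pattern list (nameif, mtu, route, access-group, nat) is an assumption, not an exhaustive list of ASA commands that carry a nameif.

```python
import re

# Constructed sample modelled on the snippets in this thread: the running-config
# before the change, and what the ASA showed after "nameif inside-NEWNAME".
BEFORE = """\
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
access-list inside_access_in extended permit tcp object HOST-192.168.1.10 object net-DMZ-172.16.0.0-25 eq ftp
mtu inside 1500
route inside 192.168.50.0 255.255.255.0 192.168.1.1 1
route inside 192.168.60.0 255.255.255.0 192.168.1.1 1
access-group inside_access_in in interface inside
"""
AFTER_OK = (BEFORE.replace(" nameif inside\n", " nameif inside-NEWNAME\n")
            .replace("mtu inside ", "mtu inside-NEWNAME ")
            .replace("route inside ", "route inside-NEWNAME ")
            .replace("in interface inside\n", "in interface inside-NEWNAME\n"))

# Commands in which a nameif appears as an interface reference (assumed subset).
# The ACL name "inside_access_in" is not a nameif reference and must not match.
REF_PATTERNS = [
    r"^ nameif (\S+)$",
    r"^mtu (\S+) \d+$",
    r"^route (\S+) ",
    r"^access-group \S+ (?:in|out) interface (\S+)$",
    r"^nat \((\S+?),(\S+?)\)",
]

def interface_refs(config, name):
    """Config lines that reference interface `name` by its nameif (exact token)."""
    refs = []
    for line in config.splitlines():
        for pat in REF_PATTERNS:
            m = re.match(pat, line)
            if m and name in m.groups():
                refs.append(line)
                break
    return refs

def check_rename(before, after, old, new):
    """Post-change check: every reference to `old` in `before` must appear in
    `after` with `new` in its place, and nothing may still point at `old`."""
    def shape(line, name):  # swap the nameif token for a placeholder
        return re.sub(rf"(?<![\w-]){re.escape(name)}(?![\w-])", "<IF>", line)
    want = sorted(shape(l, old) for l in interface_refs(before, old))
    have = sorted(shape(l, new) for l in interface_refs(after, new))
    stale = interface_refs(after, old)
    missing = [s for s in want if s not in have]
    return {"ok": not stale and not missing and len(want) == len(have),
            "stale": stale, "missing": missing, "moved": len(have)}
```

A non-empty "missing" list after the change is the signal that the nameif was removed rather than re-issued and the dropped lines must be pasted back.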

Beginner


Hi Jouni,

Thank you very much for the feedback and advice.

Meaning all that I need to do is the following, and there should be no impact on existing traffic.

I will inform my team mates of this :D

------------------------------------------------------------------

Step 1:
 config t

Step 2:
 interface GigabitEthernet1
  nameif NEWNAME
 exit

Step 3:
 access-list inside_access_in rename NEWNAME_access_in

------------------------------------------------------------------


Mentor


Hi,

Yes, that should be it.

I have done this on a couple of firewalls in active use, and there were no effects on the user traffic that I know of. In those cases pretty much all interfaces were renamed, and also their ACLs, as part of cleaning up the configurations.

The Command Reference doesn't mention much related to the "nameif" command. I guess the important thing in it (that I also mentioned) is that you should NOT remove the "nameif" command BUT just configure it using the new "nameif" value, so that you don't remove any existing configurations.

- Jouni

Beginner


Thanks again Jouni. 

Mentor


Hi,

No problem. Let us know how the change goes :)

Please do remember to mark a reply as the correct answer if it answered your question, and rate helpful answers.

- Jouni