Frequent Contributor

Impact of Deleting interface from ASA

Hi Everyone,

 

During our maintenance window I need to delete a few interfaces from the ASA.

In ASDM when I filter by these interface names I see many ACLs configured for these interfaces, but the ACLs have different names compared to the interface name.

If I delete the interface, will it also delete all those ACLs and any object groups configured under the interface subnets?

Or

What else will be deleted when I delete the interface from the ASA?

 

Regards

Mahesh

 

5 Replies
VIP Advocate

Everything that references

Everything that references the interface will be deleted.  So your ACLs should be fine unless you have referenced any interfaces in those access lists.  For example:

access-list TEST permit tcp interface inside any eq 80  <-- this statement will still be present but the reference to "inside" will be deleted.  I am testing this on version 8.4 so in later versions this line might be deleted.

All NAT statements that reference the interface will be deleted.

All service-policy configuration that references the interface will be deleted.

I would work from the assumption that everything that references the interface that you delete will also be deleted.

--

Please remember to select a correct answer and rate helpful posts
Frequent Contributor

 Hi Marius, When you say

 

Hi Marius,

 

When you say the reference will be deleted, does it mean that the ACL below will be present?

access-list TEST permit tcp inside any eq 80

When I do sh access-group on the ASA it shows

access-group inside_access_in in interface inside

so if I delete the inside interface and do sh access-group, will it still show the ACL inside_access_in?

 

Regards

Mahesh

 

VIP Advocate

You would have to re write

You would have to rewrite that ACL entry as it will either be deleted or the reference to the inside interface will be deleted and the rest of the ACL will remain.  When I tested it my ACL remained but the name of the interface was removed.  As I mentioned I am testing this on an 8.4 box so it is possible that in newer versions this ACL will be deleted.

The access-group inside_access_in in interface inside command will be deleted once you delete the inside interface...actually you don't need to delete the inside interface for it to be deleted, you only need to remove the nameif command from the interface.  Once the nameif is removed from the interface, all commands that reference that name will also be deleted.

This is why I stated that you should assume that all commands that reference the name of the interface you are deleting will also be deleted.  That would include, but is not limited to, ACLs, NAT, policy maps, and static routes...just to name a few.

--

Please remember to select a correct answer and rate helpful posts
Frequent Contributor

 Many thanks Marius for reply

 

Many thanks Marius for replying back.

Best regards

Mahesh

Frequent Contributor

Re: You would have to re write

Hi Marius & gents,

 

A couple of years later, about the same question: in multiple-context mode on 9.6 I need to unassign an interface from one context and move it to another one.

I am in system execution space and about to enter:

context fw-lan
description LAN
 no allocate-interface Port-channel21.6 visible

 

Now on fw-lan context I have a bunch of related config to this interface Port-channel21.6:

- access-group
- nat
- object groups

I am concerned about any production impact for the firewall when removing the interface from the context.

Cisco documentation on 9.6 multiple context DOES not mention any warning for the no allocate-interface command.

 

Thoughts?
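As an added example (not from this thread, and not Cisco's own tooling), here is a small Python pre-change check that scans an ASA running-config for every command referencing a given nameif, so the lines Marius says will silently disappear (access-group, nat, service-policy, route, and ACL entries using the interface keyword) can be reviewed before the nameif or the allocate-interface is removed. The config excerpt, interface names and addresses are constructed for the demonstration.

```python
import re

# Constructed ASA running-config excerpt (assumed sample, not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
object network INSIDE-NET
 nat (inside,outside) dynamic interface
access-list inside_access_in extended permit ip 10.1.1.0 255.255.255.0 any
access-list TEST extended permit tcp interface inside any eq 80
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group inside_access_in in interface inside
access-group OUTSIDE_IN in interface outside
route inside 10.2.0.0 255.255.0.0 10.1.1.254 1
service-policy inside-policy interface inside
"""


def find_references(config: str, nameif: str) -> dict:
    """Return, per command family, the config lines that reference `nameif`.
    These are the lines the ASA drops or edits once the nameif is gone."""
    n = re.escape(nameif)
    patterns = {
        "access-group": rf"^access-group \S+ (?:in|out) interface {n}\s*$",
        "access-list": rf"^access-list .*\binterface {n}\b",  # 'interface' keyword
        "nat": rf"^\s*nat \((?:{n},\S+|\S+,{n})\)",           # either side of the pair
        "route": rf"^route {n} ",
        "service-policy": rf"^service-policy \S+ interface {n}\s*$",
    }
    found = {kind: [] for kind in patterns}
    for line in config.splitlines():
        for kind, pattern in patterns.items():
            if re.search(pattern, line):
                found[kind].append(line.strip())
    return found


if __name__ == "__main__":
    # Report everything tied to "inside" before the maintenance window.
    for kind, lines in find_references(SAMPLE_CONFIG, "inside").items():
        for line in lines:
            print(f"[{kind}] {line}")
```

Run it against `show running-config` output captured from the context you are about to change; an empty report means nothing on the box references that nameif.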