06-06-2007 04:53 PM - edited 03-11-2019 03:26 AM
On ASA5520 with 7.2(2) does the WRITE MEMORY command apply changes made in NAMES and/or associated outlined ACL/ACE/OBJECTGROUPS, or is re-entry of any associated access-group command such as below required? If re-entry is required, should the NO parameter be entered for the related access-group command prior to re-entry of the associated access-group command:
access-group acl-dmz1 in interface dmz1
06-08-2007 08:09 AM
Not quite sure what you are asking...
The Name, ACL, etc. commands are activated and running after you hit the "enter" key when entering them. This configuration is stored in the "running-config" file.
Typing "Write Memory" just saves the "running-config" file to NVRAM, "startup-config", so when you reboot the device it reads the new configuration.
This is helpful in that if you enter a wrong command, and lose all access to the device, you can reboot and recover to a "pre-change" condition.
HTH.
Russ
06-08-2007 08:44 AM
Issue was that I performed ip address changes on several devices in the NAMES area related to subnet relocations and associated ACLs. After it was confirmed that communication to the new subnet was working, I was later informed that it was not and that this was possibly due to me not properly applying the change. But startup-config comparisons of my change vs. the updated change do not show any coding differences. In addition, I am not being told exactly what I missed. Therefore I can only deduce that I may have missed the rebinding of the related access-group to its interface, thinking that this makes the change effective. Is this a fair assumption?
06-08-2007 08:59 AM
I have not implemented any NAMES configuration, but I believe from the documentation that the NAMES table is separate from the configuration. Below is what I found in the command reference, and the URL:
clear configure name - Clears the list of names from the configuration.
names - Enables the association of a name with an IP address.
show running-config name - Displays the names associated with an IP address.
http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/no_711.html#wp1607336
06-08-2007 11:54 AM
I stand corrected...my ip address change was to the ip address for each associated network-object host. So with such change would the associated interface have to be rebound/executed to activate the change:
E.g. fw# access-group acl-dmz4 in interface dmz4
Or would it be in effect immediately after the change of the ip address of the associated network objects?
06-08-2007 12:21 PM
Since you just changed the IP address of the object (network-object host x.x.x.x or network-object "net_address" "mask"), those changes should be immediate. The ACLs read the object, so they should pick up the new IP entered. You should not need to remove and re-install the access-group command.
Your original issue regarding access may be in another area? (routes? NAT?)
Here is a URL re: Object Groups. It does not provide much more on the issue, though:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml
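To make the point of the reply above concrete, here is an added model (not Cisco code, not from this thread) of how an extended ACL that references an object-group picks up a changed network-object host without the access-group command being re-entered. It parses a constructed, ASA-style config fragment with hypothetical interface, group and ACL names and RFC 1918 / documentation addresses, evaluates packets against the bound ACL with group members resolved at match time, and exposes an `expanded_entries` view modelled on what `show access-list` prints, which is the check to run after such a change. The names table from the original question is not modelled.

```python
"""Model of how an ASA extended ACL resolves object-group members at match time.

Added illustration, not Cisco code. It parses a constructed, ASA-style config
fragment (object-group network, access-list, access-group) and evaluates
packets against the bound ACL. Group members are looked up by name on every
evaluation, which is why changing a network-object host address takes effect
without re-entering the access-group command. The names table is not modelled.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample config; interface, group and ACL names and all addresses are hypothetical.
SAMPLE_CONFIG = """\
object-group network dmz4-servers
 network-object host 10.1.4.10
 network-object 10.1.4.32 255.255.255.240
access-list acl-dmz4 extended permit tcp any object-group dmz4-servers eq 443
access-list acl-dmz4 extended deny ip any any
access-group acl-dmz4 in interface dmz4
"""


@dataclass
class AsaConfig:
    groups: dict = field(default_factory=dict)    # group name -> list of member token lists
    acls: dict = field(default_factory=dict)      # ACL name -> list of ACE token lists
    bindings: dict = field(default_factory=dict)  # interface -> (ACL name, direction)


def parse(text):
    cfg, group = AsaConfig(), None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if not raw.startswith(" "):
            group = None                                   # only indented lines belong to a group
        if group is not None:
            cfg.groups[group].append(tok)
        elif tok[:2] == ["object-group", "network"]:
            group = tok[2]
            cfg.groups.setdefault(group, [])
        elif tok[0] == "access-list":                      # access-list NAME extended ACTION ...
            cfg.acls.setdefault(tok[1], []).append(tok[3:])
        elif tok[0] == "access-group":                     # access-group ACL in interface IF
            cfg.bindings[tok[4]] = (tok[1], tok[2])
    return cfg


def resolve_addr(cfg, tok, i):
    """Consume one address spec starting at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        nets = []
        for member in cfg.groups[tok[i + 1]]:              # resolved now, not at ACL entry time
            nets.extend(resolve_addr(cfg, member, 1)[0])   # skip the 'network-object' keyword
        return nets, i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2   # "network mask" form


def evaluate(cfg, interface, proto, src, dst, dport=None):
    """First-match evaluation of the ACL bound on `interface`; implicit deny at the end."""
    acl_name, _direction = cfg.bindings[interface]
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in cfg.acls[acl_name]:
        action, ace_proto = ace[0], ace[1]
        src_nets, i = resolve_addr(cfg, ace, 2)
        dst_nets, i = resolve_addr(cfg, ace, i)
        port_ok = i >= len(ace) or ace[i] != "eq" or str(dport) == ace[i + 1]
        if (ace_proto in ("ip", proto) and port_ok
                and any(src_ip in n for n in src_nets)
                and any(dst_ip in n for n in dst_nets)):
            return action == "permit"
    return False


def expanded_entries(cfg, acl_name):
    """Like 'show access-list': one line per expanded destination network (the check to run)."""
    lines = []
    for ace in cfg.acls[acl_name]:
        _src, i = resolve_addr(cfg, ace, 2)
        dst_nets, _ = resolve_addr(cfg, ace, i)
        lines.extend(f"{acl_name} {ace[0]} {ace[1]} -> {net}" for net in dst_nets)
    return lines


def move_host(cfg, group, old, new):
    """Emulate 'no network-object host OLD' then 'network-object host NEW' inside the group."""
    members = cfg.groups[group]
    members[:] = [m for m in members if m != ["network-object", "host", old]]
    members.append(["network-object", "host", new])


def demo():
    cfg = parse(SAMPLE_CONFIG)
    before = evaluate(cfg, "dmz4", "tcp", "192.0.2.7", "10.1.4.10", 443)
    move_host(cfg, "dmz4-servers", "10.1.4.10", "10.1.5.10")   # server relocated; access-group untouched
    old_host = evaluate(cfg, "dmz4", "tcp", "192.0.2.7", "10.1.4.10", 443)
    new_host = evaluate(cfg, "dmz4", "tcp", "192.0.2.7", "10.1.5.10", 443)
    return before, old_host, new_host


if __name__ == "__main__":
    print(demo())                       # (True, False, True)
    for line in expanded_entries(parse(SAMPLE_CONFIG), "acl-dmz4"):
        print(line)
```

The `demo()` result shows the live behaviour the reply describes: the old address stops matching and the new one starts matching as soon as the group member changes, with `access-group` left alone. If a relocated host still cannot be reached after such a change, the expanded ACL view is the first thing to compare against the intended addresses, and the reply's pointer to routes and NAT is the next place to look.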