07-16-2014 07:22 AM - edited 03-11-2019 09:28 PM
Hi All,
Need your advice on the procedure to rename an ASA interface on a live firewall.
I have prepared a workplan to rename an interface on ASA 8.3 as below.
Will there be any impact on the existing live traffic going through the interface?
======================================================
\\ Original interface name
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
access-list inside_access_in extended permit tcp object HOST-192.168.1.10 object net-DMZ-172.16.0.0-25 eq ftp
access-list inside_access_in extended permit tcp object HOST-192.168.1.11 object HOST-172.16.0.130 eq https
access-list inside_access_in extended permit tcp object HOST-192.168.1.12 object net-DMZ-172.16.0.0-25 eq ssh
mtu inside 1500
route inside 192.168.50.0 255.255.255.0 192.168.1.1 1
route inside 192.168.60.0 255.255.255.0 192.168.1.1 1
======================================================
\\ ##STEP 1. Rename the interface using Cisco ASA ASDM
Interface GigabitEthernet1
nameif inside-NEWNAME
======================================================
\\ Result After interface name changed
interface GigabitEthernet1
nameif inside-NEWNAME
security-level 100
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
access-list inside_access_in extended permit tcp object HOST-192.168.1.10 object net-DMZ-172.16.0.0-25 eq ftp
access-list inside_access_in extended permit tcp object HOST-192.168.1.11 object HOST-172.16.0.130 eq https
access-list inside_access_in extended permit tcp object HOST-192.168.1.12 object net-DMZ-172.16.0.0-25 eq ssh
mtu inside-NEWNAME 1500
route inside-NEWNAME 192.168.50.0 255.255.255.0 192.168.1.1 1
route inside-NEWNAME 192.168.60.0 255.255.255.0 192.168.1.1 1
access-group inside_access_in in interface inside-NEWNAME
======================================================
\\ ##STEP 2. Rename the access-list using the CLI
access-list inside_access_in rename inside-NEWNAME_access_in
Result:
------------
access-list inside-NEWNAME_access_in extended permit tcp object HOST-192.168.1.10 object net-DMZ-172.16.0.0-25 eq ftp
access-list inside-NEWNAME_access_in extended permit tcp object HOST-192.168.1.11 object HOST-172.16.0.130 eq https
access-list inside-NEWNAME_access_in extended permit tcp object HOST-192.168.1.12 object net-DMZ-172.16.0.0-25 eq ssh
access-group inside-NEWNAME_access_in in interface inside-NEWNAME
=========================================================
Thank you.
Fadzila
07-16-2014 07:27 PM
Hello Fadzila
Well, as soon as you remove the nameif inside, all the configuration related to that interface will be gone, so it will cause an interruption on the live network.
So you should do this process in a maintenance window; it shouldn't take long if you have all the configuration ready to paste.
So make sure you have the NAT rules as well, because they are not included in this, so you can add the access rules before changing the nameif and then, once it has been changed, proceed with adding the NATs, routes and access-group needed.
And also, to remove the old access list you can do:
clear configure access-list inside_access_in
Hope this helps.
07-16-2014 07:53 PM
Hi Lauzamor,
Thank you for the reply.
But during step 1 - the moment I applied the name change in ASDM - I saw the following in the show run - it looks like the "access-group inside_access_in" was automatically associated to the new interface name "inside-NEWNAME".
The interface details, MTU and the routes all automatically changed to point to the new interface name.
---------------------------------------------
interface GigabitEthernet1
nameif inside-NEWNAME
security-level 100
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
mtu inside-NEWNAME 1500
route inside-NEWNAME 192.168.50.0 255.255.255.0 192.168.1.1 1
route inside-NEWNAME 192.168.60.0 255.255.255.0 192.168.1.1 1
access-group inside_access_in in interface inside-NEWNAME
-----------------------------------------------------------
So I was wondering if the traffic from the inside interface will be processed correctly by this time.
Btw - I was testing this on ASA 8.4 using a GNS3 lab. Would it be different using 8.3?
07-16-2014 08:07 PM
In this case, keeping the same access-list and just having the firewall change everything related to the interface by itself, the impact should be minimal, probably not even noticed, because it will be a quick change.
The behavior won't change from 8.3 to higher versions, but I can double check the same scenario on my end, if you wish.
07-16-2014 08:09 PM
Hi Lauzamor,
Yes, please help double check this. Thank you very much for your assistance.
07-16-2014 08:31 PM
Ok I will get back to you on this.
07-20-2014 07:20 PM
Hi Lauzamor,
Although I already have the answer from Jouni, I am interested to hear the result from your test too. Thank you.
- Fadzila
07-16-2014 11:21 PM
Hi,
I don't personally do changes to ASA configurations through ASDM, but the interface "nameif" change through the CLI is a pretty simple change.
You will simply go to the configuration mode of the interface whose name you want to change and issue the command "nameif <newname>". This change will update the name in any configuration that refers to the "nameif", so you won't have to configure again any of the commands that refer to the interface.
If you were to remove the "nameif", this would mean the interface could no longer pass traffic, as the "nameif" command is a requirement for an interface to pass traffic.
And as you have also noted, if you want to change the ACL name to something else you can use the mentioned command to "rename" the ACL and it won't have any effect on the firewall operation. You can also "rename" "object" configurations. The "object-group" however can't be renamed, to my understanding.
None of these renaming configurations should affect the traffic flow through the ASA. I have done this change on software levels below 8.3, and I have also done a complete renaming of the interface/ACL naming in a critical hospital environment and there was no problem. Naturally it is still good to be careful that you use the correct commands and don't remove anything in use by mistake.
- Jouni
07-20-2014 07:16 PM
Hi Jouni,
Thank you very much for feedback and advice.
Meaning all I need to do is the following, and there should be no impact to existing traffic.
I will inform my team mates of this :D
------------------------------------------------------------------
Step 1:
config t
Step 2:
interface GigabitEthernet1
nameif NEWNAME
exit
Step 3:
access-list inside_access_in rename NEWNAME_access_in
------------------------------------------------------------------
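A dry run of the three-step procedure above, written as an added example for this thread (not code from the thread, Cisco, or ASDM): it rewrites a saved config the way the thread's show run output shows the ASA doing on its own, renames the ACL, confirms no "nameif" line was lost, and lists leftover free-text mentions of the old name that need a manual decision. The sample config is constructed from the thread's snippets, and treating nat zone pairs as auto-updated is an assumption.

```python
import re

# Constructed sample modelled on the thread's snippets (not a real device dump);
# the description line shows free text that an automatic rename will NOT touch.
SAMPLE_CONFIG = """\
interface GigabitEthernet1
 description uplink to inside LAN
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
access-list inside_access_in extended permit tcp object HOST-192.168.1.10 object net-DMZ-172.16.0.0-25 eq ftp
mtu inside 1500
route inside 192.168.50.0 255.255.255.0 192.168.1.1 1
nat (inside,outside) source dynamic any interface
access-group inside_access_in in interface inside
"""

def _word(name):
    # Match `name` only as a whole token, so 'inside' never hits 'inside_access_in'
    return r"(?<![\w-])" + re.escape(name) + r"(?![\w-])"

def _rewrite(config, prefixes, old, new):
    # Replace `old` with `new` only where it directly follows one of the command prefixes
    lines = config.splitlines()
    for pre in prefixes:
        pat = pre + _word(old)
        lines = [re.sub(pat, lambda m: m.group(1) + new, l) for l in lines]
    return "\n".join(lines) + "\n"

def rename_interface(config, old_if, new_if):
    # Commands the thread shows the ASA updating on its own after a new 'nameif'
    # (nameif, mtu, route, access-group ... interface); nat zone pairs are an assumption
    prefixes = [r"^(\s*nameif )", r"^(mtu )", r"^(route )",
                r"^(access-group \S+ (?:in|out) interface )", r"(\()", r"(,)"]
    return _rewrite(config, prefixes, old_if, new_if)

def rename_acl(config, old_acl, new_acl):
    # Equivalent of 'access-list <old> rename <new>': ACEs and the access-group binding move
    return _rewrite(config, [r"^(access-list |access-group )"], old_acl, new_acl)

def leftover_references(config, *names):
    # Lines still mentioning a renamed token: free text the rename cannot know about
    return [l for l in config.splitlines() if any(re.search(_word(n), l) for n in names)]

def plan_rename(config, old_if, new_if, old_acl, new_acl):
    # Dry run of the whole change; nameif_kept guards the one mistake that stops traffic:
    # losing the 'nameif' line instead of replacing it
    new = rename_acl(rename_interface(config, old_if, new_if), old_acl, new_acl)
    nameif_kept = len(re.findall(r"^\s*nameif ", new, re.M)) == len(re.findall(r"^\s*nameif ", config, re.M))
    return new, leftover_references(new, old_if, old_acl), nameif_kept
```

Diff the returned config against the running config after the maintenance window to confirm the device produced the same result as the dry run.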
07-20-2014 11:16 PM
Hi,
Yes, that should be it.
I have done this on a couple of firewalls in active use and there were no effects on the user traffic that I know of. In those cases pretty much all interfaces were renamed, and also their ACLs, as part of cleaning up the configurations.
The Command Reference doesn't mention much related to the "nameif" command. I guess the important thing in it (that I mentioned also) is that you should NOT remove the "nameif" command BUT just configure it using the new "nameif" value, so that you don't remove any existing configurations.
- Jouni
07-20-2014 11:23 PM
Thanks again Jouni.
07-21-2014 12:27 AM
Hi,
No problem. Let us know how the change goes :)
Please do remember to mark a reply as the correct answer if it answered your question and rate helpful answers.
- Jouni