07-08-2015 10:37 AM - edited 03-11-2019 11:14 PM
I apologize if this has already been answered somewhere, but I cannot find a response to this question:
Assume an ASA firewall has a rule R: permit 1.1.1.1 to 2.2.2.2 with service A
And I have created a service-group G which includes services A and B
If I removed R and replaced it with a new rule: permit 1.1.1.1 2.2.2.2 with service-group G, then pushed the config
would connections from 1.1.1.1 to 2.2.2.2 using service A be interrupted, or would the firewall maintain current service A connections without interruption?
Thanks,
Ben
07-08-2015 10:46 AM
"If I removed R and replaced it with a new rule: permit 1.1.1.1 2.2.2.2 with service-group G, then pushed the config would connections from 1.1.1.1 to 2.2.2.2 using service A be interrupted, or would the firewall maintain current service A connections without interruption?"
If you add the new rule, before deleting the old one, then there is no interruption to traffic.
If you remove the rule "R" and then you add a new rule after that which includes the same permit line as in rule "R", then there is an interruption for the duration of removing and adding the new rule.
Hope that answers your question.
thanks
07-08-2015 11:25 AM
So what about the following more specific example:
If the firewall currently has an ACE of
access-list interface1 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 22
as its first entry and we run the following commands
Connections will not be interrupted because they are applied at the same time? Or does the order need to be command 6 before 5?
07-08-2015 12:17 PM
It will be interrupted if you do it as per line 5 and 6, it is best you add the new line first and remove the old after.
thanks
07-08-2015 12:18 PM
Thank you
07-08-2015 01:16 PM
To be more specific, existing connections with xlate entries should continue. The brief interruption would be for new connections, if the old rule is deleted before the new rule is added and you don't have asp rule-engine transactional-commit access-group turned on, or you don't submit the commands all at once.
-- Jim Leinweber, WI State Lab of Hygiene
07-08-2015 01:37 PM
Thank you for the information, what qualifies as "all at once"? Would executing these commands as a script provide no human-noticeable interruption of service?
07-09-2015 11:59 AM
Beats me, alas. If I had to guess, each individual line of config change probably ends up as its own separate transaction. I work with fairly small (low thousands of lines), fairly stable (low changes per week) configurations and scheduled maintenance windows where it isn't an issue for me, luckily.
If you absolutely need no interruption I'd go with both rizwanr74's good advice to add the new permit before deleting the old one, plus (if applicable to your firmware version) the asp rule-engine thing.
-- Jim Leinweber, WI State
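The add-before-remove sequence recommended in the thread, written out as an added ASA CLI example (not from any poster). It assumes the ACL name interface1 and the ssh entry from the thread, and assumes service B is tcp/443 and the group name G; adjust to your own config.

```cisco
! Assumption: ACL "interface1" currently starts with the old single-service ACE
!   access-list interface1 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 22
! Goal: replace it with a service-group ACE without dropping traffic.

! 1. Optional, firmware permitting: apply access-group changes as one
!    transaction, so the rule engine never evaluates a half-updated ACL.
asp rule-engine transactional-commit access-group

! 2. Define the service group first (services A = ssh, B = 443 assumed).
object-group service G tcp
 port-object eq 22
 port-object eq 443

! 3. Insert the NEW ACE at line 1, ahead of the old one. Both now match
!    1.1.1.1 -> 2.2.2.2 tcp/22, so every new ssh connection is still permitted.
access-list interface1 line 1 extended permit tcp host 1.1.1.1 host 2.2.2.2 object-group G

! 4. Only now remove the old ACE (it has shifted to line 2).
no access-list interface1 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 22

! 5. Verify: the group ACE is present and the established ssh session is still
!    in the connection table (existing conns keep their xlate either way).
show access-list interface1
show conn address 1.1.1.1
```

Running step 4 before step 3 is the ordering the thread warns about: new ssh connections would be denied in the window between the two commands unless transactional commit is on.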