06-28-2014 08:32 AM - edited 03-11-2019 09:23 PM
Hi Everyone,
During our maintenance window I need to delete a few interfaces from the ASA.
In ASDM, when I filter by these interface names I see many ACLs configured for these interfaces, but the ACLs have different names compared to the interface names.
If I delete the interface, will it also delete all those ACLs and any object groups configured under the interface subnets?
Or
What else will be deleted when I delete the interface from the ASA?
Regards
Mahesh
06-28-2014 11:13 AM
Everything that references the interface will be deleted. So your ACLs should be fine unless you have referenced any interfaces in those access lists. For example:
access-list TEST permit tcp interface inside any eq 80 <-- this statement will still be present, but the reference to "inside" will be deleted. I am testing this on version 8.4, so in later versions this line might be deleted.
All NAT statements that reference the interface will be deleted.
All service-policy configuration that references the interface will be deleted.
I would go on the assumption that everything that references the interface you delete will also be deleted.
--
Please remember to select a correct answer and rate helpful posts
06-28-2014 01:28 PM
Hi Marius,
When you say the reference will be deleted, does it mean that the ACL below will still be present?
access-list TEST permit tcp inside any eq 80
When I do sh access-group on the ASA it shows
access-group inside_access_in in interface inside
So if I delete the inside interface and do sh access-group, will it still show the ACL
inside_access_in?
Regards
Mahesh
06-28-2014 01:49 PM
You would have to rewrite that ACL entry, as it will either be deleted or the reference to the inside interface will be deleted and the rest of the ACL will remain. When I tested it, my ACL remained but the name of the interface was removed. As I mentioned, I am testing this on an 8.4 box, so it is possible that in newer versions this ACL will be deleted.
The access-group inside_access_in in interface inside command will be deleted once you delete the inside interface. Actually, you don't need to delete the inside interface for it to be deleted; you only need to remove the nameif command from the interface. Once the nameif is removed from the interface, all commands that reference that name will also be deleted.
This is why I stated that you should assume that all commands that reference the name of the interface you are deleting will also be deleted. That would include, but is not limited to, ACLs, NAT, policy maps, and static routes, just to name a few.
--
Please remember to select a correct answer and rate helpful posts
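A pre-change audit for the question above (and for the same concern in the later multiple-context post): an added example, not code from the thread or from Cisco, that walks a running config and lists every line referencing a given nameif, so you know what the ASA will drop before you remove the interface. The sample config is constructed; the split between commands removed whole and ACEs that survive minus their interface keyword follows what Marius observed on 8.4.

```python
import re

# Constructed sample ASA running-config excerpt (not from any device in the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
access-list TEST extended permit tcp interface inside any eq 80
access-list inside_access_in extended permit ip 10.1.1.0 255.255.255.0 any
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group inside_access_in in interface inside
access-group OUTSIDE_IN in interface outside
nat (inside,outside) source dynamic any interface
route inside 10.2.0.0 255.255.0.0 10.1.1.254 1
service-policy INSIDE_POLICY interface inside
"""


def interface_references(config: str, nameif: str) -> dict:
    """Group config lines that reference `nameif` by what happens when the nameif goes.

    'whole-line': commands the ASA removes entirely (access-group, nat, route,
    service-policy).  'partial': ACEs that stay but lose their interface keyword,
    so they must be reviewed and rewritten by hand.
    """
    name = re.escape(nameif)
    # Matches "interface <name>" or "<name>" inside a nat "(real,mapped)" pair.
    pat = re.compile(rf"(?:\binterface\s+{name}\b|\(\s*{name}\s*,|,\s*{name}\s*\))")
    refs = {"whole-line": [], "partial": []}
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("access-list ") and pat.search(s):
            refs["partial"].append(s)
        elif s.startswith(("access-group ", "nat ", "service-policy ")) and pat.search(s):
            refs["whole-line"].append(s)
        elif s.startswith(f"route {nameif} "):
            refs["whole-line"].append(s)
    return refs


def bound_acls(config: str, nameif: str) -> list:
    """Names of ACLs whose access-group binding to `nameif` will disappear."""
    found = []
    for line in config.splitlines():
        m = re.match(rf"access-group\s+(\S+)\s+(?:in|out)\s+interface\s+{re.escape(nameif)}$", line.strip())
        if m:
            found.append(m.group(1))
    return found
```

Run it against `show running-config` output saved to a file before the change window; anything in the "partial" list is a rule that stays in the config with a different meaning than before.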
06-28-2014 02:19 PM
Many thanks, Marius, for replying.
Best regards
Mahesh
09-10-2018 02:07 AM
Hi Marius & gents,
A couple of years later, about the same question: on a multiple-context 9.6 box I need to unassign an interface from one context and move it to another one.
I am in the system execution space and about to enter:
context fw-lan
description LAN
no allocate-interface Port-channel21.6 visible
Now in the fw-lan context I have a bunch of config related to this interface Port-channel21.6:
- access-group
- nat
- object groups
I am concerned about any production impact on the firewall when removing the interface from the context.
The Cisco documentation on 9.6 multiple context does NOT mention any warning for the no allocate-interface command.
Thoughts?