06-10-2013 04:40 PM - edited 03-11-2019 06:55 PM
Hello Support Community,
I'm about to embark on a migration of servers from another firewall vendor into the Cisco ASAs (version 9.1.2). I was hoping that I could get some ideas or suggestions from the experts for some best practices for naming objects and object-groups for your NAT or ACL commands. Do you normally name them based on the server or service functions? Or do you normally name them based on the IP address that they are using? If you have any samples that you could share, that would be great! I'm just looking for things to spark ideas.
I appreciate your help and time.
Delmiro
06-10-2013 08:54 PM
Hello Delmiro,
Well, that depends on you.
I mean, as a TAC engineer dealing with different customer networks every day, for me it's easier to see object groups that are named via IP addresses (because then I do not need to look inside the object to get the IP).
But I guess that if I were the network admin of a company, then I should be really aware of the entire network devices, so the names would help at the time of configuring; troubleshooting would be way faster and easier.
Do you see my point here?
Julio
06-11-2013 04:55 AM
Thanks, Julio
06-11-2013 05:03 AM
Hi,
I would also say that my personal preference is to use CAPS/Capital letters completely on the ASA "object" / "object-group" / "access-list" / etc name configurations.
Interfaces I tend to name with small letters and try to keep them short while having possible additional information related to the interface under the "description" field of the interface.
The reason for using CAPS in the names of all configured objects is the basic fact that most if not all ASA configuration parameters are shown with small letters. Having all the created objects named with CAPS makes them easier to read (for me personally at least) and separates them nicely from actual configuration commands.
I do mix IP addresses in the names of the objects, but I tend to limit the use of those since, when used a lot, it makes the configuration harder to read in my opinion.
In the end your specific setup comes down to the complexity/size of the current network and the possible future network.
- Jouni
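The convention described in the post above (all-caps names for "object", "object-group" and "access-list", lowercase interface names) can be checked mechanically before a migrated configuration is loaded. The following is an added example, not code from the thread or from Cisco; the sample configuration, its names and addresses, and the `audit_names` helper are constructed for illustration.

```python
import re

# Constructed sample in ASA 9.x syntax; names and addresses are illustrative.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 description Uplink to ISP
interface GigabitEthernet0/1
 nameif DMZ
object network WEB-SERVER-01
 host 192.0.2.10
object network mailserver
 host 192.0.2.25
object-group service WEB-PORTS tcp
 port-object eq 443
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER-01 eq 443
access-list outside_in extended permit tcp any object mailserver eq 25
"""

# Top-level commands whose user-chosen name should be all caps.
NAMED = re.compile(
    r"^(object network|object service|object-group \S+|access-list)\s+(\S+)"
)
# Interface names (nameif) should be lowercase under the same convention.
NAMEIF = re.compile(r"^\s*nameif\s+(\S+)")


def audit_names(config):
    """Return sorted (kind, name) pairs that break the naming convention."""
    findings = set()  # a set, because one ACL name repeats on every ACE
    for line in config.splitlines():
        m = NAMED.match(line)
        if m and m.group(2) != m.group(2).upper():
            findings.add((m.group(1).split()[0], m.group(2)))
        m = NAMEIF.match(line)
        if m and m.group(1) != m.group(1).lower():
            findings.add(("nameif", m.group(1)))
    return sorted(findings)


if __name__ == "__main__":
    for kind, name in audit_names(SAMPLE_CONFIG):
        print(f"{kind}: {name}")
```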
06-11-2013 05:38 AM
Thanks Jouni for sharing that tip!