NAT/ACL Naming "Best Practices or Tips"

Delmiro Campelo
Level 1

Hello Support Community,

I'm about to embark on a migration of servers from another firewall vendor into the Cisco ASAs (version 9.1.2). I was hoping that I could get some ideas or suggestions from the experts on best practices for naming objects and object-groups for your NAT or ACL commands. Do you normally name them based on the server or service functions, or do you normally name them based on the IP address that they are using? If you have any samples that you could share, that would be great! I'm just looking for things to spark ideas.

I appreciate your help and time.

Delmiro

Accepted Solutions

Julio Carvajal
VIP Alumni

Hello Delmiro,

Well, that depends on you.

I mean, as a TAC engineer dealing with different customer networks every day, for me it's easier to see object groups that are named via IP addresses (because then I do not need to look inside the object to get the IP).

But I guess that if I were the network admin of a company, then I should be really aware of all the network devices, so the names would help at the time of configuring, and troubleshooting would be way faster and easier.

Do you see my point here?

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks, Julio.

Hi,

I would also say that my personal preference is to use CAPS/Capital letters completely on the ASA "object" / "object-group" / "access-list" / etc name configurations.

Interfaces I tend to name with small letters and try to keep them short while having possible additional information related to the interface under the "description" field of the interface.

The reason for using CAPS in the names of all configured objects is the basic fact that most if not all ASA configuration parameters are shown with small letters. Having all the created objects named with CAPS makes them easier to read (for me personally at least) and separates them nicely from actual configuration commands.

I do mix IP addresses in the names of the objects, but I tend to limit the use of those since using them a lot makes the configuration harder to read in my opinion.

In the end your specific setup comes down to the complexity/size of the current network and the possible future network.

- Jouni
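
A sample of the conventions discussed in this thread, added here as an illustration and not taken from any poster's configuration: CAPS names for objects, groups and ACLs, short lowercase interface names with a description, and a function-based object name shown beside an IP-based one. All names and addresses are constructed (RFC 1918 and RFC 5737 documentation ranges), and the prefixes SRV-, H-, GRP- and SVC- are assumptions, not a Cisco standard.

```cisco
! Constructed example: every name and address below is made up.
! Interfaces: short lowercase nameif, details go in the description field.
interface GigabitEthernet0/0
 description Uplink to ISP edge router
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 description Server VLAN, web and mail hosts
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! Function-based name in CAPS. The real and mapped IPs are repeated in the
! description so they are visible without reading the host/nat lines.
object network SRV-WEB-01
 description Public web server, real 10.10.10.21, mapped 203.0.113.21
 host 10.10.10.21
 nat (dmz,outside) static 203.0.113.21
!
! IP-based name: readable for someone who does not know the site,
! but the name must be changed if the host is readdressed.
object network H-10.10.10.25
 description Mail relay
 host 10.10.10.25
 nat (dmz,outside) static 203.0.113.25
!
! Groups named by role, so rules keep reading correctly as members change.
object-group network GRP-DMZ-WEB
 network-object object SRV-WEB-01
!
object-group service SVC-WEB tcp
 port-object eq www
 port-object eq https
!
! ACL named after the interface and direction it is applied to.
access-list OUTSIDE-IN remark Inbound web to DMZ web servers
access-list OUTSIDE-IN extended permit tcp any object-group GRP-DMZ-WEB object-group SVC-WEB
access-list OUTSIDE-IN remark Inbound SMTP to mail relay
access-list OUTSIDE-IN extended permit tcp any object H-10.10.10.25 eq smtp
access-group OUTSIDE-IN in interface outside
```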

Thanks Jouni for sharing that tip!
