Remove "inside" interface in ASA Context mode

johnlloyd_13 · ‎09-18-2021

hi,

i got several "inside" interface that i needed to clean up in a multiple/context mode ASA.

it's been years since i did this and just would like to confirm my thoughts.

do i just remove or negate the subinterface under the 'system' context and all 'nameif' related config (ACL, NAT, routes) will be automatically removed in the context where it has been assigned to?

i just to ensure no other config/dependencies will be messed up

changeto system

context CONTEXT-A
no allocate-interface GigabitEthernet0/1.123

context CONTEXT-B
no allocate-interface GigabitEthernet0/1.456

no interface GigabitEthernet0/1.123

no interface GigabitEthernet0/1.456

Rob Ingram · ‎09-19-2021

Hi@johnlloyd_13

From my experience, if you remove/unallocate the interface from system context, the interface is removed from the context without a prompt or warning. In the context itself the interface is automatically gone, the ACL remains but is not applied to the interface. The NAT rules that reference the now removed interface are gone.

johnlloyd_13 · ‎09-20-2021

hi rob,

thanks for your feedback!

another question, if i just 'shutdown' the interface in 'system' context, will it automatically shutdown the interface in the assigned context?

or will it still show as up but no traffic will traverse?

Rob Ingram · ‎09-20-2021

Hi @johnlloyd_13

If you shutdown the interface in "system" context, the interface is shutdown (Status = down, Protocol = down) in the assigned context.