Cisco ASA - Delete or rename "names"

laf
8 years ago
I had a bad experience with Cisco ASA when changing/renaming "nameif" interface attributes.
I would like to know if renaming or simply deleting existing names used in ASA config will do any damage to the configuration.
8 Points 0 Comments Share
Mike Pennington Turn off AdBlock to see the correct answer
8 years ago
..

This site survives thanks to advertising. Disable AdBlock to see the whole correct answer at no cost!
We promise you will not find boring advertisements. Find out how to disable Adblock by clicking on this link.
Remember to update the page once you have disabled it.
12 Points 3 Comments
laf 8 years ago
Thank you, good to know it. Still I am concern about deleting the names. E.g. names name 10.16.146.10 FTP-Server
laf 8 years ago
One little question: do you happen to know since when this feature was added? I run 8.0.4 on the present device.
Mike Pennington 8 years ago
According to the ASA 8.0 nameif docs, it works in 8.0 too

I would like to know if renaming or simply deleting existing names used in ASA config will do any damage to the configuration.

You can safely delete and add name aliases because the ASA reverts to the IP address when the name disappears...

The original alias is Xbox...

asa5505(config)# sh runn | i Xbox
name 172.16.1.20 Xbox description Xbox
access-list INSIDE_in extended permit udp host Xbox any eq domain
access-list INSIDE_in extended permit tcp host Xbox any eq domain
access-list INSIDE_in extended permit udp host Xbox any eq 3074
access-list INSIDE_in extended permit tcp host Xbox any eq 3074
access-list INSIDE_in extended permit udp host Xbox any eq 88

Now deleting Xbox

asa5505(config)# no name 172.16.1.20 Xbox
asa5505(config)# sh runn | i 172.16.1.20
access-list INSIDE_in extended permit udp host 172.16.1.20 any eq domain
access-list INSIDE_in extended permit tcp host 172.16.1.20 any eq domain
access-list INSIDE_in extended permit udp host 172.16.1.20 any eq 3074
access-list INSIDE_in extended permit tcp host 172.16.1.20 any eq 3074
access-list INSIDE_in extended permit udp host 172.16.1.20 any eq 88
asa5505(config)#

And adding Xbox-new on the same address...

asa5505(config)# name 172.16.1.20 XBox-new descr temporary example
asa5505(config)# sh runn | i 172.16.1.20
name 172.16.1.20 XBox-new description temporary example
asa5505(config)# sh runn | i XBox
name 172.16.1.20 XBox-new description temporary example
access-list INSIDE_in extended permit udp host XBox-new any eq domain
access-list INSIDE_in extended permit tcp host XBox-new any eq domain
access-list INSIDE_in extended permit udp host XBox-new any eq 3074
access-list INSIDE_in extended permit tcp host XBox-new any eq 3074
access-list INSIDE_in extended permit udp host XBox-new any eq 88
asa5505(config)#

Bonus material: renaming a nameif

I had a bad experience with Cisco ASA when changing/renaming "nameif" interface attributes.

Renaming nameif on an interface works just fine in ASA 8.2(5)... This is an example of changing nameif OUTSIDE to nameif newOUTSIDE

asa5505# sh nameif
Interface                Name                     Security
Vlan100                  OUTSIDE                    0
Vlan200                  INSIDE                   100
asa5505# sh runn | i access-group
access-group OUTSIDE_in in interface OUTSIDE
access-group INSIDE_in in interface INSIDE
asa5505# conf t
asa5505(config)# int vlan100
asa5505(config-if)# nameif newOUTSIDE
asa5505(config-if)# show nameif
Interface                Name                     Security
Vlan100                  newOUTSIDE                 0
Vlan200                  INSIDE                   100
asa5505(config-if)# sh runn | i newOUTSIDE
 nameif newOUTSIDE
mtu newOUTSIDE 1500
global (newOUTSIDE) 1 interface
access-group OUTSIDE_in in interface newOUTSIDE
ssl trust-point LOCAL_CERT_gw_200904 newOUTSIDE
asa5505(config-if)#

The ASA even renamed the interface references from OUTSIDE to newOUTSIDE automatically... TCP sessions through the FW did not drop when I did it.

WARNING

Whatever you do, do not try no nameif <something here>... it will hose your config...

asa5505(config)# int vlan100
asa5505(config-if)# no nameif OUTSIDE
asa5505(config-if)# nameif newBrokenOUTSIDE

12 Points 3 Comments Share Donate

laf 8 years ago

Thank you, good to know it. Still I am concern about deleting the names. E.g. names name 10.16.146.10 FTP-Server

laf 8 years ago

One little question: do you happen to know since when this feature was added? I run 8.0.4 on the present device.

Mike Pennington 8 years ago

According to the ASA 8.0 nameif docs, it works in 8.0 too

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM

Tags used

cisco cisco-asa firewall