
Entries in CONFIG (2)

Wednesday
04Nov2009

What's in a name?

Cisco ASA uses the names command to enable associating a name with an IP address. Once you have issued the names command, you can use the name command to identify a host by a text name and map text strings to IP addresses. This sounds great, because who can remember all the IP addresses associated with hosts in your network? There are some gotchas to look out for.

If you hate the length of your config when you do a show run command, just wait until you start using the name command.  The name entries are usually added to the top of the config and add a ton of lines to filter through. You could use the command:


     show run | exclude name


This command would not display the name entries; however, you would also miss any other config lines that contain the string "name", like:

     hostname ciscoasa
     domain-name showcrypto.com


I think you get the picture. Cisco should add an option to display the config without name entries. The other annoyance I have with the names command is its default behavior of using name values in logging.  Syslog now contains name values instead of IP addresses. Usually when I search through syslog events I do it by IP address and not by the name value in my ASA config.  To revert to IP addresses in your logging events, use this command:

     no names

If you get completely fed up with names you can issue the following command:

     clear configure name
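
An offline alternative to the two workarounds above, as an added example that is not part of the original post: it drops only the name entries from a saved config and maps names in syslog lines back to IP addresses so you can still search by IP. The sample config, the abbreviated syslog lines and the function names are constructed for illustration.

```python
import re

# Constructed sample of a saved "show run" (names and addresses are made up).
SAMPLE_CONFIG = """\
hostname ciscoasa
domain-name showcrypto.com
names
name 10.1.1.10 webserver description Intranet web
name 192.168.5.20 mailhost
access-list outside_in extended permit tcp any host webserver eq www
"""

# Constructed, abbreviated syslog lines as logged while "names" is enabled.
SAMPLE_SYSLOG = [
    "%ASA-6-302013: Built inbound TCP connection 4411 for outside:203.0.113.7/51515"
    " (203.0.113.7/51515) to inside:webserver/80 (webserver/80)",
    "%ASA-4-106023: Deny tcp src outside:198.51.100.9/4040 dst inside:mailhost/25",
    "%ASA-4-106023: Deny tcp src outside:198.51.100.9/4041 dst inside:webserver2/80",
]

NAME_ENTRY = re.compile(r"^name\s+(\S+)\s+(\S+)")


def parse_names(config):
    """Return {name: ip} from 'name <ip_address> <name> [description ...]' lines."""
    matches = (NAME_ENTRY.match(line) for line in config.splitlines())
    return {m.group(2): m.group(1) for m in matches if m}


def strip_name_entries(config):
    """Drop only 'names' and 'name ...' lines; hostname and domain-name stay."""
    return [l for l in config.splitlines() if not re.match(r"^names?(\s|$)", l)]


def names_to_ips(line, names):
    """Replace whole-token names in a log line with their IP addresses."""
    if not names:
        return line
    alternation = "|".join(re.escape(n) for n in sorted(names, key=len, reverse=True))
    # Lookarounds stop "webserver" from matching inside "webserver2" or an FQDN.
    token = re.compile(r"(?<![\w.-])(?:%s)(?![\w.-])" % alternation)
    return token.sub(lambda m: names[m.group(0)], line)


if __name__ == "__main__":
    table = parse_names(SAMPLE_CONFIG)
    print("\n".join(strip_name_entries(SAMPLE_CONFIG)))
    for entry in SAMPLE_SYSLOG:
        print(names_to_ips(entry, table))
```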

Monday
30Mar2009

Configuring WCCP - Cisco ASA

Using the WCCP protocol on an ASA allows you to redirect traffic to a cache-engine (bluecoat, ironport, webwasher). The main limitation of WCCP on the ASA is that it cannot direct traffic across interfaces on the firewall. This means that if you configure WCCP to redirect traffic on the inside interface of your firewall, you have to have your cache-engine on that same interface. If you configure WCCP and need to filter traffic on other interfaces of your ASA, your only option is to use an explicit proxy configuration or add an additional cache-engine.