https://community.cisco.com/t5/network-security/asa-removing-acl-lines/m-p/3189071#M1065865 I figured as much. This is why you don't use ASDM for all your firewall configuration. Mon, 25 Sep 2017 14:04:07 GMT Steven Williams 2017-09-25T14:04:07Z https://community.cisco.com/t5/network-security/asa-removing-acl-lines/m-p/3188975#M1065861 <P>So I am in this dilema where the person before me configured our internet ASA using all ASDM, so its hard to figure out what is what in the CLI since all I see is DM_INLINE_blah.</P><P>&nbsp;</P><P>for example:</P><P>&nbsp;</P><P>access-list INSIDE_access_in line 15 extended permit object-group DM_INLINE_SERVICE_6 object-group DM_INLINE_NETWORK_9 any log informational interval 300 0x0aef5baa<BR />access-list INSIDE_access_in line 15 extended permit tcp 10.0.0.0 255.0.0.0 any eq 1935 log informational interval 300 (hitcnt=2013) 0x8fb5bf4b<BR />access-list INSIDE_access_in line 15 extended permit tcp ALL_172.16 255.255.0.0 any eq 1935 log informational interval 300 (hitcnt=0) 0x4f0c2f97<BR />access-list INSIDE_access_in line 15 extended permit tcp ALL_172.26 255.255.0.0 any eq 1935 log informational interval 300 (hitcnt=0) 0x6e98f459<BR />access-list INSIDE_access_in line 15 extended permit tcp 192.168.0.0 255.255.0.0 any eq 1935 log informational interval 300 (hitcnt=0) 0xb2262918</P><P>&nbsp;</P><P>As you can see some lines do not have hit counts and I want to remove them. Can I do this line by line or is going to mess something up?</P><P>&nbsp;</P><P>Can I do a "no&nbsp;&nbsp;access-list INSIDE_access_in line 15 extended permit tcp 192.168.0.0 255.255.0.0 any eq 1935"and have it take out that one line only?</P><P>&nbsp;</P><P>Oh to make it better this is Code 8.2 &nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 21 Feb 2020 14:21:30 GMT https://community.cisco.com/t5/network-security/asa-removing-acl-lines/m-p/3188975#M1065861 Steven Williams 2020-02-21T14:21:30Z https://community.cisco.com/t5/network-security/asa-removing-acl-lines/m-p/3189043#M1065862 <P>Hi Steven,</P><P>&nbsp;</P><P>Run the following command to check which subnets are there in the object-group:&nbsp;</P><P><STRONG>show run object-group id DM_INLINE_NETWORK_9</STRONG></P><P>&nbsp;</P><P><SPAN>Then remove those are not required as below:</SPAN></P><P>&nbsp;</P><P><STRONG><SPAN>object-group network DM_INLINE_NETWORK_9</SPAN></STRONG></P><P><STRONG>&nbsp;no network-object 192.168.0.0 255.255.0.0</STRONG></P><P>&nbsp;</P><P>"no" in front of network-object will remove subnet from the object, so in this way the ACL line will also be removed.</P> Mon, 25 Sep 2017 13:30:39 GMT https://community.cisco.com/t5/network-security/asa-removing-acl-lines/m-p/3189043#M1065862 Spooster IT Services 2017-09-25T13:30:39Z https://community.cisco.com/t5/network-security/asa-removing-acl-lines/m-p/3189067#M1065863 The issue with removing the network object is that the acl has multiple ports tied to it. So while 192.168.0.0 255.255.0.0 may not be using port 80 its using port 1433 in the same ACE. Mon, 25 Sep 2017 13:59:33 GMT https://community.cisco.com/t5/network-security/asa-removing-acl-lines/m-p/3189067#M1065863 Steven Williams 2017-09-25T13:59:33Z https://community.cisco.com/t5/network-security/asa-removing-acl-lines/m-p/3189070#M1065864 <P>Hi Steven,</P><P>&nbsp;</P><P>In this case you need to create multiple object-group for ports and define accordingly.</P><P>But there is no way to delete a single ACE without removing subnet from object group.</P> Mon, 25 Sep 2017 14:02:37 GMT https://community.cisco.com/t5/network-security/asa-removing-acl-lines/m-p/3189070#M1065864 Spooster IT Services 2017-09-25T14:02:37Z https://community.cisco.com/t5/network-security/asa-removing-acl-lines/m-p/3189071#M1065865 I figured as much. This is why you don't use ASDM for all your firewall configuration. Mon, 25 Sep 2017 14:04:07 GMT https://community.cisco.com/t5/network-security/asa-removing-acl-lines/m-p/3189071#M1065865 Steven Williams 2017-09-25T14:04:07Z