https://community.cisco.com/t5/network-security/reconfigure-ace/m-p/2497237#M235372 <P>hi all,</P><P>i got an ASA 5520 currently in production and need to reconfigure some entries on ACL.</P><P>currently, the ACL is using IPs but I wanted to use object/alias for other admins to easily recognize the ACE.</P><P>i already have the object network created for static NAT and want to use them for my ACE.</P><P>can i do as below without causing any downtime to the user/network?</P><P>object network MY_OBJ<BR />&nbsp;host 172.27.1.2</P><P>access-list OUTSIDE extended permit ip any object MY_OBJ</P><P>no access-list OUTSIDE extended permit ip any 172.27.1.2</P> Tue, 12 Mar 2019 04:39:55 GMT johnlloyd_13 2019-03-12T04:39:55Z https://community.cisco.com/t5/network-security/reconfigure-ace/m-p/2497237#M235372 <P>hi all,</P><P>i got an ASA 5520 currently in production and need to reconfigure some entries on ACL.</P><P>currently, the ACL is using IPs but I wanted to use object/alias for other admins to easily recognize the ACE.</P><P>i already have the object network created for static NAT and want to use them for my ACE.</P><P>can i do as below without causing any downtime to the user/network?</P><P>object network MY_OBJ<BR />&nbsp;host 172.27.1.2</P><P>access-list OUTSIDE extended permit ip any object MY_OBJ</P><P>no access-list OUTSIDE extended permit ip any 172.27.1.2</P> Tue, 12 Mar 2019 04:39:55 GMT https://community.cisco.com/t5/network-security/reconfigure-ace/m-p/2497237#M235372 johnlloyd_13 2019-03-12T04:39:55Z https://community.cisco.com/t5/network-security/reconfigure-ace/m-p/2497238#M235373 <P>Hi John,</P><P>There shouldn't be much problem..... but make sure that you prioritize the new rule with object using line numbers..... then you should be able to see hits on the new line rather than the existing line of old acl... might be the active connections will get a slight impact..... let me do a small lab and confirm you on this....</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards</P><P></P><P>Karthik</P> Fri, 22 Aug 2014 08:52:27 GMT https://community.cisco.com/t5/network-security/reconfigure-ace/m-p/2497238#M235373 nkarthikeyan 2014-08-22T08:52:27Z https://community.cisco.com/t5/network-security/reconfigure-ace/m-p/2497239#M235374 <P>Hi John,</P><P>&nbsp;</P><P>I did a lab on this with icmp and i do not see a ping drop when i put object acl in priority and remove the existing acl then next....</P><P>Immediately after placing the new acl line, hits started to the new acl line and old acl line hits stopped at the same moment... so there shouldn't be any problem in doing that...</P><P>&nbsp;</P><P>access-list outbound; 2 elements; name hash: 0x873017e8<BR />access-list outbound line 1 extended permit ip object test_local object test_remote (hitcnt=0) 0x24731aff<BR />&nbsp; access-list outbound line 1 extended permit ip host 10.0.0.10 host 172.16.0.10 <STRONG>(hitcnt=7)</STRONG> 0x24731aff<BR />access-list outbound line 2 extended permit ip host 10.0.0.10 host 172.16.0.10 <STRONG>(hitcnt=94) </STRONG>0x4e29395e<BR />access-list inbound; 1 elements; name hash: 0x793e9c88<BR />access-list inbound line 1 extended permit icmp any any echo-reply (hitcnt=86) 0x55127d11<BR />ciscoasa# sh access-list<BR />access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; alert-interval 300<BR />access-list outbound; 2 elements; name hash: 0x873017e8<BR />access-list outbound line 1 extended permit ip object test_local object test_remote (hitcnt=0) 0x24731aff<BR />&nbsp; access-list outbound line 1 extended permit ip host 10.0.0.10 host 172.16.0.10 (hitcnt=18) 0x24731aff<BR />access-list outbound line 2 extended permit ip host 10.0.0.10 host 172.16.0.10<STRONG> (hitcnt=94) </STRONG>0x4e29395e<BR />access-list inbound; 1 elements; name hash: 0x793e9c88<BR />access-list inbound line 1 extended permit icmp any any echo-reply (hitcnt=97) 0x55127d11<BR />ciscoasa# sh access-list<BR />access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; alert-interval 300<BR />access-list outbound; 2 elements; name hash: 0x873017e8<BR />access-list outbound line 1 extended permit ip object test_local object test_remote (hitcnt=0) 0x24731aff<BR />&nbsp; access-list outbound line 1 extended permit ip host 10.0.0.10 host 172.16.0.10 (hitcnt=19) 0x24731aff<BR />access-list outbound line 2 extended permit ip host 10.0.0.10 host 172.16.0.10 <STRONG>(hitcnt=94) 0x4e29395e</STRONG><BR />access-list inbound; 1 elements; name hash: 0x793e9c88</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards</P><P>Karthik</P> Fri, 22 Aug 2014 09:27:05 GMT https://community.cisco.com/t5/network-security/reconfigure-ace/m-p/2497239#M235374 nkarthikeyan 2014-08-22T09:27:05Z https://community.cisco.com/t5/network-security/reconfigure-ace/m-p/2497240#M235375 <P>The easy way would be to add new ACE with Objects and login to firewall from asdm, reorder the newly added ACE above the old one where you have ip. &nbsp;Than&nbsp;monitor the hit count on that particular ace which will ensure that traffic is hitting it. &nbsp;</P><P>After you see hit count going up you can safely remove old entries... this way you should not have any down time whatsoever&nbsp;</P> Fri, 22 Aug 2014 13:22:36 GMT https://community.cisco.com/t5/network-security/reconfigure-ace/m-p/2497240#M235375 Saqib Raza 2014-08-22T13:22:36Z https://community.cisco.com/t5/network-security/reconfigure-ace/m-p/2497241#M235377 <P>thanks for your inputs!</P> Sat, 23 Aug 2014 13:40:11 GMT https://community.cisco.com/t5/network-security/reconfigure-ace/m-p/2497241#M235377 johnlloyd_13 2014-08-23T13:40:11Z