topic Hi, Glad to hear you got it in Network Security

corrupt access-list remarks - how to clean up?

Bengt Nilsson — Tue, 12 Mar 2019 04:27:36 GMT

Hi!

I have a Cisco 5505 firewall.

By mistake I have entered access list remarks using international characters.
Apparently, this is not handled well by the 5505. It is not possible to remove or change these remarks using the ASDM app.
The only other way (I know) to remove a remark is to connect in cli mode and enable/configure terminal and write, e.g.

no access-list outside_access_in line 61 remark myRemark

If the string "myRemark" is not recognized by the system, it will not be removed.

Since the string in my case is not possible to describe to the system, I cannot remove it.

I entered the remark string using ADSM, and the characters were translated to something that is unknown to me.

Is there any way to remove a remark without specifying the exact content?

Hi, It seems to me that the

Jouni Forss — Fri, 11 Jul 2014 14:42:31 GMT

Hi,

It seems to me that the ASA does not have a CLI command that would let you simply tell it what "line" to remove from the ACL. It seems to want the actual text/comment written after the "remark" too.

You could consider doing the following

Create a identical ACL with all the "remark" lines corrected or removed
Attach this ACL to the interface in question with "access-group" command
Remove the old (now unused ACL) with the command "clear configure access-list <acl name>"
Rename the new ACL attached to the interface with the command "access-list <current acl name> rename <new acl name>". This should let you rename the ACL to the same name it originally had

EDIT: Just to clarify a bit. The command "clear configure access-list <acl name>" will remove the whole ACL which name you give in the command.

Hope this helps 🙂

- Jouni

Through CLI you can do by

nkarthikeyan — Sat, 12 Jul 2014 08:20:47 GMT

Through CLI you can do by deleting the specified access-list line and inserting a modified access-list line in that place....

As per my knowledge you cannot do as you think.... for removing the access-list line you have to give the exact content of the ACL line.... else it will not get removed.....

In case if you have problem in removing through CLI as well.... then you can create a new ACL matching all the entries same as the existing one with a different name and then you can tag that to an interface.... and then you can delete the old acl name or you can rename the old acl to new acl and new acl to old acl.....

Regards

Karthik

Thanks for the suggestions.I

Bengt Nilsson — Mon, 14 Jul 2014 10:15:00 GMT

Thanks for the suggestions.

I have to admit I don't know how to create a new ACL to replace the old one, the "?" help function does not seem to help me there.

Any suggestions?

Hi, Well you should be able

Jouni Forss — Mon, 14 Jul 2014 10:48:21 GMT

Hi,

Well you should be able to do it pretty easily.

You can just copy the current ACL to notepad and modify the remarks and any other sections you need to and then simply replace the ACLs name with something else than the current one.

You can view the ACL in its configuration format with the command "show run access-list <acl name>". The command "show access-list <acl name>" does show the ACL but it shows it in a format that you can't directly copy paste back to the device. (It shows the hitcounts etc.)

Lets say you have this simple ACL

access-list OUTSIDE-IN remark äöäöäöäöäöä
access-list OUTSIDE-IN permit ip host 1.1.1.1 host 2.2.2.2

Now you could copy/paste that to notepad and simply change it to (-1 added to the name and changed "remark")

access-list OUTSIDE-IN-1 remark Permit some traffic
access-list OUTSIDE-IN-1 permit ip host 1.1.1.1 host 2.2.2.2

Now that you have your new ACL with corrected "remark" configured you can replace the old ACL (identical ACL, except for the corrected information) with the new one

The below command would essentially attach the below named ACL to the interface called "outside". This will replace any ACL that is currently attached to that interface.

access-group OUTSIDE-IN-1 in interface outside

Now doing the above should mean that you now have the old OUTSIDE-IN ACL on the ASA but its not attached anywhere. This ACL is the one that has the wrong "remark" that you are trying to remove. You can now use this command to remove that ACL completely from the ASA

clear configure access-list OUTSIDE-IN

I would suggest that you backup the original ACL just incase if there is some error in the new ACL so you can compare it original one.

Now that the old ACL is removed you can rename the new ACL you made and attached to the interface with the command I mentioned

access-list OUTSIDE-IN-1 rename OUTSIDE-IN

I tested this with my own firewall and it works just fine.

To my understanding changing an ACL that is used on the firewall wont affect any active connections through the firewall as those have already been allowed through the firewall. I am not sure if there is a chance that some connection attempt could be blocked while changing the used ACL on the interface but I really doubt it can have a noticiable affect as the ACL is replaced as soon as you issue the "access-group" command with the new ACL.

Hope this helps 🙂

- Jouni

Ok, got it, I found and used

Bengt Nilsson — Mon, 14 Jul 2014 10:49:14 GMT

Ok, got it, I found and used the ADSM ACL manager.

All is ok now, thanks for your support.

Case closed.

Hi, Glad to hear you got it

Jouni Forss — Mon, 14 Jul 2014 10:51:55 GMT

Hi,

Glad to hear you got it sorted out 🙂

Please do remember to rate any helpfull answer or mark a reply as the correct answer if it answered your question.

- Jouni