topic Re: Line numder in ACL in Network Security

Line numder in ACL

mahesh18 — Tue, 12 Mar 2019 01:34:16 GMT

Hi all,

I need to add new ACL to ASA by command line.

For interface say x there are 50 lines of ACL.

if i make new acl and do not put any line number where it will show up ?

At bottom of all ACL?Will it work?

I want this ACL after line number 15 but there is already another ACL with line number 16.

So need to know how can i add this ACL to existing ACL list to make it work?

Thanks

Mahesh

Re: Line numder in ACL

Jouni Forss — Wed, 24 Apr 2013 17:53:10 GMT

Hi Mahesh,

If you want to add a single ACL rule (usually called ACE = Access Rule Entry) to an existing ACL then that will work just fine.

You say you want to add an ACE to the line 16 of an existing ACL. This is no problem

Lets say you want to add this ACE

access-list INSIDE-IN permit ip host 10.10.10.10 host 20.20.20.20

If you instead wanted to add this to the line 16 of the ACL INSIDE-IN then you would enter it like this

access-list INSIDE-IN line 16 permit ip host 10.10.10.10 host 20.20.20.20

This WONT remove the old line 16 rule. It will simply move that rule to line 17. The same is naturally done for every rule after this new created rule.

- Jouni

Re: Line numder in ACL

Jouni Forss — Wed, 24 Apr 2013 17:55:14 GMT

Also,

If you add an ACE to an ACL without any line number then it will simply be added to the bottom of the ACL.

Wether it will work will depend if any ACE before it would deny the connection we are trying to allow.

- Jouni

Line numder in ACL

mahesh18 — Wed, 24 Apr 2013 18:05:39 GMT

Hi Jouni,

So on line number 16 i want to add another subnet with new ACL.

So i can add using CLI by using

access-list INSIDE-IN line 15 permit ip host 10.10.10.10 host 20.20.20.20.

Then the new ACL with new IP allowed will show up in line number 16?

Thanks

MAhesh

Re: Line numder in ACL

Jouni Forss — Wed, 24 Apr 2013 18:17:38 GMT

Hi,

If you want to add a new ACE to the ACL to line 16 then you will insert it in line 16.

This WONT remove the previous line 16 rule. It will move that rule one line further which would mean line 17.

Take this example from my ASA

I created the following ACL

ASA(config)# sh access-list EXAMPLE

access-list EXAMPLE; 21 elements; name hash: 0xdf5404f2

access-list EXAMPLE line 1 extended permit ip host 10.0.0.100 any (hitcnt=0) 0x80cf5155

access-list EXAMPLE line 2 extended permit ip host 10.0.0.101 any (hitcnt=0) 0x17dfe659

access-list EXAMPLE line 3 extended permit ip host 10.0.0.102 any (hitcnt=0) 0x2946abad

access-list EXAMPLE line 4 extended permit ip host 10.0.0.103 any (hitcnt=0) 0x569a394a

access-list EXAMPLE line 5 extended permit ip host 10.0.0.104 any (hitcnt=0) 0x034dbc34

access-list EXAMPLE line 6 extended permit ip host 10.0.0.105 any (hitcnt=0) 0x4f8d468f

access-list EXAMPLE line 7 extended permit ip host 10.0.0.106 any (hitcnt=0) 0xb34cc256

access-list EXAMPLE line 8 extended permit ip host 10.0.0.107 any (hitcnt=0) 0x7d5fa818

access-list EXAMPLE line 9 extended permit ip host 10.0.0.108 any (hitcnt=0) 0x1a8d1358

access-list EXAMPLE line 10 extended permit ip host 10.0.0.109 any (hitcnt=0) 0x1244eab3

access-list EXAMPLE line 11 extended permit ip host 10.0.0.110 any (hitcnt=0) 0x29aaf5ba

access-list EXAMPLE line 12 extended permit ip host 10.0.0.111 any (hitcnt=0) 0x44555dea

access-list EXAMPLE line 13 extended permit ip host 10.0.0.112 any (hitcnt=0) 0x5187082b

access-list EXAMPLE line 14 extended permit ip host 10.0.0.113 any (hitcnt=0) 0xd86254f1

access-list EXAMPLE line 15 extended permit ip host 10.0.0.114 any (hitcnt=0) 0x52a4cecf

access-list EXAMPLE line 16 extended permit ip host 10.0.0.115 any (hitcnt=0) 0xcabb431e

access-list EXAMPLE line 17 extended permit ip host 10.0.0.116 any (hitcnt=0) 0xe24f375a

access-list EXAMPLE line 18 extended permit ip host 10.0.0.117 any (hitcnt=0) 0x1f2484a3

access-list EXAMPLE line 19 extended permit ip host 10.0.0.118 any (hitcnt=0) 0x8381ee37

access-list EXAMPLE line 20 extended permit ip host 10.0.0.119 any (hitcnt=0) 0xbd711724

access-list EXAMPLE line 21 extended permit ip host 10.0.0.120 any (hitcnt=0) 0x18deed92

Now I want to add a new ACE to the line 16 of that ACL

I enter the following command

ASA(config)# access-list EXAMPLE line 16 permit ip host 10.0.0.254 any

Now I check what the same ACL looks like

ASA(config)# sh access-list EXAMPLE

access-list EXAMPLE; 22 elements; name hash: 0xdf5404f2