topic Re: Cannot delete a line from an Access-List in Network Security

Cannot delete a line from an Access-List

Nathan Hawkins — Tue, 12 Mar 2019 01:03:22 GMT

Hello All,

I'm trying to eliminate some hitcount 0 ACLs, and I'm getting the error "Specified access-list does not exist" when I try. Here's the ACL I'm working with:

access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any (hitcnt=0) 0xa75c6fc3

access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any (hitcnt=0) 0x78859c06

access-list acl_DMZ line 1 extended permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0) 0x147dd28d

access-list acl_DMZ line 1 extended permit ip 192.168.254.0 255.255.255.0 any (hitcnt=0) 0x88d63265

access-list acl_DMZ line 2 extended permit icmp any any object-group DefaultICMP (hitcnt=0) 0x35224259

access-list acl_DMZ line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x5295f227

access-list acl_DMZ line 2 extended permit icmp any any unreachable (hitcnt=0) 0x05778545

access-list acl_DMZ line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x84e68958 access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any (hitcnt=0) 0xa75c6fc3
access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any (hitcnt=0) 0x78859c06
access-list acl_DMZ line 1 extended permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0) 0x147dd28d
access-list acl_DMZ line 1 extended permit ip 192.168.254.0 255.255.255.0 any (hitcnt=0) 0x88d63265
access-list acl_DMZ line 2 extended permit icmp any any object-group DefaultICMP (hitcnt=0) 0x35224259
access-list acl_DMZ line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x5295f227
access-list acl_DMZ line 2 extended permit icmp any any unreachable (hitcnt=0) 0x05778545
access-list acl_DMZ line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x84e68958

As a test I'm trying to delete the 2nd line down "access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any" by issuing the command "no access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any". When I try to do so I get the error "Specified access-list does not exist"...

So what do I do to remove that line?

Re: Cannot delete a line from an Access-List

Jouni Forss — Wed, 20 Feb 2013 18:36:54 GMT

Hi,

The actual configuration lines are

access-list acl_DMZ extended permit ip object-group DM_INLINE_NETWORK_3 any

access-list acl_DMZ extended permit icmp any any object-group DefaultICMP

With the command "show access-list acl_DMZ" you get the opened format of the ACL which shows all the addresses/networks under the "object-groups"

So to only remove the line

access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any

You would actually have to do this

object-group networkDM_INLINE_NETWORK_3

no network-object 10.11.12.0 255.255.255.0

Then the single line would be removed. Notice though that if the above mentioned object-group is used in some other ACL rule too then the above network would be removed from there too.

- Jouni

Cannot delete a line from an Access-List

Nathan Hawkins — Wed, 20 Feb 2013 18:59:56 GMT

Well, that doesnt address what I'm trying to do. I'm actually trying to (on a larger scale) remove several hitcount 0 ACLs, and I cannot remove an object from an object group without affecting access on other rules/ACLs. So given the below ACL:

access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any (hitcnt=0) 0xa75c6fc3

access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any (hitcnt=0) 0x78859c06

access-list acl_DMZ line 1 extended permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0) 0x147dd28d

access-list acl_DMZ line 1 extended permit ip 192.168.254.0 255.255.255.0 any (hitcnt=0) 0x88d63265

access-list acl_DMZ line 2 extended permit icmp any any object-group DefaultICMP (hitcnt=0) 0x35224259

access-list acl_DMZ line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x5295f227

access-list acl_DMZ line 2 extended permit icmp any any unreachable (hitcnt=0) 0x05778545

How do I remove select lines from an ACL?

Re: Cannot delete a line from an Access-List

Jouni Forss — Wed, 20 Feb 2013 19:10:45 GMT

Hi,

I think there is no really clear and easy way to remove the rule without also adding something.

When we consider that we have this configuration line

access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any

And that in opened format its shown like this (also noticiable by all of the lines having the same line number)

access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any (hitcnt=0) 0x78859c06

access-list acl_DMZ line 1 extended permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0) 0x147dd28d

access-list acl_DMZ line 1 extended permit ip 192.168.254.0 255.255.255.0 any (hitcnt=0) 0x88d63265

There is no other way of removing the single line from the above other than removing the network-object from under the "object-group". Naturally this might not be possible if the object is used somewhere else also?

The solution in this case would therefore be that you add ACL rules for the above 2 rules you want to still keep (naturally you can add the "line x" to the below configuration)

access-list acl_DMZ permit ip 192.168.1.0 255.255.255.0 any

access-list acl_DMZ permit ip 192.168.254.0 255.255.255.0 any

And finally remove the configuration line

access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any

After this you would be left with the above configured 2 lines (without using the "object-group") and the line you wanted to remove would not be part of the rules anymore.

I dont think there is any other way of doing this since we are talking about an ACL ACE (Access Rule Entry) that uses an "object-group". Naturally for (hitcount=0) rules that dont use "object-group" you can just delete with the "no" parameter in front.

- Jouni

Cannot delete a line from an Access-List

Nathan Hawkins — Wed, 20 Feb 2013 20:03:57 GMT

The above is a test access-list. What I'm really working with is something much larger where there are a few thousand rules with hundreds of thousands of ACE's. What I think I need to do is create ACLs that are the ACEs that are not hitcount 0 and then delete the rule with the hitcount 0 ACE's.