topic Re: Managing ACE line numbers manually in Network Security https://community.cisco.com/t5/network-security/managing-ace-line-numbers-manually/m-p/2090684#M392545 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>To my understanding in Cisco firewalls line numbers are a continuous value for example from 1 - 7. There is no situation where there is line 1 and line 7 only. Only situation where you need to use line number is when you want to add something in between the existing rules and not at the bottom of them rules.</P><P></P><P> Depending on how your ACL / rules are built you might end up entering every ACE on a certain line since you might have some manually configured deny statement in the ACL.</P><P></P><P>On the Cisco routers however there is possibility to do what you are talking about in your post. In the router extended ACLs its possibility to use the sequence number to make one rule of very high value and one very low value without having something in between them</P><P></P><P>So to my knowledge this is not possible in the PIX / FWSM / ASA.</P><P></P><P>You simply need to check where you enter the new rule to keep the ACL in working order.</P><P></P><P>Heres a quote from the command reference (ASA 8.4) (same applies to FWSM)</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P><STRONG>line line-num </STRONG></P><P></P><P>(Optional) Specifies the line number at which to insert the ACE. If you do</P><P>not specify a line number, the ACE is added to the end of the access list.</P><P><STRONG>The line number is not saved in the configuration; it only specifies where</STRONG></P><P><STRONG>to insert the ACE.</STRONG></P></PRE><P></P><P>- Jouni</P></BODY></HTML> Sat, 19 Jan 2013 18:12:19 GMT Jouni Forss 2013-01-19T18:12:19Z Managing ACE line numbers manually https://community.cisco.com/t5/network-security/managing-ace-line-numbers-manually/m-p/2090683#M392542 <P>Hi,</P><P></P><P>Is it possible to manually control ACL ACE line numbers? I have FWSM 4.1(10). It appears that no matter whatever number you give for a new ACE, it is automatically added to the bottom in sequential number 5,6,7...(and not the number you give), unless it is replacing the existing ACE, which in that case pushes the original ACE to the next line number. </P><P></P><P>I want to keep an ACE at the last, with very high number (say 15000) and add new ACEs like 500, 501. Is it possible?</P><P>If it is not possible, what is the best way to make sure that a particular ACE is always at the bottom of an ACL?</P><P></P><P>Thanks much!</P> Tue, 12 Mar 2019 00:49:16 GMT https://community.cisco.com/t5/network-security/managing-ace-line-numbers-manually/m-p/2090683#M392542 S891 2019-03-12T00:49:16Z Re: Managing ACE line numbers manually https://community.cisco.com/t5/network-security/managing-ace-line-numbers-manually/m-p/2090684#M392545 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>To my understanding in Cisco firewalls line numbers are a continuous value for example from 1 - 7. There is no situation where there is line 1 and line 7 only. Only situation where you need to use line number is when you want to add something in between the existing rules and not at the bottom of them rules.</P><P></P><P> Depending on how your ACL / rules are built you might end up entering every ACE on a certain line since you might have some manually configured deny statement in the ACL.</P><P></P><P>On the Cisco routers however there is possibility to do what you are talking about in your post. In the router extended ACLs its possibility to use the sequence number to make one rule of very high value and one very low value without having something in between them</P><P></P><P>So to my knowledge this is not possible in the PIX / FWSM / ASA.</P><P></P><P>You simply need to check where you enter the new rule to keep the ACL in working order.</P><P></P><P>Heres a quote from the command reference (ASA 8.4) (same applies to FWSM)</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P><STRONG>line line-num </STRONG></P><P></P><P>(Optional) Specifies the line number at which to insert the ACE. If you do</P><P>not specify a line number, the ACE is added to the end of the access list.</P><P><STRONG>The line number is not saved in the configuration; it only specifies where</STRONG></P><P><STRONG>to insert the ACE.</STRONG></P></PRE><P></P><P>- Jouni</P></BODY></HTML> Sat, 19 Jan 2013 18:12:19 GMT https://community.cisco.com/t5/network-security/managing-ace-line-numbers-manually/m-p/2090684#M392545 Jouni Forss 2013-01-19T18:12:19Z