https://community.cisco.com/t5/network-security/questions-about-acls-in-asa/m-p/1924710#M457988 <HTML><HEAD></HEAD><BODY><P>Hello Malikyouns,</P><P></P><P>Thanks for your feedback.</P><P>It is very helpful.</P><P></P><P>Many thanks.</P></BODY></HTML> Mon, 19 Mar 2012 12:49:44 GMT nevereturn 2012-03-19T12:49:44Z https://community.cisco.com/t5/network-security/questions-about-acls-in-asa/m-p/1924703#M457979 <P>I have 2 two questions:</P><P></P><P>The first question:<BR />I have make an ACL entry inactive for test. For example I setup an ACL: </P><P>access-list out-in extended permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet</P><P>access-list out-in extended permit tcp host 2.2.2.2 host 1.1.1.1 eq www</P><P>Then, I disable the ACL entry about the telnet one:</P><P>access-list out-in extended permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet inactive </P><P></P><P>Now, how can I re-activate the entry about the telnet one without removing and re-write the ACL?</P><P></P><P>The second question:</P><P>Can I edit the specific ACL entry like router? In this case, how can I edit the entry about telnet. such as change the source IP and destination IP?</P><P></P><P>Thanks in advance!</P> Mon, 11 Mar 2019 22:43:58 GMT https://community.cisco.com/t5/network-security/questions-about-acls-in-asa/m-p/1924703#M457979 nevereturn 2019-03-11T22:43:58Z https://community.cisco.com/t5/network-security/questions-about-acls-in-asa/m-p/1924704#M457980 <HTML><HEAD></HEAD><BODY><P>1. you just need to enter the same command without 'inactive' at the end of it, do 'sh access-list' and get an idea of line number</P><P></P><P><STRONG>access-list out-in line XX extended permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet</STRONG></P><P></P><P>2. Enter the command 'sh access-list', it will show all the active ACLs and the line number along with it, you will have to remove that line entry and re-add it, so say for example if you want to remove line from the following</P><P></P><P>ASA1# sh access-list</P><P>access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; alert-interval 300</P><P>access-list inside_in; 2 elements; name hash: 0xd3a8690b</P><P>access-list inside_in line 1 extended permit ip any any (hitcnt=0) 0xb80bc887</P><P>access-list inside_in line 2 extended permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet (hitcnt=0) 0x7bf0c01d</P><P></P><P></P><P>you can</P><P></P><P>config t</P><P>no access-list inside_in line 2 extended permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet</P><P>access-list inside_in line 2 extended permit tcp host <CHANGE ip=""> host <CHANGE ip=""> eq telnet</CHANGE></CHANGE></P></BODY></HTML> Mon, 19 Mar 2012 10:09:57 GMT https://community.cisco.com/t5/network-security/questions-about-acls-in-asa/m-p/1924704#M457980 malikyounas 2012-03-19T10:09:57Z https://community.cisco.com/t5/network-security/questions-about-acls-in-asa/m-p/1924705#M457981 <HTML><HEAD></HEAD><BODY><P>I've tested it. </P><P>The information you provided is very helpful.</P><P></P><P>Thanks very much!</P></BODY></HTML> Mon, 19 Mar 2012 10:37:09 GMT https://community.cisco.com/t5/network-security/questions-about-acls-in-asa/m-p/1924705#M457981 nevereturn 2012-03-19T10:37:09Z https://community.cisco.com/t5/network-security/questions-about-acls-in-asa/m-p/1924706#M457983 <HTML><HEAD></HEAD><BODY><P>Hello Malikyounas,</P><P></P><P>Sorry for another question:</P><P>I found 2 parameters after access-list <EM>name</EM>: Extended and Standard. <BR />I noticed that if I didn't define this parameter and just write the source IP, Dest IP, Protocl and so on, when I use "show access-list", it shows as an extended ACL.</P><P>So, if I don't define Extended or Standard, it will be an extended ACL by default? Or, it is related to different software version of ASA? </P><P></P><P>Thanks in advance.</P></BODY></HTML> Mon, 19 Mar 2012 11:07:56 GMT https://community.cisco.com/t5/network-security/questions-about-acls-in-asa/m-p/1924706#M457983 nevereturn 2012-03-19T11:07:56Z https://community.cisco.com/t5/network-security/questions-about-acls-in-asa/m-p/1924707#M457985 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>Its better defined in this cisco doc where it says you cant use standard ACL as it only identifies the destination IP address which you can suppose is not enough for FW</P><H2 style="font-size: 15px; color: #336666; font-family: Arial, Helvetica, sans-serif; margin-bottom: 7px; margin-left: -0.1in; margin-right: 0em; margin-top: 14px; background-color: #ffffff;">Information About Standard Access Lists</H2><P> <A name="wp1077429" style="color: #000000; font-family: Arial, Helvetica, sans-serif; background-color: #ffffff;"></A></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin-bottom: 6px; margin-left: 0em; margin-right: 0em; margin-top: 1px; background-color: #ffffff;">Standard access lists identify the destination IP addresses of OSPF routes and can be used in a route map for OSPF redistribution. <STRONG>Standard access lists cannot be applied to interfaces to control traffic.</STRONG></P><P></P><P></P><P><A href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_standard.html#wp1074591">http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_standard.html#wp1074591</A></P></BODY></HTML> Mon, 19 Mar 2012 11:18:07 GMT https://community.cisco.com/t5/network-security/questions-about-acls-in-asa/m-p/1924707#M457985 malikyounas 2012-03-19T11:18:07Z https://community.cisco.com/t5/network-security/questions-about-acls-in-asa/m-p/1924708#M457986 <HTML><HEAD></HEAD><BODY><P>Hello malikyounas,</P><P></P><P>Thanks for the reply. Your information about standard ACLs is very helpful.</P><P>What I want to know is <STRONG>if I don't define Extended or Standard, it will be an extended ACL by default</STRONG>?</P><P></P><P>Thanks in advance.</P></BODY></HTML> Mon, 19 Mar 2012 11:50:43 GMT https://community.cisco.com/t5/network-security/questions-about-acls-in-asa/m-p/1924708#M457986 nevereturn 2012-03-19T11:50:43Z https://community.cisco.com/t5/network-security/questions-about-acls-in-asa/m-p/1924709#M457987 <HTML><HEAD></HEAD><BODY><P>it will depend on what sort of entry you are going to add, if you add just the detiantion IP, ASA will consider as Standard and if you define source and destirnation, ASA will automatically consider this as extended. </P><P></P><P>access-list cisco permit ip host 20.20.20.1 - ASA will default to standard ACL for this</P><P>access-list cisco permit ip any host 20.20.20.1 - ASA will default to Extended ACL for this</P><P></P><P>if you use use show access-list after adding both ACLs above, you will see first one as standard and second as extended.</P></BODY></HTML> Mon, 19 Mar 2012 12:14:54 GMT https://community.cisco.com/t5/network-security/questions-about-acls-in-asa/m-p/1924709#M457987 malikyounas 2012-03-19T12:14:54Z https://community.cisco.com/t5/network-security/questions-about-acls-in-asa/m-p/1924710#M457988 <HTML><HEAD></HEAD><BODY><P>Hello Malikyouns,</P><P></P><P>Thanks for your feedback.</P><P>It is very helpful.</P><P></P><P>Many thanks.</P></BODY></HTML> Mon, 19 Mar 2012 12:49:44 GMT https://community.cisco.com/t5/network-security/questions-about-acls-in-asa/m-p/1924710#M457988 nevereturn 2012-03-19T12:49:44Z