topic Re: How to add new access-list line on Cisco ASA 9.1 in Network Security

How to add new access-list line on Cisco ASA 9.1

santoshkotkar — Fri, 21 Feb 2020 16:38:22 GMT

Hello Cisco Community

We have Cisco ASA ver 9.1 and very big extended access-list for different level of access.

access-list FROM_VLAN18 line 1 remark ------ PLC SHREDDER TO ACCESS VLAN 17 ------
access-list FROM_VLAN18 line 2 extended permit tcp object-group SHREDDER_PLC host 10.0.17.63 (hitcnt=0) 0x8c721786
access-list FROM_VLAN18 line 2 extended permit tcp host 10.0.18.50 host 10.0.17.63 (hitcnt=500) 0x8bf3ecdf
access-list FROM_VLAN18 line 2 extended permit tcp host 10.0.18.51 host 10.0.17.63 (hitcnt=150) 0x3ee92951
access-list FROM_VLAN18 line 2 extended permit tcp host 10.0.18.52 host 10.0.17.63 (hitcnt=50) 0x8250cb8f
access-list FROM_VLAN18 line 2 extended permit tcp host 10.0.18.53 host 10.0.17.63 (hitcnt=700) 0x9f4f3a59
access-list FROM_VLAN18 line 2 extended permit tcp host 10.0.18.54 host 10.0.17.63 (hitcnt=300) 0x4fbc2c93
access-list FROM_VLAN18 line 3 remark ---------- END ----------
access-list FROM_VLAN18 line 4 remark ------ Shredder PLC to LVNCitect1 PMO 5253 ------
access-list FROM_VLAN18 line 5 extended permit ip object shredder_plc object lvn-citect1 (hitcnt=0) 0x9c09638b
access-list FROM_VLAN18 line 5 extended permit ip host 10.0.18.52 host 10.0.17.6 (hitcnt=0) 0x9c09638b
access-list FROM_VLAN18 line 6 remark ---------- END ---------
access-list FROM_VLAN18 line 7 remark ------ 10.0.18.52 TO 10.0.17.105 Marval 577574 ------
access-list FROM_VLAN18 line 8 extended permit tcp object shredder_plc host 10.0.17.105 (hitcnt=0) 0xce7fed6b
access-list FROM_VLAN18 line 8 extended permit tcp host 10.0.18.52 host 10.0.17.105 (hitcnt=0) 0xce7fed6b
access-list FROM_VLAN18 line 9 remark ---------- END ----------
access-list FROM_VLAN18 line 10 remark --------- Meltshop Citect Server corporate interface access Shredder PLC - Marval 927566 --------
access-list FROM_VLAN18 line 11 extended permit tcp object shredder_plc object corp_citect_1 (hitcnt=0) 0xac86937a
access-list FROM_VLAN18 line 11 extended permit tcp host 10.0.18.52 host 10.0.15.18 (hitcnt=0) 0xac86937a
access-list FROM_VLAN18 line 12 remark ---------- END ---------

These line numbers are continues, no gap. I need to add one access line in between, anyone know how to do that ?

Re: How to add new access-list line on Cisco ASA 9.1

Mohammed al Baqari — Tue, 08 Jan 2019 04:49:13 GMT

Just add the line number you want and it will push all other lines down.

for example:

access-list acl-test line 19 permit ip host 1.1.1.1 any
access-list acl-test line 20 permit ip host 2.2.2.2 any

then you can add line 20 which will make old-20 as 21

access-list acl-test line 19 permit ip host 1.1.1.1 any
access-list acl-test line 20 permit ip host 3.3.3.3 any
access-list acl-test line 21 permit ip host 2.2.2.2 any

Re: How to add new access-list line on Cisco ASA 9.1

Kasun Bandara — Tue, 08 Jan 2019 04:53:54 GMT

Hi Santhosh,

option 1 -

you can use normal ACL command with line number. it will add the ACE to mentioned place.

for ex .

ciscoasa(config)# access-list acl_name line 3 deny ip 192.168.1.0 any

this will add a new line to place 3.

option 2 -

you can easily add the ACE with ASDM and move that to relevant place with arrow buttons.

*** Pls rate all useful responses ***
Good Luck

Re: How to add new access-list line on Cisco ASA 9.1

santoshkotkar — Tue, 08 Jan 2019 05:08:00 GMT

Hi Mohammed

Thanks for your reply on query, so just to double check as this is production ASA 🙂

So the new ACE which we are adding will not overwrite on current line, it will push all other lines to next numbers.

Is that correct ?

thanks

Santosh

Re: How to add new access-list line on Cisco ASA 9.1

Mohammed al Baqari — Tue, 08 Jan 2019 05:27:13 GMT

100% correct.

**** Please remember to rate useful posts

Re: How to add new access-list line on Cisco ASA 9.1

santoshkotkar — Tue, 08 Jan 2019 05:32:42 GMT

Thanks for your reply Kasun.

I will go with option 1 as ASDM is not working on that ASA, that's another issues.

Re: How to add new access-list line on Cisco ASA 9.1

Kasun Bandara — Tue, 08 Jan 2019 05:44:25 GMT

Hi,
if you have issues with ASDM setup, use below guide for reference.
http://www.microsolutions.com.lk/configure-cisco-asdm-at-initial-install-cisco-asa-firewall/
*** Pls rate all useful responses ***
Good Luck