https://community.cisco.com/t5/network-security/temporarily-disable-rules/m-p/1334041#M808388 <HTML><HEAD></HEAD><BODY><P>Chris</P><P></P><P>Yes that would work as well, just make sure you get the line numbers correct or you could allow when you mean to deny and vice-versa.</P><P></P><P>Jon</P></BODY></HTML> Wed, 14 Oct 2009 14:42:09 GMT Jon Marshall 2009-10-14T14:42:09Z https://community.cisco.com/t5/network-security/temporarily-disable-rules/m-p/1334038#M808323 <P>What's the best way you have found to temporarily disable certain rules in an ASA config (8.2.1). AFAIK there is no way to comment out a line in an ACL....So if we have a SQL connection that we need to open up from time to time (but are not comfortable leaving open permanently) whats the best way to do this?</P><P></P><P></P> Mon, 11 Mar 2019 16:25:57 GMT https://community.cisco.com/t5/network-security/temporarily-disable-rules/m-p/1334038#M808323 slug420 2019-03-11T16:25:57Z https://community.cisco.com/t5/network-security/temporarily-disable-rules/m-p/1334039#M808341 <HTML><HEAD></HEAD><BODY><P>Chris</P><P></P><P>2 ways that i have used</P><P></P><P>1) have a copy of the acl with a different name in the config and without the SQL line and then simply apply whichever acl you want to use at the time to the relevant interface</P><P></P><P>2) You can specify line numbers in acls so you can do </P><P></P><P>no access-list <ACL-NAME> line <LINE no=""> SQL rule </LINE></ACL-NAME></P><P></P><P>and then when you want to allow it simply add it back in </P><P></P><P>access-list <ACL-NAME> line <LINE no=""> SQL rule</LINE></ACL-NAME></P><P></P><P>Jon</P></BODY></HTML> Wed, 14 Oct 2009 14:05:34 GMT https://community.cisco.com/t5/network-security/temporarily-disable-rules/m-p/1334039#M808341 Jon Marshall 2009-10-14T14:05:34Z https://community.cisco.com/t5/network-security/temporarily-disable-rules/m-p/1334040#M808365 <HTML><HEAD></HEAD><BODY><P>Actually you just gave me another idea....</P><P></P><P>Maybe I will put it in the ACL as line 10 or something and then put the same rule with a deny action as line 9. When I want to use it I remove the deny, and when I am done I re-add the deny (which is simple since im just copying the existing line and changing permit to deny)</P></BODY></HTML> Wed, 14 Oct 2009 14:33:06 GMT https://community.cisco.com/t5/network-security/temporarily-disable-rules/m-p/1334040#M808365 slug420 2009-10-14T14:33:06Z https://community.cisco.com/t5/network-security/temporarily-disable-rules/m-p/1334041#M808388 <HTML><HEAD></HEAD><BODY><P>Chris</P><P></P><P>Yes that would work as well, just make sure you get the line numbers correct or you could allow when you mean to deny and vice-versa.</P><P></P><P>Jon</P></BODY></HTML> Wed, 14 Oct 2009 14:42:09 GMT https://community.cisco.com/t5/network-security/temporarily-disable-rules/m-p/1334041#M808388 Jon Marshall 2009-10-14T14:42:09Z https://community.cisco.com/t5/network-security/temporarily-disable-rules/m-p/1334042#M808409 <HTML><HEAD></HEAD><BODY><P>In 8.x you have the ability to disable certain aces. </P></BODY></HTML> Wed, 14 Oct 2009 16:14:17 GMT https://community.cisco.com/t5/network-security/temporarily-disable-rules/m-p/1334042#M808409 jeromecandiff 2009-10-14T16:14:17Z https://community.cisco.com/t5/network-security/temporarily-disable-rules/m-p/1334043#M808433 <HTML><HEAD></HEAD><BODY><P>how?</P></BODY></HTML> Wed, 14 Oct 2009 16:43:38 GMT https://community.cisco.com/t5/network-security/temporarily-disable-rules/m-p/1334043#M808433 slug420 2009-10-14T16:43:38Z https://community.cisco.com/t5/network-security/temporarily-disable-rules/m-p/1334044#M808452 <HTML><HEAD></HEAD><BODY><P>found it:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1540321" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1540321</A></P><P></P><P>inactive</P><P> </P><P></P><P>(Optional) Disables an ACE. To reenable it, enter the entire ACE without the inactive keyword. This feature lets you keep a record of an inactive ACE in your configuration to make reenabling easier. </P><P></P><P></P><P>cool</P><P></P><P></P></BODY></HTML> Wed, 14 Oct 2009 16:47:23 GMT https://community.cisco.com/t5/network-security/temporarily-disable-rules/m-p/1334044#M808452 slug420 2009-10-14T16:47:23Z