Best way to apply a new ACL to an interface that has a ACL already applied

djl7780
Level 1

Hello All:

I am in the process of cleaning up an ASA 5510 that I have inherited and have a question about applying a new ACL to an interface that is working correctly now with another ACL. The main purpose is that I want to change the name of the ACL and clean it up a bit. Also, would making this change cause an outage of more than a few minutes?

For example let's say I have the access group below:

access-group dmzif2 in interface dmz

With an ACL:

access-list dmzif2 extended permit tcp host 10.73.95.200 host 10.73.77.41 eq smtp
access-list dmzif2 extended permit tcp object obj-10.73.95.0 host 10.73.77.42 eq domain

I want the new one to be:

access-group DMZIF_IN in interface dmz

with ACL:

access-list DMZIF_IN extended permit tcp host 10.73.95.200 host 10.73.77.41 eq smtp
access-list DMZIF_IN extended permit tcp object obj-10.73.95.0 host 10.73.77.42 eq domain

Can I just add the new ACL's entries and issue this statement?

access-group DMZIF_IN in interface dmz

Any help is greatly appreciated!

Dustin

6 Replies

Mark Jensen
Level 1

Create the new ACL, then remove the old acl group statement from the interface and apply the new one, save it and you are in business fast.

Thank you for the reply. So once the new ACL is created and added, would these be the correct commands? (Sorry, this is in production and I don't want to screw it up.)

So add these lines:

access-list DMZIF_IN extended permit tcp host 10.73.95.200 host 10.73.77.41 eq smtp
access-list DMZIF_IN extended permit tcp object obj-10.73.95.0 host 10.73.77.42 eq domain

Then run:

no access-group dmzif2 in interface dmz

and then run:

access-group DMZIF_IN in interface dmz

and all should be good to go? Also, after that how do I remove the old ACLs? With "no" in front of each line, or is there a command to clear all in bulk?

thanks again for the help!


You can clear them with "clear configure access-list <acl_name>"


jumora
Level 7

Man, you are just changing the name, I don't see any improvement, but then again:

I did this in the lab; it will replace the access-group:

CHECK-THE-CHECKOUT(config)# access-list 100 permit icmp any any
CHECK-THE-CHECKOUT(config)# access-group 100 in interface outside
CHECK-THE-CHECKOUT(config)#
CHECK-THE-CHECKOUT(config)#
CHECK-THE-CHECKOUT(config)# access-list 199 permit icmp any any
CHECK-THE-CHECKOUT(config)# access-group 199 in interface outside
CHECK-THE-CHECKOUT(config)# show run access-g
access-group 199 in interface outside


I am also making adds/deletes as well as changing the names. There are a ton of ACLs that are no longer used, so I figured I would just start fresh. Thanks for the help!
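A pre-flight check for the rename procedure discussed in this thread, added here as an example and not code from the original post or from Cisco: it parses the old and new access-list lines, confirms the new ACL carries the same entries in the same order (ASA ACLs are first-match, so order changes can silently alter what is permitted), and only then emits the cut-over commands quoted above. The ACL names, interface name and sample lines are the ones from the question; the functions are hypothetical helpers.

```python
"""Verify a renamed ASA ACL matches the original before swapping the access-group."""
import re

# Constructed sample input (the lines from the question), not pulled from a device.
OLD_ACL = """
access-list dmzif2 extended permit tcp host 10.73.95.200 host 10.73.77.41 eq smtp
access-list dmzif2 extended permit tcp object obj-10.73.95.0 host 10.73.77.42 eq domain
"""
NEW_ACL = """
access-list DMZIF_IN extended permit tcp host 10.73.95.200 host 10.73.77.41 eq smtp
access-list DMZIF_IN extended permit tcp object obj-10.73.95.0 host 10.73.77.42 eq domain
"""

# "access-list <name> <rest of ACE>"; ASA ACL names are case-sensitive.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(.*)$")


def parse_acl(text, name):
    """Return the ordered ACE bodies (name stripped, whitespace normalised) for one ACL."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == name:
            aces.append(" ".join(m.group(2).split()))
    return aces


def diff_acls(old_text, old_name, new_text, new_name):
    """Positional diff of two ACLs: list of (line_no, old_ace, new_ace) where they differ.

    Comparison is by position, not by set membership, because ASA evaluates ACEs
    top-down and stops at the first match; a reordered copy is not equivalent.
    """
    old, new = parse_acl(old_text, old_name), parse_acl(new_text, new_name)
    diffs = []
    for i in range(max(len(old), len(new))):
        o = old[i] if i < len(old) else None
        n = new[i] if i < len(new) else None
        if o != n:
            diffs.append((i + 1, o, n))
    return diffs


def cutover_commands(old_name, new_name, iface, direction="in"):
    """Commands to rebind the interface to the new ACL, then purge the old one."""
    return [
        f"no access-group {old_name} {direction} interface {iface}",
        f"access-group {new_name} {direction} interface {iface}",
        f"clear configure access-list {old_name}",
    ]
```

Run the diff first and only generate the cut-over commands when it returns an empty list; a stray extra or missing entry shows up with its line number.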
