ACL - Inserting New Line Between Existing Lines

Alexander Deems · ‎04-28-2011

I am in the middle of editing a few long ACLs that were created before my time. What I noticed is that when they were orginially created each line was created in intervals of 1. I know that I can copy the ACL out modify each line to be in intervals of 10, but it got me wondering if there was any other way to modify the ACL to add a line in between 3 and 4?

Thank you,

Alex

Maykol Rojas · ‎04-28-2011

Hi,

I think I understand, here is an example:

ciscoasa(config)# access-list 100 permit tcp any any eq 81
ciscoasa(config)# access-list 100 permit tcp any any eq 82
ciscoasa(config)# access-list 100 permit tcp any any eq 84

ciscoasa(config)# sh run access-list 100
access-list 100 extended permit tcp any any eq 81
access-list 100 extended permit tcp any any eq 82
access-list 100 extended permit tcp any any eq 84

Inserting tcp any any eq 83

ciscoasa(config)# access-list 100 line 3 permit tcp any any eq 83

ciscoasa(config)# sh run access-list 100
access-list 100 extended permit tcp any any eq 81
access-list 100 extended permit tcp any any eq 82
access-list 100 extended permit tcp any any eq 83
access-list 100 extended permit tcp any any eq 84

Let me know if thats what you meant.

Mike

Alexander Deems · ‎04-29-2011

No that is not what I am talking about. Let me give you an example.

Here is the current configuration:

ciscoasa(config)# access-list acl_outside line 1 permit tcp any any eq 81

ciscoasa(config)# access-list acl_outside line 2 permit tcp any any eq 82
ciscoasa(config)# access-list acl_outside line 3 permit tcp any any eq 83

I need to enter a new rule in between line 1 and 2 to deny this traffic so it should look like this:

ciscoasa(config)# access-list acl_outside line 1 permit tcp any any eq 81

ciscoasa(config)# access-list acl_outside line 2 deny tcp 10.1.1.0 any eq 81

ciscoasa(config)# access-list acl_outside line 3 permit tcp any any eq 82
ciscoasa(config)# access-list acl_outside line 4 permit tcp any any eq 83

I am wondering if there is a way to do this, but I don't think there is any way to insert the line in between line 1 and 2 without copying the whole ACL out of the configuration, modfiy the line numbering and then go into the ASA and remove the old ACL and add the new ACL.

Thank you,

Alex

Maykol Rojas · ‎04-29-2011

Alex,

The only thing that you need to do is use the line command, if you want to add a line between 1 and 2, you can just put one ACE with the line that you want, for example, you have the following ACL

ciscoasa(config)# access-list acl_outside line 1 permit tcp any any eq 81

ciscoasa(config)# access-list acl_outside line 3 permit tcp any any eq 82
ciscoasa(config)# access-list acl_outside line 4 permit tcp any any eq 83

And you want to enter a new rule in between line 1 and 2 to deny this traffic so it should look like this:

Wha you need to do is just to add the following line

ciscoasa(config)# access-list acl_outside line 2 deny tcp 10.1.1.0 any eq 81

You dont have to re-do all your ACL, that is why you have the option of the line command when creating the ACL, so you can insert them wherever you want on the ACL.

Hope this makes sense.

Cheers.

Mike Rojas

Mike

Alexander Deems · ‎04-29-2011

I know how the line command works, but I am looking at how to add an entry in between two exisiting rules who's line entries are 1 and 2. There is no gap in between 1 and 2. Is there a way to insert a line between lines 1 and 2?

Currently the configuration looks like the below ACL, and I will not be able to add a line in between line 1 and 2.

ciscoasa(config)# access-list acl_outside line 1 permit tcp any any eq 81

ciscoasa(config)# access-list acl_outside line 2 permit tcp any any eq 82
ciscoasa(config)# access-list acl_outside line 3 permit tcp any any eq 83

What I need is for my ACL to look like the below ACL, is there a way to do that without rewriting/copying and pasting the ACL back into the configuration?

ciscoasa(config)# access-list acl_outside line 1 permit tcp any any eq 81

ciscoasa(config)# access-list acl_outside line 2 deny tcp 10.1.1.0 any eq 81

ciscoasa(config)# access-list acl_outside line 3 permit tcp any any eq 82
ciscoasa(config)# access-list acl_outside line 4 permit tcp any any eq 83

Thank you,

Alex

Maykol Rojas · ‎04-29-2011

Alex,

That is what im telling you. I know there is no gap, but you can accomodate the line wherever you want.

If your current ACL looks like this

ciscoasa(config)# access-list acl_outside line 1 permit tcp any any eq 81

ciscoasa(config)# access-list acl_outside line 2 permit tcp any any eq 82
ciscoasa(config)# access-list acl_outside line 3 permit tcp any any eq 83

And you want it to look like this

ciscoasa(config)# access-list acl_outside line 1 permit tcp any any eq 81

ciscoasa(config)# access-list acl_outside line 2 deny tcp 10.1.1.0 any eq 81

ciscoasa(config)# access-list acl_outside line 3 permit tcp any any eq 82
ciscoasa(config)# access-list acl_outside line 4 permit tcp any any eq 83

Without modifying everything, the ONLY line that you need to add is the following

ciscoasa(config)# access-list acl_outside line 2 deny tcp 10.1.1.0 any eq 81

Cheers.

Mike Rojas

Mike

Dina Odeh · ‎07-17-2016

Use ASDM, you can move ACLs wherever you need ;)

More easily than CLI ...

Corey Koellein · ‎07-12-2019

I have seen ASDM corrupt the order of ACLs and the order of Remarks many times over the years. Most frequently, it will append two separate remarks (or more) to a neighboring ACL and leave a remark off of where it used to reside. The "line" parameter does not get commited to the final config that admins can SEE... but it effectively inserts whatever line you make it, at that exact line of the given-named ACL. Wish there was just an "advanced config" mode or something that showed ordered line numbers... but this works.

wissamadra · ‎07-05-2016

Works like a charm....

Thank you

rodanielb · ‎11-26-2015

I know that it's a little bit late, but maybe for other users:

ip access-list resequence

mark ahrens · ‎07-15-2016

resequence doesn't work on an ASA.