07-29-2010 03:28 AM - edited 03-11-2019 11:17 AM
Hi all,
I am having difficulty finding the commands to enable me to resequence an access-list on an ASA 5550. My access list now looks like this:
access-list Outside_access_in line 1 extended permit udp *********
access-list Outside_access_in line 1 extended permit udp *********
access-list Outside_access_in line 1 extended permit udp *********
access-list Outside_access_in line 2 extended permit tcp *********
access-list Outside_access_in line 2 extended permit tcp *********
access-list Outside_access_in line 2 extended permit tcp *********
access-list Outside_access_in line 3 extended permit ip *********
access-list Outside_access_in line 3 extended permit ip *********
access-list Outside_access_in line 3 extended permit ip *********
access-list Outside_access_in line 4 extended permit ip *********
access-list Outside_access_in line 5 extended permit udp *********
access-list Outside_access_in line 6 extended permit udp *********
access-list Outside_access_in line 7 extended permit udp *********
access-list Outside_access_in line 8 extended permit ip *********
access-list Outside_access_in line 9 extended permit ip *********
access-list Outside_access_in line 10 extended permit udp *********
access-list Outside_access_in line 11 extended permit icmp *********
access-list Outside_access_in line 12 extended deny ip any any (hitcnt=319552) 0xd80e9958
Can anyone help me with this?
Many Thanks
Mark
07-29-2010 04:22 AM
What do you mean by resequence the ACL?
Here is what you can actually do: for example, if you would like to move line 10 to line 2, you would do the following:
no access-list Outside_access_in line 10 extended permit udp *********
access-list Outside_access_in line 2 extended permit udp *********
Basically, it will remove line 10, and slot the line 10 that you just removed into line 2. Unfortunately you have to remove that line of the ACL and configure it back on the line number that you wish. There is no moving from line# blah to line# blah feature, unfortunately.
Hope that helps.
07-29-2010 04:35 AM
Hi Halijenn,
On the router platform you can issue the command ip access-list resequence access-list Outside_access_in and the access-list is resequenced line 10, 20, 30 etc., without manually moving all of the statements. I was hoping there would be a similar command on the ASA platform to save any "finger trouble".
Many Thanks
Cheers
Mark
07-29-2010 04:57 AM
Unfortunately there is no resequence feature on ASA.
07-29-2010 05:06 AM
Hi Halijenn,
Many Thanks, I will manually do this. Thanks for your assistance.
Kind Regards
Mark
02-16-2016 05:25 AM
Just type the command you want; it will overwrite it and shunt the rest down the sequence.
So the ACL reads:
access-list OUT line 1 extended permit tcp any any
access-list OUT line 2 extended permit icmp any any
access-list OUT line 3 extended permit udp any any
Write the line:
conf t
access-list OUT line 1 extended deny ip any any
It will insert, and put the rest down.
access-list OUT line 1 extended deny ip any any (hitcnt=0) 0x05e95084
access-list OUT line 2 extended permit tcp any any (hitcnt=435134) 0xa4336395
access-list OUT line 3 extended permit icmp any any (hitcnt=985912) 0x754589b8
access-list OUT line 4 extended permit udp any any (hitcnt=196421) 0x4e49d000
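Both answers above rest on the same two primitives: "access-list NAME line N <ace>" inserts at position N and pushes the existing entries from N onward down, and "no access-list NAME line N <ace>" removes an entry so the ones below it move up. The Python below is an added example (mine, not Cisco's tooling and not code from anyone in this thread) that models exactly those semantics as the two posts describe them, parses the "show access-list" lines quoted in the 2016 post (dropping the hitcnt and hash, which are runtime statistics and must not be typed back in), and generates the remove/re-add command sequence needed to reach a wanted order, which is the manual "finger trouble" the original question hoped to avoid. Assumptions: the insert and remove behaviour is taken from the answers, not verified against Cisco documentation; one ACE per line number (output like the original post's, where several expanded entries share a line number, is rejected rather than modeled); and the commands are returned as strings for review, never sent to a device.

```python
import re
from typing import List

# Shape of the 'show access-list' lines quoted in this thread. The trailing
# "(hitcnt=N) 0x<hash>" is runtime statistics, not configuration, so it is
# stripped before an ACE is reused in a "no access-list ..." command.
_SHOW_LINE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) (?P<ace>.*?)"
    r"(?: \(hitcnt=\d+\))?(?: 0x[0-9a-fA-F]+)?$"
)


class AsaAcl:
    """Ordered ACE strings for one ACL; list index 0 is 'line 1'.

    Assumed semantics (from the two answers in this thread, not Cisco docs):
    inserting at line N pushes entries N.. down by one; removing line N moves
    the entries below it up by one. One ACE per line number is assumed.
    """

    def __init__(self, name: str, aces: List[str]) -> None:
        self.name = name
        self.aces = list(aces)

    @classmethod
    def from_show(cls, lines: List[str]) -> "AsaAcl":
        """Build an AsaAcl from 'show access-list NAME' output lines."""
        name, aces = None, []
        for raw in lines:
            m = _SHOW_LINE.match(raw.strip())
            if not m:
                continue  # header, blank or unrelated line
            if name is None:
                name = m.group("name")
            elif m.group("name") != name:
                raise ValueError("output mixes more than one ACL")
            if int(m.group("line")) != len(aces) + 1:
                raise ValueError(f"non-sequential line number in: {raw!r}")
            aces.append(m.group("ace"))
        if name is None:
            raise ValueError("no access-list lines found")
        return cls(name, aces)

    def show(self) -> List[str]:
        """Render the ACL as it would appear in the running config."""
        return [f"access-list {self.name} line {i} {ace}"
                for i, ace in enumerate(self.aces, start=1)]

    def insert(self, line: int, ace: str) -> str:
        """Insert at 1-based line, shifting later entries down; return the CLI."""
        if not 1 <= line <= len(self.aces) + 1:
            raise ValueError(f"line {line} out of range for {len(self.aces)} entries")
        self.aces.insert(line - 1, ace)
        return f"access-list {self.name} line {line} {ace}"

    def remove(self, line: int) -> str:
        """Remove the 1-based line (later entries move up); return the CLI."""
        if not 1 <= line <= len(self.aces):
            raise ValueError(f"line {line} out of range for {len(self.aces)} entries")
        ace = self.aces.pop(line - 1)
        return f"no access-list {self.name} line {line} {ace}"

    def move(self, src: int, dst: int) -> List[str]:
        """The remove-then-re-add recipe from the accepted answer, as two commands."""
        ace = self.aces[src - 1]
        return [self.remove(src), self.insert(dst, ace)]


def reorder_commands(acl: AsaAcl, desired: List[str]) -> List[str]:
    """Return the commands that turn acl's current order into 'desired'.

    Settles positions top to bottom with move(); settled positions are never
    disturbed because every later move has src and dst below them. The
    sequence is correct, not necessarily the shortest possible.
    """
    if sorted(desired) != sorted(acl.aces):
        raise ValueError("desired order must contain exactly the existing ACEs")
    cmds: List[str] = []
    for pos, ace in enumerate(desired, start=1):
        cur = acl.aces.index(ace, pos - 1) + 1  # search only the unsettled tail
        if cur != pos:
            cmds.extend(acl.move(cur, pos))
    return cmds


# Constructed sample: the ACL state shown at the end of the 2016 post.
SAMPLE_SHOW = [
    "access-list OUT line 1 extended deny ip any any (hitcnt=0) 0x05e95084",
    "access-list OUT line 2 extended permit tcp any any (hitcnt=435134) 0xa4336395",
    "access-list OUT line 3 extended permit icmp any any (hitcnt=985912) 0x754589b8",
    "access-list OUT line 4 extended permit udp any any (hitcnt=196421) 0x4e49d000",
]


def fix_deny_at_top() -> List[str]:
    """Worked case: the deny-all landed on line 1 and has to become the last line."""
    acl = AsaAcl.from_show(SAMPLE_SHOW)
    wanted = acl.aces[1:] + acl.aces[:1]  # every permit first, deny last
    return reorder_commands(acl, wanted) + ["!"] + acl.show()


if __name__ == "__main__":
    print("\n".join(fix_deny_at_top()))
```

Review the emitted commands before pasting them into "conf t": the ACE text after "no access-list ... line N" must match the entry on that line exactly, and because every command renumbers the lines below it, the commands only produce the intended order when entered in the order returned.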