ASA 9.12 how to remove an ACL line

ivanDmi
Level 1

Hi All 

Have just come across an odd problem. Need to remove a couple of lines from an existing ACL; however, there seems to be a limitation of some sort, as there's no option to specify the ACL name. This is ASA 9.12 (same on 9.14, 9.16):

(config)# no access-list ?

configure mode commands/options:
  alert-interval  Specify the alert interval for generating syslog message
                  106001 which alerts that the system has reached a deny flow
                  maximum. If not specified, the default value is 300 sec
  deny-flow-max   Specify the maximum number of concurrent deny flows that can
                  be created. If not specified, the default value is 4096
At the same time, a 9.0 ASA works as expected:

(config)# no access-list ?

configure mode commands/options:
  WORD < 241 char  Access list identifier
  alert-interval   Specify the alert interval for generating syslog message
                   106001 which alerts that the system has reached a deny flow
                   maximum. If not specified, the default value is 300 sec
  deny-flow-max    Specify the maximum number of concurrent deny flows that can
                   be created. If not specified, the default value is 4096
There seem to be no differences in the AAA config; I access both ASAs with privilege level 15.

To make things even more complicated, I can modify ACLs via ASDM, and with the "preview commands" option selected, ASDM seems to generate lines exactly as expected, i.e. "no access-list TEST-ACL extended permit tcp any any eq https".

Thanks!


8 Replies

Try using inactive first, then remove the ACL line.

MHM

I checked in my lab, with and without inactive, and the NAME of the ACL must appear,
so try rebooting the ASA and check again, or use inactive only without removing the ACL.

MHM

Hi MHM, thanks for your reply. "inactive" didn't make a difference, and a reboot unfortunately isn't an option in this environment. However, as suggested in the below response, entering the full "no access-list ..." command blindly works.

Cheers

I'm glad your issue is solved.

And as you mentioned, it can be a cosmetic bug.

Have a nice day friend 

MHM

Did you actually try to type in the whole command, even if it's weirdly not showing you the access list option? Based on the Cisco doc it should still work in the same way on 9.12:

CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.12 - Access Control Lists [Cisco ASA 5500-X Series Firewalls] - Cisco

Hi Aref,

Thanks for your response. 

Typing the full "no access-list ACLNAME parameters" actually worked, and the ACL line gets removed as expected. I thought I tried it and it failed, but perhaps I made a typo then.

Still odd why the WORD option isn't appearing and also autofill is not working when something like this is tried:
asa(config)# no access-list ACLNAME ?
ERROR: % Unrecognized command

Guess a bug dropped in somewhere between 9.0 and 9.12.

Cheers
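As an added example (not from this thread or from Cisco), a small Python helper that builds the `no access-list ...` commands verbatim from captured `show run access-list` output, which sidesteps the retyping mistake mentioned above since the ASA only accepts the `no` form when the ACE is repeated exactly, and then checks a post-change `show run access-list` capture to confirm the lines are really gone. The ACL names and ACEs below are constructed samples, not the poster's configuration.

```python
import re

# Constructed sample of `show run access-list` output (not from a real device).
SHOW_RUN_BEFORE = """\
access-list TEST-ACL extended permit tcp any any eq https
access-list TEST-ACL extended permit tcp any any eq ssh
access-list TEST-ACL extended deny ip any any log
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq 443
"""

# One ACE per line: "access-list <name> <type> <rest>". `show run access-list`
# prints bare config lines (no "line N" prefixes or hit counts), so this is enough.
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) "
    r"(?P<body>(?:extended|standard|webtype|ethertype|remark) .*)$"
)


def parse_aces(show_run: str) -> list[tuple[str, str]]:
    """Return (acl_name, full_line) for every ACE found in the captured output."""
    aces = []
    for raw in show_run.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group("name"), line))
    return aces


def removal_commands(show_run: str, acl_name: str, pattern: str) -> list[str]:
    """Build `no access-list ...` commands for ACEs of acl_name matching pattern.

    The ACE text is copied from the running config rather than retyped, so the
    `no` form matches the configured entry character for character.
    """
    rx = re.compile(pattern)
    return ["no " + line
            for name, line in parse_aces(show_run)
            if name == acl_name and rx.search(line)]


def verify_removed(show_run_after: str, cmds: list[str]) -> list[str]:
    """Return the ACEs from cmds that are still present in the post-change capture.

    An empty list means every targeted line was removed; anything else should be
    treated as a failed change and investigated before the config is saved.
    """
    remaining = {line for _, line in parse_aces(show_run_after)}
    targeted = [c[len("no "):] for c in cmds]
    return [ace for ace in targeted if ace in remaining]
```

Feed the device's own `show run access-list` output into `removal_commands`, paste the returned lines at the `(config)#` prompt, then run `verify_removed` over a fresh capture before issuing `write memory`.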

AHack210
Cisco Employee

Hi,

Try

show run access-list

and see what you actually have on the device.

HTH,

-A

Hi AHack210, thanks for your reply. That I tried and ACLs are present and look completely normal.

Oddly enough, entering the full "no access-list ...." command blindly works as expected though. Gonna have to settle for this.

Cheers
