Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
474
Views
0
Helpful
3
Replies

ASA Firepower - ACL line manupulation

Go to solution
oscardenizjensen
Level 1
Level 1

‎01-02-2024 01:02 AM

Hej
I was wondering if there is a way to move a line in ACL to another line without removing it first? For example move line 3 to line 2 without deleting it first?

fw01-tgl-cph(config)# show access-list TEST
access-list TEST; 2 elements; name hash: 0xd37fdb2b
access-list TEST line 1 remark TEST
access-list TEST line 2 extended deny ip any any (hitcnt=0) 0xa887db65
access-list TEST line 3 extended permit ip host 172.16.1.1 any (hitcnt=0) 0x2546ce33

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
sadks
Cisco Employee
Cisco Employee

‎01-02-2024 01:32 AM

Hi,

You can't move an existing ACE to another line as you will get the following error:

ASA(config)# access-list TEST line 2 permit ip host 172.16.1.1 any
WARNING: <TEST> found duplicate element
access-list TEST line 2 permit ip host 172.16.1.1 any

So you will have to delete the ACE and then add to the line you want:

ASA(config)# no access-list TEST line 4 extended permit ip host 172.16.1.1 any
ASA(config)# access-list TEST line 1 permit ip host 172.16.1.1 any


ASA# sh access-list
access-list TEST; 3 elements; name hash: 0xd37fdb2b
access-list TEST line 1 extended permit ip host 172.16.1.1 any (hitcnt=0) 0x2546ce33
access-list TEST line 2 remark TEST
access-list TEST line 3 extended deny ip any any (hitcnt=0) 0xa887db65

Hope the above helps.

 

 

 

 

View solution in original post

0 Helpful
3 Replies 3

Go to solution
sadks
Cisco Employee
Cisco Employee

‎01-02-2024 01:32 AM

Hi,

You can't move an existing ACE to another line as you will get the following error:

ASA(config)# access-list TEST line 2 permit ip host 172.16.1.1 any
WARNING: <TEST> found duplicate element
access-list TEST line 2 permit ip host 172.16.1.1 any

So you will have to delete the ACE and then add to the line you want:

ASA(config)# no access-list TEST line 4 extended permit ip host 172.16.1.1 any
ASA(config)# access-list TEST line 1 permit ip host 172.16.1.1 any


ASA# sh access-list
access-list TEST; 3 elements; name hash: 0xd37fdb2b
access-list TEST line 1 extended permit ip host 172.16.1.1 any (hitcnt=0) 0x2546ce33
access-list TEST line 2 remark TEST
access-list TEST line 3 extended deny ip any any (hitcnt=0) 0xa887db65

Hope the above helps.

 

 

 

 

0 Helpful

Go to solution
oscardenizjensen
Level 1
Level 1
In response to sadks

‎01-02-2024 01:40 AM

Thanks. That was the error I was getting, and did it the way you suggested. I would just prefer if there was a way to move the lines without deleting.

0 Helpful

Go to solution
sadks
Cisco Employee
Cisco Employee

‎01-02-2024 01:48 AM

Hi,

I completely understand but unfortunately, the reason for this is that we don't want duplicate entries on the ACL which can cause an issue in the future. You can however insert a completely new entry in between or after deleting the same entry.

 

 

 

 

 

 

 

 

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card