Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4689
Views
0
Helpful
4
Replies

ASA removing ACL lines

Steven Williams
Level 4
Level 4

‎09-25-2017 05:22 AM - edited ‎02-21-2020 06:21 AM

So I am in this dilema where the person before me configured our internet ASA using all ASDM, so its hard to figure out what is what in the CLI since all I see is DM_INLINE_blah.

 

for example:

 

access-list INSIDE_access_in line 15 extended permit object-group DM_INLINE_SERVICE_6 object-group DM_INLINE_NETWORK_9 any log informational interval 300 0x0aef5baa
access-list INSIDE_access_in line 15 extended permit tcp 10.0.0.0 255.0.0.0 any eq 1935 log informational interval 300 (hitcnt=2013) 0x8fb5bf4b
access-list INSIDE_access_in line 15 extended permit tcp ALL_172.16 255.255.0.0 any eq 1935 log informational interval 300 (hitcnt=0) 0x4f0c2f97
access-list INSIDE_access_in line 15 extended permit tcp ALL_172.26 255.255.0.0 any eq 1935 log informational interval 300 (hitcnt=0) 0x6e98f459
access-list INSIDE_access_in line 15 extended permit tcp 192.168.0.0 255.255.0.0 any eq 1935 log informational interval 300 (hitcnt=0) 0xb2262918

 

As you can see some lines do not have hit counts and I want to remove them. Can I do this line by line or is going to mess something up?

 

Can I do a "no  access-list INSIDE_access_in line 15 extended permit tcp 192.168.0.0 255.255.0.0 any eq 1935"and have it take out that one line only?

 

Oh to make it better this is Code 8.2  :)

Labels:
0 Helpful
4 Replies 4

Spooster IT Services
Level 7
Level 7

‎09-25-2017 06:30 AM

Hi Steven,

 

Run the following command to check which subnets are there in the object-group: 

show run object-group id DM_INLINE_NETWORK_9

 

Then remove those are not required as below:

 

object-group network DM_INLINE_NETWORK_9

 no network-object 192.168.0.0 255.255.0.0

 

"no" in front of network-object will remove subnet from the object, so in this way the ACL line will also be removed.

Spooster IT Services Team
0 Helpful

Steven Williams
Level 4
Level 4
In response to Spooster IT Services

‎09-25-2017 06:59 AM

The issue with removing the network object is that the acl has multiple ports tied to it. So while 192.168.0.0 255.255.0.0 may not be using port 80 its using port 1433 in the same ACE.
0 Helpful

Spooster IT Services
Level 7
Level 7
In response to Steven Williams

‎09-25-2017 07:02 AM

Hi Steven,

 

In this case you need to create multiple object-group for ports and define accordingly.

But there is no way to delete a single ACE without removing subnet from object group.

Spooster IT Services Team
0 Helpful

Steven Williams
Level 4
Level 4
In response to Spooster IT Services

‎09-25-2017 07:04 AM

I figured as much. This is why you don't use ASDM for all your firewall configuration.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card