cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
237
Views
5
Helpful
9
Replies
Beginner

Cisco ASA ACL Rule-Reordering.

Good Morning Team, I am supporting the client with Network Security and we have ongoing project with Cisco ACL rule re-ordering across the environment and I understand that in order to change the line number - we must have to remove the ACL and add the new one with updated line number, however I have a question regarding that - if we remove and add the same ACL with updated line number immediately - does the traffic impacted during the change? I am curious if connection table helps and traffic won't impact for fraction of second? Your input is highly appreciated. Thanks Again! Regards!
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
VIP Advisor

Re: Cisco ASA ACL Rule-Reordering.

On active connections, they won't be impacted because they don't go through
ACL check (they use fastpath).

For new connections, they will fail for that small glitch. If you are
pasting both line immediately then I don't see an issue with this.

For precautions, get line 1 ACL configured for your access and don't touch
so that you never lose connectivity.

***** please remember to rate useful posts

View solution in original post

9 REPLIES 9
Highlighted
VIP Advisor

Re: Cisco ASA ACL Rule-Reordering.

On active connections, they won't be impacted because they don't go through
ACL check (they use fastpath).

For new connections, they will fail for that small glitch. If you are
pasting both line immediately then I don't see an issue with this.

For precautions, get line 1 ACL configured for your access and don't touch
so that you never lose connectivity.

***** please remember to rate useful posts

View solution in original post

Highlighted
Beginner

Re: Cisco ASA ACL Rule-Reordering.

Hi Mohammed, Thank you so much for fast and prompt response! I agree and assumed it should not impact but again thanks for the confirmation, though I would like to get more understanding on the precaution you have suggested. My understanding is that we can't add the same ACL with line 1 without deleting the existing one. Can you please help me out to elaborate this? Also, if cisco has any document which I can refer that would be awesome. Regards!
Highlighted
Beginner

Re: Cisco ASA ACL Rule-Reordering.

you'll enter config like this (paste both at the same time):
no access-list ABC any any
access-list ABC line <no.> any any
Highlighted
VIP Advocate

Re: Cisco ASA ACL Rule-Reordering.

Why are you thinking of removing an ACL entry and then adding a new one?  Is there a specific reason why you need to remove an entry first? Why not just add the updated entry and once that is confirmed to work, remove the old entry?  

Also, you do not need to remove an ACL entry you could just insert an entry to a specific line and the entries below will renumber themselves.

example:

access-list inside_access_in line 9 permit ip host 1.2.3.4 host 4.3.2.1

--
Please remember to select a correct answer and rate helpful posts
Highlighted
Beginner

Re: Cisco ASA ACL Rule-Reordering.

As I mentioned that in our environment we are working on the rule re-ordering project in order to get the hits to teh actual ACL rather than the widely open access.

See the below example in which I actually wanted that ACL to move to the line 3, and let me know if there is a way to do it without removing.

Example:
access-list inside_acl line 9 permit tcp object-group Company_Network host 10.10.10.10

I would like to move this line to line 3, is there a way to do without deleting?
Highlighted
VIP Advocate

Re: Cisco ASA ACL Rule-Reordering.

You can do this in CLI or in ASDM without deleting the command.  Easiest would be in ASDM where you just select the rule you want to move up and there are up and down arrows at the top of the ASDM page, just click the up arrow until the rule is located at the line you want it to be at.

 

In the CLI you would need to add the rule to line 3 and then delete the duplicate rule, as follows.

access-list inside_acl line 3 permit tcp object-group Company_Network host 10.10.10.10 

no access-list inside_acl line 9 permit tcp object-group Company_Network host 10.10.10.10

 

 

 

--
Please remember to select a correct answer and rate helpful posts
Highlighted
Beginner

Re: Cisco ASA ACL Rule-Reordering.

We're not allowing ASDM and so in CLI, I don't think we can add the same ACL with different line number before deleting the existing one as you mentioned. Please clarify if I am misunderstanding anything.
Highlighted
VIP Advocate

Re: Cisco ASA ACL Rule-Reordering.

You are misunderstanding.  You can add any ACE even if they overlap without getting an error.  You can easily do this in CLI without having any downtime.

--
Please remember to select a correct answer and rate helpful posts
Highlighted
VIP Advisor

Re: Cisco ASA ACL Rule-Reordering.

You can add line 1 acl and it will automatically push all other acls down by 1. It won't delete or override other acls. 

 

**** please remember to rate useful posts 

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here