Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8303
Views
5
Helpful
9
Replies

Cisco ASA ACL Rule-Reordering.

Go to solution
tpanwala
Level 1
Level 1

‎02-04-2020 08:35 AM - edited ‎02-21-2020 09:53 AM

Good Morning Team, I am supporting the client with Network Security and we have ongoing project with Cisco ACL rule re-ordering across the environment and I understand that in order to change the line number - we must have to remove the ACL and add the new one with updated line number, however I have a question regarding that - if we remove and add the same ACL with updated line number immediately - does the traffic impacted during the change? I am curious if connection table helps and traffic won't impact for fraction of second? Your input is highly appreciated. Thanks Again! Regards!
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎02-04-2020 08:04 PM

On active connections, they won't be impacted because they don't go through
ACL check (they use fastpath).

For new connections, they will fail for that small glitch. If you are
pasting both line immediately then I don't see an issue with this.

For precautions, get line 1 ACL configured for your access and don't touch
so that you never lose connectivity.

***** please remember to rate useful posts

View solution in original post

9 Replies 9

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎02-04-2020 08:04 PM

On active connections, they won't be impacted because they don't go through
ACL check (they use fastpath).

For new connections, they will fail for that small glitch. If you are
pasting both line immediately then I don't see an issue with this.

For precautions, get line 1 ACL configured for your access and don't touch
so that you never lose connectivity.

***** please remember to rate useful posts

Go to solution
tpanwala
Level 1
Level 1
In response to Mohammed al Baqari

‎02-05-2020 06:51 AM

Hi Mohammed, Thank you so much for fast and prompt response! I agree and assumed it should not impact but again thanks for the confirmation, though I would like to get more understanding on the precaution you have suggested. My understanding is that we can't add the same ACL with line 1 without deleting the existing one. Can you please help me out to elaborate this? Also, if cisco has any document which I can refer that would be awesome. Regards!
0 Helpful

Go to solution
ROHIT SHARMA
Level 1
Level 1
In response to tpanwala

‎02-05-2020 07:24 AM

you'll enter config like this (paste both at the same time):
no access-list ABC any any
access-list ABC line <no.> any any
0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to tpanwala

‎02-05-2020 02:06 PM - edited ‎02-05-2020 02:13 PM

Why are you thinking of removing an ACL entry and then adding a new one?  Is there a specific reason why you need to remove an entry first? Why not just add the updated entry and once that is confirmed to work, remove the old entry?  

Also, you do not need to remove an ACL entry you could just insert an entry to a specific line and the entries below will renumber themselves.

example:

access-list inside_access_in line 9 permit ip host 1.2.3.4 host 4.3.2.1

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
tpanwala
Level 1
Level 1
In response to Marius Gunnerud

‎02-06-2020 08:02 AM

As I mentioned that in our environment we are working on the rule re-ordering project in order to get the hits to teh actual ACL rather than the widely open access.

See the below example in which I actually wanted that ACL to move to the line 3, and let me know if there is a way to do it without removing.

Example:
access-list inside_acl line 9 permit tcp object-group Company_Network host 10.10.10.10

I would like to move this line to line 3, is there a way to do without deleting?
0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to tpanwala

‎02-09-2020 12:45 PM

You can do this in CLI or in ASDM without deleting the command.  Easiest would be in ASDM where you just select the rule you want to move up and there are up and down arrows at the top of the ASDM page, just click the up arrow until the rule is located at the line you want it to be at.

 

In the CLI you would need to add the rule to line 3 and then delete the duplicate rule, as follows.

access-list inside_acl line 3 permit tcp object-group Company_Network host 10.10.10.10 

no access-list inside_acl line 9 permit tcp object-group Company_Network host 10.10.10.10

 

 

 

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
tpanwala
Level 1
Level 1
In response to Marius Gunnerud

‎02-12-2020 06:34 AM

We're not allowing ASDM and so in CLI, I don't think we can add the same ACL with different line number before deleting the existing one as you mentioned. Please clarify if I am misunderstanding anything.
0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to tpanwala

‎02-12-2020 06:43 AM

You are misunderstanding.  You can add any ACE even if they overlap without getting an error.  You can easily do this in CLI without having any downtime.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to tpanwala

‎02-12-2020 12:17 PM

You can add line 1 acl and it will automatically push all other acls down by 1. It won't delete or override other acls. 

 

**** please remember to rate useful posts 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card