
Firewall queries

mani1910
Level 1

Hi All,

QN1.

I have a network object 10.0.0.0/8 and it is added to the "my-internal-ip network" object group.

In ASDM I can check where this policy is used and the policy number.

Similarly, is there any way to check the above details in the CLI?

QN2.

I have 10 policies configured in ASDM [1 to 10].

How can I insert a policy between policy 4 and 5 using the CLI?

2 Accepted Solutions

@mani1910 

Try this: "show access-list | include XXXXX", which will show you which access-list ACE entry this object is used in.

You need to use "line" when adding an ACE.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/access-acls.html

The command for adding an ACE is access-list name [line line-num] type parameters. The line number argument works for extended ACLs only. If you include the line number, the ACE is inserted at that location in the ACL, and the ACE that was at that location is moved down, along with the remainder of the ACEs (that is, inserting an ACE at a line number does not replace the old ACE at that line). If you do not include a line number, the ACE is added to the end of the ACL. The parameters available differ based on the ACL type; see the specific topics on each ACL type for details.

marioiram
Level 1

@mani1910 

You can try "sh run | i my-internal-ip network" to find out where the object is being used. That would show you the ACLs; then, with that, just find the order and, as indicated by @Rob Ingram, add an ACE.

HTH
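Both answers above come down to the same two steps: read the line numbers that `show access-list` prints for the ACEs referencing the object group, then use `access-list NAME line N ...` to insert ahead of the line you choose. The script below is an added example (not from the thread or from Cisco) that works those steps over a constructed `show access-list` sample written in the ASA output format: a parent row per configured ACE, with the object-group expansion indented beneath it and reusing the parent's line number. The object-group name `my-internal-ip` and 10.0.0.0/8 are from the question; the ACL name `inside_in`, the second group `blocked-hosts`, the hit counts, hashes, and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are assumed sample values.

```python
"""Locate object-group uses in ASA 'show access-list' output and build the
'access-list NAME line N ...' insert command (added example, constructed data)."""
import re
from dataclasses import dataclass

# Constructed sample of 'show access-list inside_in'; not captured from a real box.
SHOW_ACCESS_LIST = """\
access-list inside_in; 5 elements; name hash: 0x1a2b3c4d
access-list inside_in line 1 extended permit tcp object-group my-internal-ip any eq 443 (hitcnt=10) 0x11111111
  access-list inside_in line 1 extended permit tcp 10.0.0.0 255.0.0.0 any eq 443 (hitcnt=10) 0x22222222
access-list inside_in line 2 extended permit udp any host 192.0.2.53 eq 53 (hitcnt=4) 0x33333333
access-list inside_in line 3 extended deny ip object-group my-internal-ip object-group blocked-hosts (hitcnt=0) 0x44444444
  access-list inside_in line 3 extended deny ip 10.0.0.0 255.0.0.0 host 203.0.113.9 (hitcnt=0) 0x55555555
  access-list inside_in line 3 extended deny ip 10.0.0.0 255.0.0.0 host 203.0.113.10 (hitcnt=0) 0x66666666
access-list inside_in line 4 extended permit ip any any (hitcnt=88) 0x77777777
"""


@dataclass
class Ace:
    acl: str
    line: int
    body: str        # text after 'line N', without hitcnt and hash
    expanded: bool   # True for the indented object-group expansion rows
    hitcnt: int


# One ACE row: optional indent, ACL name, line number, body, optional hitcnt, hash.
ACE_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) "
    r"(?P<body>.*?)(?: \(hitcnt=(?P<hits>\d+)\))? 0x[0-9a-fA-F]+\s*$"
)


def parse_show_access_list(text):
    """Parse 'show access-list' output into Ace records, skipping the header row."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue  # header ('...; N elements; name hash: ...') or unrelated text
        aces.append(Ace(acl=m["acl"], line=int(m["line"]), body=m["body"],
                        expanded=bool(m["indent"]), hitcnt=int(m["hits"] or 0)))
    return aces


def find_object_group_uses(aces, group):
    """Configured (non-expanded) ACEs that reference the group, with their line
    numbers: what 'show access-list | include object-group <group>' returns,
    minus the expansion rows.  Whole-name match so 'foo' does not hit 'foo-2'."""
    pat = re.compile(rf"\bobject-group {re.escape(group)}(?=\s|$)")
    return [(a.acl, a.line, a.body) for a in aces
            if not a.expanded and pat.search(a.body)]


def insert_command(acl, line, body):
    """CLI that places a new ACE at <line>; the ACE that held that line and all
    later ones move down by one, nothing is overwritten."""
    return f"access-list {acl} line {line} {body}"


def simulate_insert(aces, acl, line, body):
    """Parent ACEs of <acl> renumbered the way the ASA renumbers them after
    insert_command(); returns [(line, body)] in final order."""
    parents = [a for a in aces if a.acl == acl and not a.expanded]
    out = [(a.line + 1 if a.line >= line else a.line, a.body) for a in parents]
    out.append((line, body))
    return sorted(out)


if __name__ == "__main__":
    aces = parse_show_access_list(SHOW_ACCESS_LIST)
    for acl, line, body in find_object_group_uses(aces, "my-internal-ip"):
        print(f"{acl} line {line}: {body}")
    new_ace = "extended permit tcp any host 198.51.100.7 eq 22"
    print(insert_command("inside_in", 3, new_ace))          # insert between 2 and 3
    for line, body in simulate_insert(aces, "inside_in", 3, new_ace):
        print(f"line {line}: {body}")
```

For the question's ten-rule ACL, inserting between rules 4 and 5 is `access-list NAME line 5 ...`, with the former rule 5 becoming 6. Two checks before running it: take the number from `show access-list`, because that is the numbering the `line` argument refers to, while `show running-config access-list` prints the ACEs without line numbers and the ASDM rule index should be confirmed against the CLI rather than assumed; and remember that the text after `| include` is a regular expression matched against each output line, so a filter on the group name also returns the parent row of every ACE that uses it, which is exactly the line number you want.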
