01-07-2019 08:31 PM - edited 02-21-2020 08:38 AM
Hello Cisco Community
We have a Cisco ASA ver 9.1 and a very big extended access-list for different levels of access.
access-list FROM_VLAN18 line 1 remark ------ PLC SHREDDER TO ACCESS VLAN 17 ------
access-list FROM_VLAN18 line 2 extended permit tcp object-group SHREDDER_PLC host 10.0.17.63 (hitcnt=0) 0x8c721786
access-list FROM_VLAN18 line 2 extended permit tcp host 10.0.18.50 host 10.0.17.63 (hitcnt=500) 0x8bf3ecdf
access-list FROM_VLAN18 line 2 extended permit tcp host 10.0.18.51 host 10.0.17.63 (hitcnt=150) 0x3ee92951
access-list FROM_VLAN18 line 2 extended permit tcp host 10.0.18.52 host 10.0.17.63 (hitcnt=50) 0x8250cb8f
access-list FROM_VLAN18 line 2 extended permit tcp host 10.0.18.53 host 10.0.17.63 (hitcnt=700) 0x9f4f3a59
access-list FROM_VLAN18 line 2 extended permit tcp host 10.0.18.54 host 10.0.17.63 (hitcnt=300) 0x4fbc2c93
access-list FROM_VLAN18 line 3 remark ---------- END ----------
access-list FROM_VLAN18 line 4 remark ------ Shredder PLC to LVNCitect1 PMO 5253 ------
access-list FROM_VLAN18 line 5 extended permit ip object shredder_plc object lvn-citect1 (hitcnt=0) 0x9c09638b
access-list FROM_VLAN18 line 5 extended permit ip host 10.0.18.52 host 10.0.17.6 (hitcnt=0) 0x9c09638b
access-list FROM_VLAN18 line 6 remark ---------- END ---------
access-list FROM_VLAN18 line 7 remark ------ 10.0.18.52 TO 10.0.17.105 Marval 577574 ------
access-list FROM_VLAN18 line 8 extended permit tcp object shredder_plc host 10.0.17.105 (hitcnt=0) 0xce7fed6b
access-list FROM_VLAN18 line 8 extended permit tcp host 10.0.18.52 host 10.0.17.105 (hitcnt=0) 0xce7fed6b
access-list FROM_VLAN18 line 9 remark ---------- END ----------
access-list FROM_VLAN18 line 10 remark --------- Meltshop Citect Server corporate interface access Shredder PLC - Marval 927566 --------
access-list FROM_VLAN18 line 11 extended permit tcp object shredder_plc object corp_citect_1 (hitcnt=0) 0xac86937a
access-list FROM_VLAN18 line 11 extended permit tcp host 10.0.18.52 host 10.0.15.18 (hitcnt=0) 0xac86937a
access-list FROM_VLAN18 line 12 remark ---------- END ---------
These line numbers are continuous, with no gap. I need to add one access line in between; does anyone know how to do that?
01-07-2019 08:49 PM
01-07-2019 09:08 PM
Hi Mohammed
Thanks for your reply on the query. Just to double check, as this is a production ASA :)
So the new ACE which we are adding will not overwrite the current line; it will push all other lines to the next numbers.
Is that correct?
thanks
Santosh
01-07-2019 09:27 PM
01-07-2019 08:53 PM
Hi Santhosh,
Option 1 -
You can use the normal ACL command with a line number. It will add the ACE at the mentioned place.
For example:
ciscoasa(config)# access-list acl_name line 3 extended deny ip 192.168.1.0 255.255.255.0 any
This will add a new line at position 3.
Option 2 -
You can easily add the ACE with ASDM and move it to the relevant place with the arrow buttons.
*** Pls rate all useful responses ***
Good Luck
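The following is an added example, not code from the thread or from Cisco. It models the behaviour Kasun describes (and that Santosh asks about): parsing `show access-list`-style output, collapsing the per-member expansion lines that share a line number with their object or object-group ACE, inserting a new ACE at a chosen line and renumbering everything after it, so the result of the `access-list NAME line N ...` command can be previewed before it is typed into a production ASA. The sample output is constructed and modelled on the lines in the original post; the host 10.0.18.55 in the inserted entry is hypothetical, and the shift-not-overwrite behaviour is taken from the answer above, not verified here against the device.

```python
"""Preview what `access-list NAME line N ...` does to an ASA ACL.

Added example, not from the thread.  Parses `show access-list` output,
keeps one entry per configured line number, inserts a new ACE at a given
line and renumbers the entries that follow it.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the output in the original post
# (hit counts and hashes are illustrative only).
SAMPLE_SHOW_ACL = """\
access-list FROM_VLAN18 line 1 remark ------ PLC SHREDDER TO ACCESS VLAN 17 ------
access-list FROM_VLAN18 line 2 extended permit tcp object-group SHREDDER_PLC host 10.0.17.63 (hitcnt=0) 0x8c721786
access-list FROM_VLAN18 line 2 extended permit tcp host 10.0.18.50 host 10.0.17.63 (hitcnt=500) 0x8bf3ecdf
access-list FROM_VLAN18 line 2 extended permit tcp host 10.0.18.51 host 10.0.17.63 (hitcnt=150) 0x3ee92951
access-list FROM_VLAN18 line 3 remark ---------- END ----------
access-list FROM_VLAN18 line 4 remark ------ Shredder PLC to LVNCitect1 PMO 5253 ------
access-list FROM_VLAN18 line 5 extended permit ip object shredder_plc object lvn-citect1 (hitcnt=0) 0x9c09638b
access-list FROM_VLAN18 line 5 extended permit ip host 10.0.18.52 host 10.0.17.6 (hitcnt=0) 0x9c09638b
access-list FROM_VLAN18 line 6 remark ---------- END ---------
"""

# Body is everything after the line number, minus the trailing hit count
# and hash that `show access-list` appends to non-remark entries.
LINE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<num>\d+) (?P<body>.*?)"
    r"(?: \(hitcnt=\d+\)(?: 0x[0-9a-fA-F]+)?)?\s*$"
)


@dataclass
class Ace:
    number: int
    body: str  # e.g. "extended permit tcp host 10.0.18.50 host 10.0.17.63"


def parse_show_access_list(text: str, acl_name: str) -> list[Ace]:
    """Return the configured ACEs of one ACL, in line order.

    An object/object-group ACE is printed once as configured and then once
    per expanded member, all with the same line number.  Only the first
    occurrence of a number is a configured entry; the expansions are dropped.
    """
    entries: dict[int, Ace] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["acl"] != acl_name:
            continue
        entries.setdefault(int(m["num"]), Ace(int(m["num"]), m["body"]))
    aces = [entries[n] for n in sorted(entries)]
    if [a.number for a in aces] != list(range(1, len(aces) + 1)):
        raise ValueError("configured line numbers are not contiguous")
    return aces


def insert_ace(aces: list[Ace], line: int, body: str) -> list[Ace]:
    """Insert `body` at `line`; entries at or after `line` move down by one.

    Assumption taken from the answer above: nothing is overwritten.  Positions
    outside 1..len+1 are rejected rather than guessed at.
    """
    if not 1 <= line <= len(aces) + 1:
        raise ValueError(f"line {line} outside 1..{len(aces) + 1}")
    new = [Ace(a.number, a.body) for a in aces[: line - 1]]
    new.append(Ace(line, body))
    new.extend(Ace(a.number + 1, a.body) for a in aces[line - 1:])
    return new


def insert_command(acl_name: str, line: int, body: str) -> str:
    """The single config-mode command that performs the insertion."""
    return f"access-list {acl_name} line {line} {body}"


def render(acl_name: str, aces: list[Ace]) -> list[str]:
    """Config-style lines after the change, for a before/after review."""
    return [f"access-list {acl_name} line {a.number} {a.body}" for a in aces]


if __name__ == "__main__":
    acl = "FROM_VLAN18"
    before = parse_show_access_list(SAMPLE_SHOW_ACL, acl)
    # Hypothetical new host that should land right after the line-2 ACE.
    new_body = "extended permit tcp host 10.0.18.55 host 10.0.17.63"
    print(insert_command(acl, 3, new_body))
    for cmd in render(acl, insert_ace(before, 3, new_body)):
        print(cmd)
```

Run it and compare the rendered "after" list with `show access-list` output taken after the change; the old line 3 remark should now appear as line 4, and the expansion lines of object-based entries should still share the number of their parent ACE.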
01-07-2019 09:32 PM
Thanks for your reply Kasun.
I will go with option 1 as ASDM is not working on that ASA; that's another issue.
01-07-2019 09:44 PM