Managing ACE line numbers manually

S891
Level 2

Hi,

Is it possible to manually control ACL ACE line numbers? I have FWSM 4.1(10). It appears that no matter what number you give for a new ACE, it is automatically added to the bottom with the next sequential number (5, 6, 7, ...) and not the number you give, unless it is replacing an existing ACE, in which case it pushes the original ACE to the next line number.

I want to keep an ACE at the end with a very high number (say 15000) and add new ACEs like 500, 501. Is it possible?

If it is not possible, what is the best way to make sure that a particular ACE is always at the bottom of an ACL?

Thanks much!

1 Reply

Jouni Forss
VIP Alumni

Hi,

To my understanding, in Cisco firewalls line numbers are a continuous range, for example from 1 to 7. There is no situation where there is a line 1 and a line 7 only. The only situation where you need to use a line number is when you want to add something in between the existing rules and not at the bottom of the rules.

Depending on how your ACL / rules are built you might end up entering every ACE on a certain line since you might have some manually configured deny statement in the ACL.

On Cisco routers, however, there is the possibility to do what you are talking about in your post. In the router extended ACLs it is possible to use the sequence number to make one rule of very high value and one of very low value without having anything in between them.

So to my knowledge this is not possible in the PIX / FWSM / ASA.

You simply need to check where you enter the new rule to keep the ACL in working order.

Here's a quote from the command reference (ASA 8.4); the same applies to the FWSM:

line line-num

(Optional) Specifies the line number at which to insert the ACE. If you do not specify a line number, the ACE is added to the end of the access list. The line number is not saved in the configuration; it only specifies where to insert the ACE.

- Jouni
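The practical consequence of the reply above is that the only way to keep a sentinel ACE (for example an explicit `deny ip any any log`) at the bottom of an ASA/FWSM ACL is to insert every new ACE with `line N`, where N is the current line number of that sentinel, so the sentinel gets pushed down each time. The script below is an added example, not code from the original thread or from Cisco: it models the behaviour the reply describes (contiguous line numbers, `line N` inserts before the current line N, a line number beyond the end just appends, the number itself is not stored), parses a constructed `show running-config access-list` excerpt, and generates the `access-list NAME line N ...` commands that keep the sentinel last. The config excerpt, ACL names and addresses are constructed; treating every `access-list NAME ...` line (including remarks) as one numbered entry is a simplifying assumption.

```python
"""Generate 'access-list NAME line N ACE' commands that keep a sentinel ACE last.

Added example, not from the original thread. It models the ASA/FWSM behaviour
the reply describes rather than talking to a device.
"""
from dataclasses import dataclass, field


@dataclass
class Acl:
    """An ACL as the firewall numbers it: position in the list is the line number."""
    name: str
    aces: list = field(default_factory=list)

    def lines(self):
        """(line_number, ace_text) pairs, numbered contiguously from 1."""
        return list(enumerate(self.aces, start=1))

    def insert(self, ace, line=None):
        """Apply 'access-list NAME [line L] ACE'.

        Without 'line' the ACE is appended. With 'line L' it is inserted before
        the ACE currently at line L, pushing that ACE and everything after it
        down by one. A line number past the end simply appends (assumption:
        this matches what the question reports for 'line 15000').
        """
        if line is None or line > len(self.aces):
            self.aces.append(ace)
        elif line < 1:
            raise ValueError("line numbers start at 1")
        else:
            self.aces.insert(line - 1, ace)


def parse_acls(running_config):
    """Build Acl objects from 'access-list NAME <rest>' lines (assumption: every
    such line, remarks included, occupies one line number)."""
    acls = {}
    for raw in running_config.splitlines():
        parts = raw.strip().split(None, 2)
        if len(parts) == 3 and parts[0] == "access-list":
            acls.setdefault(parts[1], Acl(parts[1])).aces.append(parts[2])
    return acls


def plan_inserts(acl, new_aces, sentinel):
    """Return the CLI commands that add new_aces above 'sentinel', which must
    currently be the last line. Each command is applied to the model before
    the next is generated, because inserting at line N moves the sentinel
    to line N+1 and the next command must use that new number."""
    commands = []
    for ace in new_aces:
        line_no, last = acl.lines()[-1]
        if last != sentinel:
            raise ValueError(f"{acl.name}: last line {line_no} is {last!r}, not the sentinel")
        commands.append(f"access-list {acl.name} line {line_no} {ace}")
        acl.insert(ace, line=line_no)
    return commands


# Constructed 'show running-config access-list' excerpt (not from a real device).
SAMPLE_RUNNING_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.5 eq 443
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.5 eq 80
access-list OUTSIDE_IN extended deny ip any any log
access-list MGMT extended permit tcp 10.1.0.0 255.255.0.0 any eq 22
"""

SENTINEL = "extended deny ip any any log"


def demo():
    """Plan two inserts into OUTSIDE_IN and return (commands, resulting lines)."""
    acl = parse_acls(SAMPLE_RUNNING_CONFIG)["OUTSIDE_IN"]
    commands = plan_inserts(
        acl,
        ["extended permit udp any host 10.0.0.6 eq 53",
         "extended permit tcp any host 10.0.0.7 eq 25"],
        SENTINEL,
    )
    return commands, acl.lines()


if __name__ == "__main__":
    cmds, lines = demo()
    print("\n".join(cmds))
    for n, ace in lines:
        print(f"line {n}: {ace}")
```

Run it as-is to see the generated commands and the resulting numbering; the commands must be entered in the printed order, since the second one relies on the sentinel already having moved down to the next line. Feeding the same model a `line 15000` insert reproduces the behaviour from the question: the ACE lands after the sentinel, which is exactly what this approach avoids.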
