
Questions about ACLs in ASA

nevereturn
Level 1

I have two questions:

The first question:
I have made an ACL entry inactive for testing. For example, I set up an ACL:

access-list out-in extended permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet

access-list out-in extended permit tcp host 2.2.2.2 host 1.1.1.1 eq www

Then, I disable the ACL entry about the telnet one:

access-list out-in extended permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet inactive

Now, how can I re-activate the telnet entry without removing and re-writing the ACL?

The second question:

Can I edit a specific ACL entry like on a router? In this case, how can I edit the telnet entry, such as changing the source IP and destination IP?

Thanks in advance!

Accepted Solution

malikyounas
Level 1

1. You just need to enter the same command without 'inactive' at the end of it; do 'sh access-list' to get an idea of the line number:

access-list out-in line XX extended permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet

2. Enter the command 'sh access-list'; it will show all the active ACLs and the line number along with each one. You will have to remove that line entry and re-add it. So, say for example you want to change line 2 from the following:

ASA1# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list inside_in; 2 elements; name hash: 0xd3a8690b
access-list inside_in line 1 extended permit ip any any (hitcnt=0) 0xb80bc887
access-list inside_in line 2 extended permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet (hitcnt=0) 0x7bf0c01d

you can

config t
no access-list inside_in line 2 extended permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet
access-list inside_in line 2 extended permit tcp host <new-source-ip> host <new-destination-ip> eq telnet

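An added Python helper, not from the thread or from Cisco, that works the two steps of the accepted answer on a sample of "show access-list" output: it parses each ACE line, builds the command that re-enters an ACE without the inactive keyword (question 1), and builds the no / re-add pair at the same line number with new source and destination hosts (question 2). The sample output is constructed from the thread's own, with a third inactive entry added; the assumption that "show access-list" prints the inactive keyword on the ACE text is mine.

```python
import re

# Constructed sample: the thread's "sh access-list" output plus a third entry
# (line 3) added in the inactive state; its trailing hash is a placeholder.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list inside_in; 3 elements; name hash: 0xd3a8690b
access-list inside_in line 1 extended permit ip any any (hitcnt=0) 0xb80bc887
access-list inside_in line 2 extended permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet (hitcnt=0) 0x7bf0c01d
access-list inside_in line 3 extended permit tcp host 2.2.2.2 host 1.1.1.1 eq www inactive (hitcnt=0) 0x00000000
"""

# One ACE line: ACL name, line number and the ACE body, with the trailing
# "(hitcnt=N) 0x..." counters stripped so the body can be re-entered verbatim.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.+?)"
    r"(?: \(hitcnt=\d+\))?(?: 0x[0-9a-f]+)?$"
)
HOSTS_RE = re.compile(r"host \S+ host \S+")


def parse_aces(show_output: str) -> dict[tuple[str, int], str]:
    """Map (acl name, line number) -> ACE body; header/summary lines are skipped."""
    aces = {}
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            aces[(m["acl"], int(m["line"]))] = m["body"]
    return aces


def reactivate_cmd(acl: str, line: int, body: str) -> str:
    """Question 1: re-enter the same ACE at its line number without 'inactive'."""
    # Assumed display form: "show access-list" keeps the inactive keyword on the ACE text.
    return f"access-list {acl} line {line} {body.removesuffix(' inactive')}"


def rehost_cmds(acl: str, line: int, body: str, new_src: str, new_dst: str) -> list[str]:
    """Question 2: remove the exact ACE, then re-add it at the same line number
    with the new source/destination hosts so its position in the ACL is kept."""
    new_body = HOSTS_RE.sub(f"host {new_src} host {new_dst}", body, count=1)
    return [
        f"no access-list {acl} line {line} {body}",
        f"access-list {acl} line {line} {new_body}",
    ]
```

Feed it the real "show access-list" text and the returned commands are what you would type under "config t"; the no command must reproduce the ACE exactly, which is why the hit counters and hash are stripped rather than the whole line being reused.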

7 Replies

I've tested it.

The information you provided is very helpful.

Thanks very much!

Hello Malikyounas,

Sorry for another question:

I found 2 parameters after the access-list name: Extended and Standard.
I noticed that if I didn't define this parameter and just wrote the source IP, Dest IP, Protocol and so on, when I use "show access-list", it shows as an extended ACL.

So, if I don't define Extended or Standard, will it be an extended ACL by default? Or is it related to the software version of the ASA?

Thanks in advance.

Hi,

It's better defined in this Cisco doc, where it says you can't use a standard ACL as it only identifies the destination IP address, which you can suppose is not enough for a FW:

Information About Standard Access Lists

Standard access lists identify the destination IP addresses of OSPF routes and can be used in a route map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control traffic.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_standard.html#wp1074591

Hello malikyounas,

Thanks for the reply. Your information about standard ACLs is very helpful.

What I want to know is if I don't define Extended or Standard, it will be an extended ACL by default?

Thanks in advance.

It will depend on what sort of entry you are going to add: if you add just the destination IP, the ASA will consider it Standard, and if you define source and destination, the ASA will automatically consider this as Extended.

access-list cisco permit ip host 20.20.20.1 - ASA will default to standard ACL for this

access-list cisco permit ip any host 20.20.20.1 - ASA will default to Extended ACL for this

If you use show access-list after adding both ACLs above, you will see the first one as standard and the second as extended.

Hello malikyounas,

Thanks for your feedback.

It is very helpful.

Many thanks.
