Solved: Re: temporarily disable rules?

slug420 · ‎10-14-2009

What's the best way you have found to temporarily disable certain rules in an ASA config (8.2.1). AFAIK there is no way to comment out a line in an ACL....So if we have a SQL connection that we need to open up from time to time (but are not comfortable leaving open permanently) whats the best way to do this?

jeromecandiff · ‎10-14-2009

In 8.x you have the ability to disable certain aces.

View solution in original post

Jon Marshall · ‎10-14-2009

Chris

2 ways that i have used

1) have a copy of the acl with a different name in the config and without the SQL line and then simply apply whichever acl you want to use at the time to the relevant interface

2) You can specify line numbers in acls so you can do

no access-list line SQL rule

and then when you want to allow it simply add it back in

access-list line SQL rule

Jon

slug420 · ‎10-14-2009

Actually you just gave me another idea....

Maybe I will put it in the ACL as line 10 or something and then put the same rule with a deny action as line 9. When I want to use it I remove the deny, and when I am done I re-add the deny (which is simple since im just copying the existing line and changing permit to deny)

Jon Marshall · ‎10-14-2009

Chris

Yes that would work as well, just make sure you get the line numbers correct or you could allow when you mean to deny and vice-versa.

Jon

jeromecandiff · ‎10-14-2009

In 8.x you have the ability to disable certain aces.

slug420 · ‎10-14-2009

how?

slug420 · ‎10-14-2009

found it:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1540321

inactive

(Optional) Disables an ACE. To reenable it, enter the entire ACE without the inactive keyword. This feature lets you keep a record of an inactive ACE in your configuration to make reenabling easier.

cool