Can you disable a single line within ACL?

parsonsproject1
Level 1

We have 881g on 15.1 code with a ZBFW.

Within an ACL, ip access-list extended blah, with multiple lines, 10,20,30,etc... is there a way to disable a single line or make it inactive while still leaving it in config? Don't see it in there, not sure if it's not possible or I'm not looking at the right things.

Thanks!


4 Replies

Collin Clark
VIP Alumni

View the ACL (show access-list)

FIREWALL#sh access-list inbound
Extended IP access list inbound
    10 deny ip 0.0.0.0 0.255.255.255 any log
    20 deny ip host 255.255.255.255 any log
    30 permit tcp any any eq smtp established log
    40 deny ip 127.0.0.0 0.255.255.255 any log

Then go into the ACL and remove the line you want.

FIREWALL#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
FIREWALL(config)#ip access-list ext inbound
FIREWALL(config-ext-nacl)#no 30 permit tcp any any eq smtp established log
FIREWALL(config-ext-nacl)#end
FIREWALL#sh access-list inbound
Extended IP access list inbound
    10 deny ip 0.0.0.0 0.255.255.255 any log
    20 deny ip host 255.255.255.255 any log
    40 deny ip 127.0.0.0 0.255.255.255 any log
    50 deny ip 10.0.0.0 0.255.255.255 any log

Thanks, I know how to remove a line within the ACL, but that is not what I'm looking for. I still want the line to be in there, just inactive, similar to how you can specify an ACE on an ASA with the 'inactive' keyword at the end. Is this possible with a router running ZBFW on 15.1 code?

There is no 'inactive' like on the ASA. A workaround would be to do something like

remark permit tcp any any eq smtp established log

It keeps it in the config, but it doesn't do anything since it's a remark.
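As an added illustration of the remark workaround (this is example code written for this page, not anything from the thread or from Cisco), here is a small Python helper that parses `show access-list` output like the one above and generates the IOS commands to "disable" an ACE by replacing it with a remark at the same sequence number, and to restore it later. It assumes the named-ACL configuration mode on this release accepts `no <seq>` and `<seq> remark <text>`, and that a remark is limited to 100 characters, so an overly long ACE is rejected rather than silently truncated. The sample output is constructed from the thread.

```python
import re

# Constructed sample `show access-list inbound` output, modelled on the thread above.
SAMPLE_SHOW_OUTPUT = """\
Extended IP access list inbound
    10 deny ip 0.0.0.0 0.255.255.255 any log
    20 deny ip host 255.255.255.255 any log
    30 permit tcp any any eq smtp established log
    40 deny ip 127.0.0.0 0.255.255.255 any log
"""

HEADER_RE = re.compile(r"^Extended IP access list (\S+)")
ACE_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s*$")
DISABLED_TAG = "DISABLED: "  # marker that tells a disabled ACE apart from an ordinary remark
REMARK_MAX_LEN = 100         # IOS remark text limit (assumed for this example)


def parse_show_access_list(text):
    """Return (acl_name, {seq: ace_text}) from `show access-list <name>` output."""
    name, aces = None, {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = ACE_RE.match(line)
        if m and name is not None:
            aces[int(m.group(1))] = m.group(2)
    if name is None:
        raise ValueError("no 'Extended IP access list' header found")
    return name, aces


def disable_ace(name, aces, seq):
    """Commands that replace ACE <seq> with a remark at the same sequence number.

    The remark carries the original ACE text, so the line stays in the config
    but no longer matches any traffic. Returns (commands, updated_aces)."""
    if seq not in aces:
        raise KeyError(f"sequence {seq} not in ACL {name}")
    ace = aces[seq]
    if ace.startswith("remark "):
        raise ValueError(f"sequence {seq} is already a remark")
    remark_text = DISABLED_TAG + ace
    if len(remark_text) > REMARK_MAX_LEN:
        raise ValueError(f"remark for sequence {seq} would exceed {REMARK_MAX_LEN} characters")
    commands = [
        f"ip access-list extended {name}",
        f" no {seq}",
        f" {seq} remark {remark_text}",
    ]
    updated = dict(aces)
    updated[seq] = f"remark {remark_text}"
    return commands, updated


def enable_ace(name, aces, seq):
    """Reverse of disable_ace: turn the tagged remark back into the original ACE."""
    entry = aces.get(seq)
    prefix = f"remark {DISABLED_TAG}"
    if entry is None or not entry.startswith(prefix):
        raise ValueError(f"sequence {seq} is not a disabled ACE")
    ace = entry[len(prefix):]
    commands = [
        f"ip access-list extended {name}",
        f" no {seq}",
        f" {seq} {ace}",
    ]
    updated = dict(aces)
    updated[seq] = ace
    return commands, updated


def active_aces(aces):
    """Entries that actually filter traffic; remarks never match anything."""
    return {s: a for s, a in sorted(aces.items()) if not a.startswith("remark ")}


if __name__ == "__main__":
    name, aces = parse_show_access_list(SAMPLE_SHOW_OUTPUT)
    cmds, disabled = disable_ace(name, aces, 30)
    print("\n".join(cmds))
    print("active after disable:", list(active_aces(disabled)))
    cmds, restored = enable_ace(name, disabled, 30)
    print("\n".join(cmds))
    assert restored == aces
```

Two things to keep in mind when using this approach: `show access-list` does not list remarks, so the disabled line is only visible in the running configuration (searching it for the `DISABLED:` tag is a quick audit of what has been switched off), and disabling a permit means the matching traffic now falls through to the later ACEs and the implicit deny, while disabling a deny opens that traffic up, so check `active_aces` before pushing the commands.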

Thanks Collin, looks like that is the closest we're going to get.