ACL naming? Delete and start over or just rename?

May 2nd, 2007
I'm wanting to add a better description to some ACLs in my ASA firewall, instead of inside, outside, dmz, etc. Is there a way to add a description to an ACL or is that accomplished by "inside", etc?

Thanks, Tony

Correct Answer by acomiskey, Wed, 05/02/2007 - 07:41

You can add remarks in your ACL... is that what you want?

access-list outside remark Permit mail traffic
access-list outside extended permit tcp any host mailserver eq 25


ttrevino1 Wed, 05/02/2007 - 07:46
That's exactly what I wanted, thanks!


Now another question, can someone explain the differences to me in ACLs that are "extended" or not? Also, is there a reason to name an ACL a number (80), or a name (outside)?

I'm trying to clean up a network that has a lot of old config on it that nobody has kept up with, and want to make sure I'm not deleting something that's in use. Is there a way to tell if an ACL is actually being used?

Thanks again, Tony

pkapoor Wed, 05/02/2007 - 08:52
Extended ACLs are easier to manipulate. When working on a router, if you have an extended ACL, then you can remove access-list entries (ACEs) from the middle of the list - something you cannot do with the standard ACLs. Further, you can remove ACEs from the middle and add ACEs in the middle. You can even resequence the whole ACL so that the line numbers are consistent.


The use of named extended ACLs is basically to have a better description of what the ACL is for.


To know if an ACL is being used, some of the things you can do are:


1. Execute the command "show running-config | inc access-group". This will show you if there are any access-group statements in your configuration. If there are, then it means your ACL has been applied somewhere. You will then need to check the configuration and see where it is applied.


2. Check the line vty configurations and see if you are using ACLs there to define which IPs can remote to your router.


3. Check your SNMP setting and see if you have an ACL restricting which IPs can SNMP to the router.


4. Check route-maps and see if you are using an ACL there (if you have route-maps, then you must have an ACL associated there defining the criteria for that route-map).


5. And last but not least, you can do a "show access-list" and see if any of the hitcounts alongside the ACEs are incrementing. This is not a decisive test, but if an ACL is being actively used while you are checking, then you should be able to see the hitcount increment.


(My 2-bits).

acomiskey Wed, 05/02/2007 - 08:54

If the acl was being used you would see some other reference to it in the config.

Examples...

access-group <acl-name> in interface outside

nat (inside) 0 access-list <acl-name>

Post the config if you want help.
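As an added example (not from any poster in this thread), the following Python script automates the audit pkapoor and acomiskey describe: it takes the text of a saved "show running-config", lists every statement that references an ACL by name (access-group, nat exemption, snmp-server community, access-class on vty lines, route-map match, and additionally crypto map match address, which the thread does not mention), and reports ACLs that are defined but referenced nowhere. It also diffs two "show access-list" snapshots to find ACLs whose hit counters are still moving. The sample config and snapshot text are constructed, with made-up ACL names and RFC 5737 addresses, and mix ASA statements with the IOS-style SNMP and vty references from the thread.

```python
"""Audit which ACLs in a saved Cisco ASA/IOS config are referenced anywhere.

Added example; not code from the thread. Parses 'show running-config' text
and two 'show access-list' snapshots. Sample inputs below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample config: made-up names, RFC 5737 addresses, mixing ASA
# statements with the IOS-style snmp/vty references mentioned in the thread.
SAMPLE_CONFIG = """\
hostname fw1
access-list outside remark Permit mail traffic
access-list outside extended permit tcp any host 192.0.2.25 eq 25
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list 80 standard permit 10.1.1.0 255.255.255.0
access-list old_dmz extended permit ip any any
access-list mgmt standard permit 10.1.9.0 255.255.255.0
access-list pbr extended permit ip 10.1.5.0 255.255.255.0 any
access-group outside in interface outside
nat (inside) 0 access-list nonat
snmp-server community s3cret RO 80
line vty 0 4
 access-class mgmt in
route-map PBR permit 10
 match ip address pbr
"""

ACL_DEFINITION = re.compile(r"^\s*access-list\s+(\S+)\s")

# Each pattern captures, in group 1, the ACL name used by one kind of reference.
REFERENCE_PATTERNS = {
    "access-group": re.compile(r"^\s*access-group\s+(\S+)\s+(?:in|out)\b"),
    "nat-exemption": re.compile(r"^\s*nat\s+\(\S+\)\s+\d+\s+access-list\s+(\S+)"),
    "snmp-community": re.compile(
        r"^\s*snmp-server\s+community\s+\S+\s+(?:ro|rw)\s+(\S+)", re.IGNORECASE),
    "access-class": re.compile(r"^\s*access-class\s+(\S+)\s+(?:in|out)\b"),
    "route-map-match": re.compile(r"^\s*match\s+ip\s+address\s+(\S+)"),
    "crypto-map": re.compile(r"^\s*crypto\s+map\s+\S+\s+\d+\s+match\s+address\s+(\S+)"),
}


def defined_acls(config):
    """Names that have at least one access-list line (remark lines count too)."""
    names = set()
    for line in config.splitlines():
        m = ACL_DEFINITION.match(line)
        if m:
            names.add(m.group(1))
    return names


def acl_references(config):
    """Map each referenced ACL name to the (kind, statement) pairs that use it."""
    refs = defaultdict(list)
    for line in config.splitlines():
        for kind, pattern in REFERENCE_PATTERNS.items():
            m = pattern.match(line)
            if m:
                refs[m.group(1)].append((kind, line.strip()))
    return dict(refs)


def unreferenced_acls(config):
    """Defined ACLs that no known statement points at: review these before deleting."""
    return sorted(defined_acls(config) - set(acl_references(config)))


# Constructed 'show access-list' snapshots, as if taken a few minutes apart.
SNAPSHOT_BEFORE = """\
access-list outside; 1 elements
access-list outside line 1 extended permit tcp any host 192.0.2.25 eq smtp (hitcnt=120) 0x1a2b3c4d
access-list old_dmz; 1 elements
access-list old_dmz line 1 extended permit ip any any (hitcnt=0) 0x5e6f7a8b
"""
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("(hitcnt=120)", "(hitcnt=131)")

HITCNT = re.compile(r"^access-list\s+(\S+)\s+line\s+(\d+)\s+.*\(hitcnt=(\d+)\)")


def hitcounts(show_output):
    """Parse ASA 'show access-list' output into {(acl, line_no): hitcnt}."""
    counts = {}
    for line in show_output.splitlines():
        m = HITCNT.match(line.strip())
        if m:
            counts[(m.group(1), int(m.group(2)))] = int(m.group(3))
    return counts


def acls_with_traffic(before, after):
    """ACL names whose counters grew between snapshots; a zero delta proves nothing."""
    old, new = hitcounts(before), hitcounts(after)
    return sorted({acl for (acl, ln), n in new.items() if n > old.get((acl, ln), 0)})


if __name__ == "__main__":
    for name, uses in sorted(acl_references(SAMPLE_CONFIG).items()):
        for kind, stmt in uses:
            print(f"{name:10} {kind:16} {stmt}")
    print("unreferenced:", unreferenced_acls(SAMPLE_CONFIG))
    print("still passing traffic:", acls_with_traffic(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

Run against the constructed config, the report shows old_dmz as the only ACL with no reference, and the snapshot diff shows only the outside ACL still counting hits. An ACL that is both unreferenced and static is a strong deletion candidate, but, as pkapoor notes, a flat hit count alone is not decisive, and the reference patterns only cover statement types you have taught the script about.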
