ACL Questions.

Answered Question
Mar 24th, 2008


I am unfamiliar with using the ASA and find myself running into a lot of errors, so I thought I would ask the experts.

I have several older(ish) routers that have ACLs on them that I would like to transfer to our new 5510 ASA, but I am finding it's not as simple as cut and paste. For example:

When I use "established" in a new ACL it has no idea what I am typing. Is this no longer used?

Also, in my current ACLs a line would look like this:

Access-list 103 permit udp any eq domain

But when I type that into my new 5510 I get an error that my IP address and subnet mask don't pair. (I get the same error when I cut my old ACL into a text editor and then try to paste it into my ASA 5510.) What am I doing wrong?

If someone can point me in the right direction I would be very grateful. (With several ACLs needing to be moved over, I am worried about how much of it is no longer used or different.)


Correct Answer by Jon Marshall about 8 years 7 months ago

No problem, glad to be of help.

Jon Marshall Mon, 03/24/2008 - 05:58

Hi Shawn

Firstly, you do not need the "established" keyword, because the ASA is a stateful firewall, so it will keep track of the TCP flags for you.

Secondly, IOS subnet masks are reverse masks, so = on the ASA.

You should be okay with the "domain" keyword, but if not you need to know the actual port numbers: domain = 53 in this case.

Note, if the reverse masks are not split on an octet boundary, i.e.

the easiest way to translate this to a normal mask is

31 + 1 = 32

256 - 32 = 224 so

works for other reverse masks as well eg.

63 + 1 = 64

256 - 64 = 192 so



shawnreis Mon, 03/24/2008 - 06:02

That does help a lot. I will do some editing and let you know how it works.

Thank you.


shawnreis Mon, 03/24/2008 - 06:21

Everything worked well with the import of the ACLs from my text editor, with two exceptions.

I noticed that non500-isakmp and netbios-ss are no longer options? Are they not needed? (Of course, if they are not then that is fine; I just don't want to be leaving anything out.)



Jon Marshall Mon, 03/24/2008 - 06:25


What do you mean by non500-isakmp ?

If you are trying to use the actual names then they might not be recognised by the ASA; sorry, not at work today.

Do you know the actual port numbers for non500-isakmp and netbios-ssn (which should be a port between 135 & 139, but I can never remember exactly which)?


shawnreis Mon, 03/24/2008 - 07:15


I did what you recommended and added them by port numbers non500-isakmp = 4500

and netbios-ss = 150

Everything worked fine.

Thanks for your help.
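Added example, not code from the thread or from Cisco: a small Python translator that applies the three rules from Jon's answer above (drop "established" because the ASA is stateful, turn IOS wildcard/reverse masks into subnet masks, and substitute port numbers for keywords the ASA may not recognise), which is also what the later exchange about non500-isakmp and netbios-ssn comes down to. The port table is an assumption limited to a few IOS keywords; the numbers in it are the IANA assignments, so netbios-ssn is TCP 139 and non500-isakmp (IANA ipsec-nat-t) is UDP 4500. Check any port number typed in by hand against those before pasting the ACL. The IOS sample lines are constructed for the example and are not the poster's ACLs.

```python
"""Translate Cisco IOS extended ACL lines into ASA access-list syntax.

Added example, not from the thread or from Cisco. Rules applied:
  - "established" is dropped (the ASA tracks TCP state itself),
  - wildcard (reverse) masks become subnet masks,
  - port keywords are replaced by their numbers.
"""

# Assumption: a small subset of IOS port keywords with their IANA numbers.
PORT_NAMES = {
    "domain": 53,
    "www": 80,
    "smtp": 25,
    "isakmp": 500,
    "non500-isakmp": 4500,   # IANA ipsec-nat-t (IKE/ESP over UDP 4500)
    "netbios-ns": 137,
    "netbios-dgm": 138,
    "netbios-ssn": 139,
}

PORT_OPS = {"eq", "neq", "lt", "gt"}


def wildcard_to_netmask(wildcard):
    """0.0.0.31 -> 255.255.255.224: each octet is 255 - w, i.e. 256 - (w + 1)."""
    octets = [int(o) for o in wildcard.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad wildcard mask: {wildcard}")
    value = sum(o << (8 * (3 - i)) for i, o in enumerate(octets))
    # A usable wildcard is a run of one-bits on the right (w + 1 is a power
    # of two); anything else is a non-contiguous mask the ASA cannot express.
    if value & (value + 1):
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ".".join(str(255 - o) for o in octets)


def port_number(token):
    """Return the numeric port for a keyword or a digit string."""
    if token.isdigit():
        return token
    if token in PORT_NAMES:
        return str(PORT_NAMES[token])
    raise ValueError(f"unknown port keyword {token!r}; supply the number")


def _take_address(tokens, i):
    """Consume one address spec at tokens[i]; return (asa_tokens, next_index)."""
    if tokens[i] == "any":
        return ["any"], i + 1
    if tokens[i] == "host":
        return ["host", tokens[i + 1]], i + 2
    return [tokens[i], wildcard_to_netmask(tokens[i + 1])], i + 2


def _take_ports(tokens, i):
    """Consume an optional port spec: eq/neq/lt/gt X, or range A B."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return [tokens[i], port_number(tokens[i + 1])], i + 2
    if i < len(tokens) and tokens[i] == "range":
        return ["range", port_number(tokens[i + 1]), port_number(tokens[i + 2])], i + 3
    return [], i


def ios_to_asa(line):
    """Translate one IOS extended ACL line; raise ValueError on malformed input."""
    t = line.split()
    if len(t) < 6 or t[0].lower() != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an IOS extended ACL line: {line}")
    name, action, proto = t[1], t[2], t[3]
    out = ["access-list", name, "extended", action, proto]
    try:
        src, i = _take_address(t, 4)
        sport, i = _take_ports(t, i)
        dst, i = _take_address(t, i)
        dport, i = _take_ports(t, i)
    except IndexError:
        # Running out of tokens mid-address is the "mask doesn't pair" case.
        raise ValueError(f"truncated ACL line: {line}")
    out += src + sport + dst + dport
    # "established" is an IOS TCP-flag check; the stateful ASA does not need it.
    out += [tok for tok in t[i:] if tok != "established"]
    return " ".join(out)


def translate(lines):
    """Translate a list of IOS ACL lines in order (ACL order is significant)."""
    return [ios_to_asa(line) for line in lines]


# Constructed sample lines in IOS syntax (not from the thread's routers).
SAMPLE_IOS = [
    "access-list 103 permit udp any any eq domain",
    "access-list 103 permit tcp 10.1.1.0 0.0.0.31 host 192.168.1.5 eq www established",
    "access-list 103 permit udp 172.16.0.0 0.0.63.255 any eq non500-isakmp",
    "access-list 103 permit tcp any 10.2.0.0 0.0.0.255 eq netbios-ssn",
]

if __name__ == "__main__":
    for asa_line in translate(SAMPLE_IOS):
        print(asa_line)
```

Run it on a text-editor dump of the router ACLs and paste the output; a line that makes the script raise is exactly a line the ASA would have rejected, so fix it (usually a mask or an unknown keyword) before pasting rather than after.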

