temporarily disable rules?

Answered Question
Oct 14th, 2009
What's the best way you have found to temporarily disable certain rules in an ASA config (8.2.1)? AFAIK there is no way to comment out a line in an ACL. So if we have a SQL connection that we need to open up from time to time (but are not comfortable leaving open permanently), what's the best way to do this?




Jon Marshall Wed, 10/14/2009 - 07:05

Chris


Two ways that I have used:


1) have a copy of the acl with a different name in the config and without the SQL line and then simply apply whichever acl you want to use at the time to the relevant interface


2) You can specify line numbers in ACLs, so you can do


no access-list line SQL rule


and then when you want to allow it simply add it back in


access-list line SQL rule


Jon

slug420 Wed, 10/14/2009 - 07:33
Actually you just gave me another idea....


Maybe I will put it in the ACL as line 10 or something and then put the same rule with a deny action as line 9. When I want to use it I remove the deny, and when I am done I re-add the deny (which is simple since I'm just copying the existing line and changing permit to deny).

Jon Marshall Wed, 10/14/2009 - 07:42

Chris


Yes that would work as well, just make sure you get the line numbers correct or you could allow when you mean to deny and vice-versa.


Jon

Correct Answer
jeromecandiff Wed, 10/14/2009 - 09:14
In 8.x you have the ability to disable certain aces.
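The following is an added example, not code from anyone in this thread. It models a small ASA ACL in Python with the two properties that make the approaches above work or fail: ACEs are evaluated top to bottom, first match wins, and an unmatched flow hits the implicit deny at the end. It then generates the CLI lines for the accepted answer's approach (re-entering the ACE with the `inactive` keyword to disable it, and without it to re-enable it) and for slug420's approach (a deny copy of the ACE inserted on the line in front of the permit), and checks Jon's caveat that a deny placed on the wrong line does nothing. The ACL name `outside_in`, the hosts (RFC 5737 documentation addresses) and the ports are made up; the parser only understands the `host`/`any` and `eq` forms used in the sample, not the full ASA grammar.

```python
"""Toggle an ASA ACE two ways and verify the effect with first-match evaluation.

Constructed example: the ACL name, addresses and ports are illustrative only.
"""
import re
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Minimal ASA ACE grammar: "host A"/"any" endpoints and an optional "eq PORT".
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\d+))?"
    r"(?P<inactive> inactive)?$"
)

# Constructed sample ACL: a web rule, the SQL rule we want to toggle, and an explicit catch-all deny.
SAMPLE_CONFIG = """\
access-list outside_in extended permit tcp any host 192.0.2.10 eq 443
access-list outside_in extended permit tcp host 198.51.100.7 host 192.0.2.20 eq 1433
access-list outside_in extended deny ip any any
"""


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str
    proto: str
    src: str            # "any" or a single host address
    dst: str
    port: Optional[int]
    inactive: bool = False

    def to_cli(self, line: Optional[int] = None) -> str:
        """Render the ACE as the ASA command that creates it (optionally at a line number)."""
        parts = ["access-list", self.acl]
        if line is not None:
            parts += ["line", str(line)]
        parts += ["extended", self.action, self.proto, _endpoint(self.src), _endpoint(self.dst)]
        if self.port is not None:
            parts += ["eq", str(self.port)]
        if self.inactive:
            parts.append("inactive")
        return " ".join(parts)


def _endpoint(addr: str) -> str:
    return "any" if addr == "any" else f"host {addr}"


def _addr(token: str) -> str:
    return "any" if token == "any" else token[len("host "):]


def parse_acl(text: str) -> List[Ace]:
    """Parse running-config style ACE lines into Ace objects, in order."""
    aces = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = ACE_RE.match(raw)
        if m is None:
            raise ValueError(f"unsupported ACE syntax: {raw}")
        aces.append(Ace(acl=m["acl"], action=m["action"], proto=m["proto"],
                        src=_addr(m["src"]), dst=_addr(m["dst"]),
                        port=int(m["port"]) if m["port"] else None,
                        inactive=m["inactive"] is not None))
    return aces


def lookup(aces: List[Ace], proto: str, src: str, dst: str, port: int) -> str:
    """First matching active ACE decides; anything unmatched hits the implicit deny."""
    for ace in aces:
        if ace.inactive:
            continue
        if ace.proto not in ("ip", proto):
            continue
        if ace.src not in ("any", src) or ace.dst not in ("any", dst):
            continue
        if ace.port is not None and ace.port != port:
            continue
        return ace.action
    return "deny"


def set_inactive(aces: List[Ace], line: int, inactive: bool) -> Tuple[List[Ace], str]:
    """Accepted answer: re-enter the ACE with (or without) the `inactive` keyword."""
    ace = replace(aces[line - 1], inactive=inactive)
    return aces[:line - 1] + [ace] + aces[line:], ace.to_cli(line)


def insert_deny(aces: List[Ace], target_line: int, at_line: int) -> Tuple[List[Ace], str]:
    """slug420's approach: a deny copy of the target ACE inserted at `at_line` (1-based)."""
    deny = replace(aces[target_line - 1], action="deny")
    return aces[:at_line - 1] + [deny] + aces[at_line - 1:], deny.to_cli(at_line)


def remove_ace(aces: List[Ace], line: int) -> Tuple[List[Ace], str]:
    """Emit the `no access-list ... line N ...` form to take an ACE back out."""
    return aces[:line - 1] + aces[line:], "no " + aces[line - 1].to_cli(line)


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_CONFIG)
    sql = ("tcp", "198.51.100.7", "192.0.2.20", 1433)
    off, cmd = set_inactive(acl, 2, True)
    print(cmd, "->", lookup(off, *sql))
    shadowed, cmd = insert_deny(acl, 2, 2)
    print(cmd, "->", lookup(shadowed, *sql))
    wrong, cmd = insert_deny(acl, 2, 3)
    print(cmd, "->", lookup(wrong, *sql), "(deny placed after the permit does nothing)")
```

Whichever method you use, confirm the result with `show access-list` on the ASA after each change: the line numbers shown there are the ones that matter for the deny-copy approach, and an inactive ACE still appears in the output so you can see which state it is in.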
