ASA 5500 Access List removal

Answered Question
Dec 21st, 2009

I do apologise for reposting; however, I am still having a few issues.


After removing a capture from the firewall, I am now trying to remove the associated access-list.


However, the output below shows that the access-list is in fact still present on the firewall:


host# sh access-list SL-CAP
access-list SL-CAP; 0 elements
host# conf t
host(config)# clear configure access-list SL-CAP
host(config)# wr
Building configuration...
[OK]
host(config)# end
host# sh run | inc SL-CAP
#no output#
host# sh access-list SL-CAP
access-list SL-CAP; 0 elements


Although it is not really a big problem, it would be nice to resolve it and see what is causing this strange behaviour.


Regards

Dale Sanderson Mon, 12/21/2009 - 08:31

I believe that using "no" will only remove particular ACL entries as opposed to the ACL itself; forgive me if I am wrong on that.

No, in fact you are right, thanks for making me rush to the config guide, but at times there are a few commands that need a system restart to flush out of the NVRAM. Not sure about this particular command. I haven't used the clear configure command; rather, I usually copy the config to a notepad and add a no statement to the ACL (to all of them if I need to delete the complete ACL).

Dale Sanderson Mon, 12/21/2009 - 09:11

OK, thank you for the advice!


I will leave this thread open for a little while to see if further networking gurus can advise, and as a last resort I will use your method.


Thanks again!

Correct Answer
Kureli Sankar (Cisco Employee) Mon, 12/21/2009 - 09:13

If the following doesn't work:

conf t
clear config access-list SL-CAP

then add a few lines of dummy ACL entries to the access-list, like:

access-l SL-CAP permit icmp any any
access-l SL-CAP deny ip any any

Make sure

sh access-l SL-CAP | i elements

shows 2, and then try the same thing again:

clear config access-l SL-CAP

-KS
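
The procedure in the answer above (try the clear, populate an empty ACL with two dummy entries, confirm the element count reads 2, clear again) as an added example that is not part of the original thread. It parses the text an ASA prints for `show access-list NAME` and `show running-config`, decides which command sequence applies, and refuses to add a `permit icmp any any` line when the running config still binds the ACL (an `access-group`, `match access-list` or similar reference), since on a bound ACL that dummy line would briefly permit traffic. The sample outputs are constructed to match the thread; the function names and the `OUTSIDE-IN` ACL in the sample config are the author's own assumptions.

```python
"""Plan and verify removal of a lingering zero-element ASA access-list.

Added example; not code from the original thread. It turns the thread's
manual steps into a checked command plan that can be pasted into the ASA
CLI (or fed to an SSH automation library). All sample device output below
is constructed to mirror what the thread shows.
"""
import re

# Summary line printed by `show access-list NAME`, e.g.
# "access-list SL-CAP; 0 elements"
ACL_SUMMARY_RE = re.compile(r"^access-list (\S+); (\d+) elements", re.M)

# The two dummy ACEs from the answer; order matters (permit first, then deny).
DUMMY_ACES = ["permit icmp any any", "deny ip any any"]

# Constructed sample output matching the thread.
SHOW_ACL_EMPTY = "access-list SL-CAP; 0 elements\n"
SHOW_ACL_POPULATED = (
    "access-list SL-CAP; 2 elements\n"
    "access-list SL-CAP line 1 extended permit icmp any any (hitcnt=0)\n"
    "access-list SL-CAP line 2 extended deny ip any any (hitcnt=0)\n"
)
# Constructed running config: SL-CAP is absent (matches `sh run | inc SL-CAP`
# printing nothing); OUTSIDE-IN is an assumed unrelated ACL that is bound.
RUNNING_CONFIG = (
    ": Saved\n"
    "hostname host\n"
    "access-list OUTSIDE-IN extended permit tcp any host 192.0.2.10 eq 443\n"
    "access-group OUTSIDE-IN in interface outside\n"
)
# Constructed variant where SL-CAP is still applied to an interface.
RUNNING_CONFIG_BOUND = RUNNING_CONFIG + "access-group SL-CAP in interface inside\n"


def element_count(show_acl_output, name):
    """Element count from `show access-list NAME`, or None if the ACL object is gone."""
    for acl, count in ACL_SUMMARY_RE.findall(show_acl_output):
        if acl == name:
            return int(count)
    return None


def references(running_config, name):
    """Running-config lines that bind or reference the ACL by name.

    The ACL's own `access-list NAME ...` entries are excluded; anything else
    (access-group, class-map match, nat, vpn-filter, ...) is a live reference.
    """
    pat = re.compile(r"\b" + re.escape(name) + r"\b")
    return [ln.strip() for ln in running_config.splitlines()
            if pat.search(ln) and not ln.strip().startswith("access-list " + name)]


def dummy_aces_present(show_acl_output, name):
    """The check from the answer: `show access-list NAME | i elements` must show 2."""
    return element_count(show_acl_output, name) == len(DUMMY_ACES)


def removal_commands(name, show_acl_output, running_config):
    """Command sequence to remove the ACL, or [] if it no longer exists.

    Raises ValueError rather than adding a permit-any dummy line to an ACL
    that is still applied somewhere in the running config.
    """
    count = element_count(show_acl_output, name)
    if count is None:
        return []
    if count > 0:
        # Populated ACL: the plain clear works, no dummy entries needed.
        return ["configure terminal",
                f"clear configure access-list {name}",
                "end"]
    refs = references(running_config, name)
    if refs:
        raise ValueError(f"{name} is still referenced; unbind it first: {refs}")
    cmds = ["configure terminal"]
    cmds += [f"access-list {name} {ace}" for ace in DUMMY_ACES]
    cmds += [f"clear configure access-list {name}", "end"]
    return cmds


def verify_removed(show_acl_output_after, running_config_after, name):
    """True when neither the ACL object nor any reference to it remains."""
    return (element_count(show_acl_output_after, name) is None
            and not references(running_config_after, name)
            and f"access-list {name}" not in running_config_after)


if __name__ == "__main__":
    for cmd in removal_commands("SL-CAP", SHOW_ACL_EMPTY, RUNNING_CONFIG):
        print(cmd)
```

Run the script and paste the printed lines into the ASA; between the two `access-list` lines and the `clear`, `dummy_aces_present` on a fresh `show access-list SL-CAP` capture gives the "shows 2" check from the answer, and `verify_removed` on the post-clear output confirms both `show access-list` and `show run` are clean.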

Dale Sanderson Mon, 12/21/2009 - 09:21

You my friend, are a star!


That worked perfectly. I take it that an 'empty' access list cannot be removed; I will bear this in mind for the future and ensure the list is populated.


Thanks again!
