ASA 7.1 Access-list resequence

markeelen
Level 1

Hi all,

     I am having difficulty finding the commands to enable me to resequence an access-list on an ASA 5550. My access list now looks like this:

access-list Outside_access_in line 1 extended permit udp *********
access-list Outside_access_in line 1 extended permit udp *********
access-list Outside_access_in line 1 extended permit udp *********
access-list Outside_access_in line 2 extended permit tcp *********
access-list Outside_access_in line 2 extended permit tcp *********
access-list Outside_access_in line 2 extended permit tcp *********
access-list Outside_access_in line 3 extended permit ip *********
access-list Outside_access_in line 3 extended permit ip *********
access-list Outside_access_in line 3 extended permit ip *********
access-list Outside_access_in line 4 extended permit ip *********
access-list Outside_access_in line 5 extended permit udp *********
access-list Outside_access_in line 6 extended permit udp *********
access-list Outside_access_in line 7 extended permit udp *********
access-list Outside_access_in line 8 extended permit ip *********
access-list Outside_access_in line 9 extended permit ip *********
access-list Outside_access_in line 10 extended permit udp *********
access-list Outside_access_in line 11 extended permit icmp *********
access-list Outside_access_in line 12 extended deny ip any any (hitcnt=319552) 0xd80e9958

Can anyone help me with this?

Many Thanks

Mark

5 Replies

Jennifer Halim
Cisco Employee

What do you mean by resequence the ACL?

Here is what you can actually do: for example if you would like to move line 10 to line 2, you would do the following:

no access-list Outside_access_in line 10 extended permit udp *********

access-list Outside_access_in line 2 extended permit udp *********

Basically, it will remove line 10 and slot the line 10 that you just removed into line 2. Unfortunately you have to remove that line of the ACL and configure it back on the line number that you wish. There is no "move from line# blah to line# blah" feature, unfortunately.

Hope that helps.

Hi Halijenn,

     On the router platform you can issue the command ip access-list resequence access-list Outside_access_in and the access-list is resequenced to lines 10, 20, 30, etc., without manually moving all of the statements. I was hoping there would be a similar command on the ASA platform to save any "finger trouble".

Many Thanks

Cheers

Mark

Unfortunately there is no resequence feature on ASA.

Hi Halijenn,

     Many Thanks, I will manually do this. Thanks for your assistance.

Kind Regards

Mark

stevensonchris
Level 1

Just type the command you want; it will overwrite it and shunt the rest down the sequence.

So the ACL reads:
access-list OUT line 1 extended permit tcp any any
access-list OUT line 2 extended permit icmp any any
access-list OUT line 3 extended permit udp any any

Write the line:

conf t

access-list OUT line 1 extended deny ip any any

It will insert and put the rest down.

access-list OUT line 1 extended deny ip any any (hitcnt=0) 0x05e95084
access-list OUT line 2 extended permit tcp any any (hitcnt=435134) 0xa4336395
access-list OUT line 3 extended permit icmp any any (hitcnt=985912) 0x754589b8
access-list OUT line 4 extended permit udp any any (hitcnt=196421) 0x4e49d000
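As an added helper (not from the thread or from Cisco), the Python script below applies the two rules described in this thread, that a "no access-list NAME line N ..." removal shifts the following entries up and an "access-list NAME line N ..." insert shifts them down, to parsed show access-list output and prints the exact commands plus the resulting numbering, so a move like Jennifer's "line 10 to line 2" can be checked before anything is typed. The ACL text and the name OUT are constructed sample values.

```python
import re
# Constructed sample of 'show access-list' output (hit counts/hashes as the thread shows them).
SAMPLE_SHOW_ACL = """\
access-list OUT line 1 extended permit tcp any any (hitcnt=435134) 0xa4336395
access-list OUT line 2 extended permit icmp any any (hitcnt=985912) 0x754589b8
access-list OUT line 3 extended permit udp any any (hitcnt=196421) 0x4e49d000
"""

LINE_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) (?P<ace>extended .*?)"
    r"(?: \(hitcnt=\d+\))?(?: 0x[0-9a-fA-F]+)?$"
)

def parse_show_access_list(text):
    """Return (acl_name, [ace, ...]) in line order, hit counts and hashes dropped."""
    name, by_line = None, {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        name = name or m.group("name")
        # Object-group ACEs are shown expanded with the same line number; keep one entry per line.
        by_line.setdefault(int(m.group("line")), m.group("ace"))
    return name, [by_line[n] for n in sorted(by_line)]

def insert_ace(name, aces, line, ace):
    """Insert at 1-based 'line' (existing entries from that line on shift down) and emit the CLI."""
    new = list(aces)
    new.insert(line - 1, ace)
    return new, [f"access-list {name} line {line} {ace}"]

def move_ace(name, aces, src_line, dst_line):
    """Remove the entry at src_line and re-add it so it ends up at dst_line (final numbering)."""
    ace = aces[src_line - 1]
    remaining = aces[:src_line - 1] + aces[src_line:]   # lines below src_line shift up by one
    new, add_cmd = insert_ace(name, remaining, dst_line, ace)
    # Note: between the 'no' command and the re-add, this ACE is not in effect.
    return new, [f"no access-list {name} line {src_line} {ace}"] + add_cmd

def render(name, aces):
    """Show the ACL as it will be numbered after the change."""
    return [f"access-list {name} line {i} {ace}" for i, ace in enumerate(aces, 1)]

if __name__ == "__main__":
    name, aces = parse_show_access_list(SAMPLE_SHOW_ACL)
    aces, cmds = insert_ace(name, aces, 1, "extended deny ip any any")   # stevensonchris's example
    aces, more = move_ace(name, aces, 4, 2)                               # then "move line 4 to line 2"
    print("\n".join(cmds + more))
    print("\n".join(render(name, aces)))
```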
