New Member

ACL naming? Delete and start over or just rename?

I'm wanting to add a better description to some ACLs in my ASA firewall, instead of inside, outside, dmz, etc. Is there a way to add a description to an ACL, or is that accomplished by "inside", etc.?

Thanks, Tony

ACCEPTED SOLUTION
Green

Re: ACL naming? Delete and start over or just rename?

You can add remarks in your ACL. Is that what you want?

access-list outside remark Permit mail traffic

access-list outside extended permit tcp any host mailserver eq 25

4 REPLIES

New Member

Re: ACL naming? Delete and start over or just rename?

That's exactly what I wanted, thanks!

Now another question: can someone explain the differences to me in ACLs that are "extended" or not? Also, is there a reason to name an ACL with a number (80) or a name (outside)?

I'm trying to clean up a network that has a lot of old config on it that nobody has kept up with, and want to make sure I'm not deleting something that's in use. Is there a way to tell if an ACL is actually being used?

Thanks again, Tony

New Member

Re: ACL naming? Delete and start over or just rename?

Extended ACLs are easier to manipulate. When working on a router, if you have an extended ACL, then you can remove access-list entries (ACEs) from the middle of the list - something you cannot do with the standard ACLs. Further, you can remove ACEs from the middle and add ACEs in the middle. You can even resequence the whole ACL so that the line numbers are consistent.

The use of named extended ACLs is basically to have a better description on what the ACL is for.

To know if an ACL is being used, some of the things you can do are:

1. Execute the command "show running-config | inc access-group". This will show you if there are any access-group statements in your configuration. If there are, then it means your ACL has been applied somewhere. You will then need to check the configuration and see where it is applied.

2. Check the line vty configurations and see if you are using ACLs there to define which IPs can remote into your router.

3. Check your SNMP setting and see if you have an ACL restricting which IPs can SNMP to the router.

4. Check route-maps and see if you are using an ACL there (if you have route-maps, then you must have an ACL associated there defining the criteria for that route-map).

5. And last but not least, you can do a "show access-list" and see if any of the hitcounts alongside the ACEs are incrementing. This is not a decisive test, but if an ACL is being actively used while you are checking, then you should be able to see the hitcount increment.

(My 2 bits.)

Green

Re: ACL naming? Delete and start over or just rename?

If the ACL were being used, you would see some other reference to it in the config.

Examples...

access-group in interface outside

nat (inside) 0 access-list

Post the config if you want help.
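The two replies above describe the same cleanup procedure by hand: list the ACLs defined in the running-config, grep for every place a name can be referenced (access-group, nat 0 access-list, access-class on the vty lines, snmp-server community, route-map match ip address), and then fall back to hitcounts from "show access-list". The script below is an added example, not code from this thread or from Cisco; it automates that cross-reference over a constructed running-config (a mix of ASA 8.2-style nat syntax and IOS line forms, not Tony's real config) and totals the hitcnt values from a constructed "show access-list" excerpt. The reference patterns are the ones named in the thread plus class-map "match access-list" and crypto map "match address"; any other way of referencing an ACL on a given platform would need its own pattern.

```python
import re
from collections import defaultdict

# Constructed sample running-config for this example (not from the original thread).
SAMPLE_CONFIG = """\
hostname fw-edge
name 192.0.2.25 mailserver
access-list outside remark Permit mail traffic
access-list outside extended permit tcp any host mailserver eq 25
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.10.0.0 255.255.0.0
access-list OLD_DMZ extended permit ip any any
access-list 80 standard permit 10.1.1.0 255.255.255.0
access-list ADMIN extended permit tcp host 10.1.1.5 any eq ssh
access-group outside in interface outside
nat (inside) 0 access-list nonat
snmp-server community public RO 80
line vty 0 4
 access-class ADMIN in
interface GigabitEthernet0/1
 ip access-group DMZ_IN in
"""

# Constructed excerpt of "show access-list" output (hitcnt format as printed by an ASA).
SAMPLE_SHOW_ACCESS_LIST = """\
access-list outside; 1 elements; name hash: 0x1a2b3c4d
access-list outside line 1 remark Permit mail traffic
access-list outside line 2 extended permit tcp any host 192.0.2.25 eq smtp (hitcnt=1532) 0xdeadbeef
access-list OLD_DMZ; 1 elements; name hash: 0x0badf00d
access-list OLD_DMZ line 1 extended permit ip any any (hitcnt=0) 0xcafebabe
"""

# Where an ACL gets defined: ASA / IOS numbered ("access-list NAME ...") or IOS named.
ACL_DEF = re.compile(r"^(?:access-list (\S+)|ip access-list (?:standard|extended) (\S+))")

# Where an ACL can be referenced. Each pattern captures the ACL name in group 1.
REF_PATTERNS = [
    ("access-group", re.compile(r"^\s*(?:ip )?access-group (\S+) (?:in|out)")),
    ("nat exemption", re.compile(r"^nat \(\S+\) 0 access-list (\S+)")),
    ("vty access-class", re.compile(r"^\s*access-class (\S+) (?:in|out)")),
    ("snmp community", re.compile(r"^snmp-server community \S+ (?:RO|RW) (\S+)")),
    ("route-map match", re.compile(r"^\s*match ip address (\S+)")),
    ("class-map match", re.compile(r"^\s*match access-list (\S+)")),
    ("crypto map", re.compile(r"^crypto map \S+ \d+ match address (\S+)")),
]

HITCNT = re.compile(r"^access-list (\S+) line \d+ .*\(hitcnt=(\d+)\)")


def acl_names(config):
    """ACL names in definition order, each listed once."""
    names = []
    for line in config.splitlines():
        m = ACL_DEF.match(line)
        if m:
            name = m.group(1) or m.group(2)
            if name not in names:
                names.append(name)
    return names


def acl_references(config):
    """Map ACL name -> list of (kind, line number, line) where it is referenced."""
    refs = defaultdict(list)
    for lineno, line in enumerate(config.splitlines(), 1):
        for kind, pat in REF_PATTERNS:
            m = pat.match(line)
            if m:
                refs[m.group(1)].append((kind, lineno, line.strip()))
    return refs


def audit(config):
    """Return (used, unused, dangling).

    used:     {name: references} for ACLs that are defined and referenced
    unused:   defined ACLs with no reference (candidates for removal)
    dangling: names referenced in the config but never defined; on IOS an
              ip access-group pointing at a missing ACL permits all traffic
    """
    names = acl_names(config)
    refs = acl_references(config)
    used = {n: refs[n] for n in names if refs[n]}
    unused = [n for n in names if not refs[n]]
    dangling = sorted(set(refs) - set(names))
    return used, unused, dangling


def hitcounts(show_output):
    """Total hitcnt per ACL from pasted 'show access-list' output (step 5 of the thread)."""
    totals = defaultdict(int)
    for line in show_output.splitlines():
        m = HITCNT.match(line)
        if m:
            totals[m.group(1)] += int(m.group(2))
    return dict(totals)


if __name__ == "__main__":
    used, unused, dangling = audit(SAMPLE_CONFIG)
    for name, refs in used.items():
        print(f"{name}: used by " + ", ".join(f"{k} (line {n})" for k, n, _ in refs))
    print("unreferenced:", unused)
    print("referenced but undefined:", dangling)
    print("hitcounts:", hitcounts(SAMPLE_SHOW_ACCESS_LIST))
```

Treat the output as evidence, not proof: an unreferenced ACL with zero hits is a strong removal candidate, but a config-only scan cannot see references a feature stores outside the running-config, and a zero hitcount only says nothing matched while you were looking. The "dangling" list is the more urgent finding for a neglected router, because on IOS an interface whose ACL no longer exists is wide open.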
