
New Member

ASA ACLs

I would like to add an extended ACL line (in order to use objects) to an existing named standard ACL. I think this should be possible?

access-list <name1> standard permit <  >

access-list <name1> extended permit < > < >

access-list <name1> standard deny any

Would I also need to add an extended deny ip any any for it to process the extended lines at the end? I assume the standard can, but won't look at destination?

Thanks in advance,

Pete


Accepted Solutions
New Member

ASA ACLs

Hi Xayavonqp

I am not very good at ACLs, but my work needs it. Jennifer is right... you cannot have standard and extended together in the same ACL set.

If you want to add some entries to a current ACL... what I would usually do is:

1.) Do a "show access-list (acl name or number)" and copy the output into Notepad or so.

2.) In the ACL list, you will see line numbers for each entry... This may be important if you want a particular ACL entry to be reached first... as you know, the Cisco device reads and analyzes each entry one by one, in order. Remember, there is always an implicit deny any any at the end of any ACL.

3.) Create an entry with the line number (e.g. access-list name line 50 extended permit tcp any host.....)

4.) The entry you add would not overwrite the same line number (for example, in this case 50); instead, the current entries would be pushed down one (like adding a row in an Excel table: in this case, the original entry with line number 50 will now become 51, and the new one you add will be line 50).

Personally... to review access lists on a FW, I like to use the GUI... as it is easier to review and modify if you have hundreds and hundreds of lines there.

I hope you understand what I tried to say. Good luck!

Takami chiro
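The line-number behaviour described in steps 2 to 4 above (and the no-mixing rule) can be checked offline before touching a firewall. The Python model below is an added example, not code from this thread or from Cisco: it assumes ASA-style semantics as the answer states them (ACEs occupy sequential line positions, "line N" inserts before the current entry N which then becomes N+1, one ACL is either all standard or all extended, and an implicit deny follows the last entry). The ACL name "MCAST" and all addresses are constructed sample data; only the `any` / `host A` / `A MASK` address forms are parsed, ports and object-groups are not modelled, and treating the single address of a standard ACE as a destination is an assumption of the model.

```python
"""Toy model of ASA ACL line numbering and first-match evaluation (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec at tokens[i]; return (CIDR, index of next token)."""
    if tokens[i] == "any":
        return "0.0.0.0/0", i + 1
    if tokens[i] == "host":
        return str(ipaddress.ip_network(tokens[i + 1] + "/32")), i + 2
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return str(net), i + 2


def _show_addr(cidr: str) -> str:
    """Render a CIDR back in ASA command syntax."""
    if cidr == "0.0.0.0/0":
        return "any"
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


@dataclass
class Ace:
    kind: str    # "standard" or "extended"
    action: str  # "permit" or "deny"
    proto: str   # "ip" for standard ACEs (they carry no protocol field)
    src: str     # CIDR; standard ACEs have no source field, modelled as 0.0.0.0/0
    dst: str     # CIDR; a standard ACE's single address is treated as destination (assumption)

    def text(self) -> str:
        if self.kind == "standard":
            return f"standard {self.action} {_show_addr(self.dst)}"
        return f"extended {self.action} {self.proto} {_show_addr(self.src)} {_show_addr(self.dst)}"


class Acl:
    def __init__(self, name: str) -> None:
        self.name = name
        self.kind: Optional[str] = None  # fixed by the first ACE added
        self.entries: List[Ace] = []

    def add(self, command: str) -> None:
        """Apply one 'access-list NAME [line N] standard|extended ...' command."""
        t = command.split()
        if t[:2] != ["access-list", self.name]:
            raise ValueError(f"not a command for ACL {self.name}: {command}")
        i, position = 2, None
        if t[i] == "line":
            position, i = int(t[i + 1]), i + 2
        kind, action, i = t[i], t[i + 1], i + 2
        if kind not in ("standard", "extended") or action not in ("permit", "deny"):
            raise ValueError(f"bad ACE syntax: {command}")
        if self.kind is not None and kind != self.kind:
            # The rule the thread states: no standard/extended mixing in one ACL.
            raise ValueError(f"ACL {self.name} is {self.kind}; cannot add a {kind} entry")
        if kind == "standard":
            dst, i = _parse_addr(t, i)
            ace = Ace(kind, action, "ip", "0.0.0.0/0", dst)
        else:
            proto, i = t[i], i + 1
            src, i = _parse_addr(t, i)
            dst, i = _parse_addr(t, i)
            ace = Ace(kind, action, proto, src, dst)
        if i != len(t):
            raise ValueError(f"unsupported trailing tokens: {' '.join(t[i:])}")
        self.kind = kind
        if position is None or position > len(self.entries):
            self.entries.append(ace)  # no line given (or past the end): append
        elif position < 1:
            raise ValueError("line numbers start at 1")
        else:
            self.entries.insert(position - 1, ace)  # old line N and later shift down by one

    def show(self) -> List[str]:
        """Numbered listing in the spirit of 'show access-list NAME'."""
        return [f"access-list {self.name} line {n} {a.text()}"
                for n, a in enumerate(self.entries, 1)]

    def evaluate(self, proto: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
        """First-match lookup; returns (action, line), line=None for the implicit deny."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for n, ace in enumerate(self.entries, 1):
            if ace.proto not in ("ip", proto):
                continue
            if s in ipaddress.ip_network(ace.src) and d in ipaddress.ip_network(ace.dst):
                return ace.action, n
        return "deny", None


def demo() -> Tuple[Acl, bool]:
    """Build a standard ACL, insert at line 2, then try to add an extended ACE."""
    acl = Acl("MCAST")  # constructed sample, not from the thread
    acl.add("access-list MCAST standard permit host 239.1.1.1")
    acl.add("access-list MCAST standard permit 239.2.0.0 255.255.0.0")
    acl.add("access-list MCAST standard deny any")
    acl.add("access-list MCAST line 2 standard permit host 239.9.9.9")  # old line 2 -> 3
    try:
        acl.add("access-list MCAST extended permit ip any host 239.3.3.3")
        mixed_rejected = False
    except ValueError:
        mixed_rejected = True
    return acl, mixed_rejected


if __name__ == "__main__":
    acl, rejected = demo()
    print("\n".join(acl.show()))
    print("extended ACE rejected:", rejected)
    print("10.0.0.1 -> 239.9.9.9:", acl.evaluate("ip", "10.0.0.1", "239.9.9.9"))
```

Running it prints the renumbered listing (the new entry at line 2, the former line 2 now at line 3, the explicit deny at line 4), confirms the extended ACE is refused, and shows which line the first match came from; an empty ACL returns the implicit deny with no line number.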

5 REPLIES
Super Bronze

ASA ACLs

You can't have the same ACL with both standard and extended line in it.

Where do you assign the access-list?

To answer your question, you don't need to configure "deny any" or "deny ip any any", because at the end of the access-list there is an implicit deny.

New Member

ASA ACLs

Can you point me to a document or reference? This ACL is a multicast boundary ACL.

The existing ACL is standard. So if this is true, I would need to make that all extended, since I can't mix standard and extended ACLs. It would be easier (with objects) to have 4 lines versus 30 lines in the ACL.

Super Bronze

ASA ACLs

What device are you configuring the ACL on, and what is the version of the device?

New Member

ASA ACLs

Sorry for the late replies but I just went ahead and converted it all to extended ACLs.
