ASDM access-lists out of sync with CLI

tonymurphy30
Level 1

5510 running 7.2(2) and 5.2(2)

Problem:-

When highlighting an access rule in ASDM, right-clicking and selecting delete, I get the following message when applying the change:

"[ERROR] no access-list inside_access_in line 120 extended permit tcp host 10.113.86.10 0.0.0.0 0.0.0.0 eq irc
    Specified access-list does not exist at that line"

A look via the cli shows :-

-------------truncated output-----------------

access-list inside_access_in line 118 extended permit ip host 192.168.148.92 host 10.113.242.7 log debugging interval 300 (hitcnt=8264) 0x8e48c54e
access-list inside_access_in line 119 extended permit tcp 10.113.0.0 255.255.0.0 host 10.160.5.14 object-group HTTP_HTTPS log informational interval 300 0x114d77f3
access-list inside_access_in line 119 extended permit tcp 10.113.0.0 255.255.0.0 host 10.160.5.14 eq www log informational interval 300 (hitcnt=95) 0x41625367
access-list inside_access_in line 119 extended permit tcp 10.113.0.0 255.255.0.0 host 10.160.5.14 eq https log informational interval 300 (hitcnt=0) 0x5e37522f
access-list inside_access_in line 120 extended permit tcp host 10.113.86.10 any object-group HTTP_HTTPS log informational interval 300 0xf532a28
access-list inside_access_in line 120 extended permit tcp host 10.113.86.10 any eq www log informational interval 300 (hitcnt=3) 0x546271c3
access-list inside_access_in line 120 extended permit tcp host 10.113.86.10 any eq https log informational interval 300 (hitcnt=0) 0xf57e906c
access-list inside_access_in line 121 extended permit tcp host 10.113.86.10 any eq irc log disable inactive (hitcnt=0) (inactive) 0x5550f0f

-------------truncated output-----------------

The rule is clearly shown as LINE 121, not 120 as the ASDM thinks.

I have tried deleting inactive rules further up the list (no 78) but get the same error, showing a mismatch by 1 in the line number.

However I do not wish to try many others in case the access lists become corrupt.

I've looked through the CLI output of the access list and cannot see anything out of the ordinary.

Any ideas would be appreciated.

Tony

3 Replies

Panos Kampanakis
Cisco Employee

Try upgrading ASDM (does not require ASA reboot). There were some similar issues with hashes of lines and ASDM not matching those.

I hope it helps.

PK

I've located the error :-

access-list inside_access_in line 64 remark 'Allow access to HBOS'
access-list inside_access_in line 65 extended permit object-group TCPUDP host 10.113.92.16 any object-group HBOS-PORTS 0xe1daad9c
access-list inside_access_in line 65 extended permit udp host 10.113.92.16 any eq 990 (hitcnt=0) 0x8c6f3022
access-list inside_access_in line 65 extended permit udp host 10.113.92.16 any eq 8209 (hitcnt=0) 0x29b7df85
access-list inside_access_in line 65 extended permit udp host 10.113.92.16 any range 8220 8258 (hitcnt=0) 0xab0c55d1
access-list inside_access_in line 65 extended permit tcp host 10.113.92.16 any eq 990 (hitcnt=0) 0x97349965
access-list inside_access_in line 65 extended permit tcp host 10.113.92.16 any eq 8209 (hitcnt=0) 0x92c79a8a
access-list inside_access_in line 65 extended permit tcp host 10.113.92.16 any range 8220 8258 (hitcnt=0) 0x2353949c
access-list inside_access_in line 66 extended permit object-group TCPUDP host 10.113.92.19 any log debugging interval 300 0x27923701
access-list inside_access_in line 66 extended permit udp host 10.113.92.19 any log debugging interval 300 (hitcnt=73) 0xdb73d075
access-list inside_access_in line 66 extended permit tcp host 10.113.92.19 any log debugging interval 300 (hitcnt=1666) 0xf3e41dc

When this is viewed in ASDM it does not show the rule associated with line 65; only the entry associated with line 66 is shown.

I assume this is because the line 66 covers all the line 65 entries.

Hopefully if I delete the line 65 entries it will all come back into line.

Tony

Hello,

You are totally right. You need to be aware that when you make changes, the line numbers are going to change, so it is better to do what you did: go into the CLI and really check whether the line that you are trying to delete is there or not. A refresh of ASDM, or closing it and opening it again, should give you the correct information.

Hope it helps.

Mike
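The check Mike recommends, done programmatically, as an added example that is not part of this thread and not a Cisco tool: parse `show access-list` output, group the object-group expansions under their configured rule (one line number per rule, several expanded entries), and confirm that the ACE in the `no access-list ... line N ...` command ASDM is about to send really sits at line N before applying it. The sample output is constructed from the excerpt Tony posted above; the `0.0.0.0 0.0.0.0` to `any` rewrite mirrors how ASDM spelled the destination in the error message, and the list of trailing options that are ignored when comparing (`log ...`, `inactive`) is an assumption about what ASDM omits from the delete command.

```python
"""Check an ASDM-generated 'no access-list <acl> line N <ace>' command against
live 'show access-list' output before applying it (added example, not a Cisco tool)."""
import re
from dataclasses import dataclass, field

# Constructed sample, copied from the thread's excerpt for lines 118-121.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list inside_access_in line 118 extended permit ip host 192.168.148.92 host 10.113.242.7 log debugging interval 300 (hitcnt=8264) 0x8e48c54e
access-list inside_access_in line 119 extended permit tcp 10.113.0.0 255.255.0.0 host 10.160.5.14 object-group HTTP_HTTPS log informational interval 300 0x114d77f3
access-list inside_access_in line 119 extended permit tcp 10.113.0.0 255.255.0.0 host 10.160.5.14 eq www log informational interval 300 (hitcnt=95) 0x41625367
access-list inside_access_in line 119 extended permit tcp 10.113.0.0 255.255.0.0 host 10.160.5.14 eq https log informational interval 300 (hitcnt=0) 0x5e37522f
access-list inside_access_in line 120 extended permit tcp host 10.113.86.10 any object-group HTTP_HTTPS log informational interval 300 0xf532a28
access-list inside_access_in line 120 extended permit tcp host 10.113.86.10 any eq www log informational interval 300 (hitcnt=3) 0x546271c3
access-list inside_access_in line 120 extended permit tcp host 10.113.86.10 any eq https log informational interval 300 (hitcnt=0) 0xf57e906c
access-list inside_access_in line 121 extended permit tcp host 10.113.86.10 any eq irc log disable inactive (hitcnt=0) (inactive) 0x5550f0f
"""

ENTRY_RE = re.compile(r"^access-list (\S+) line (\d+) (.*)$")
# Runtime decorations that never appear in the configured rule: hit counts, the
# (inactive) marker and the trailing per-entry hash.
NOISE_RE = re.compile(r"\(hitcnt=\d+\)|\(inactive\)|0x[0-9a-f]+$")
# Trailing keywords ASDM leaves out of its delete command (assumption).
TRAILING_OPTIONS = ("log", "inactive")


@dataclass
class Rule:
    acl: str
    line: int
    # entries[0] is the rule as configured; any further entries are the
    # object-group expansions the ASA prints under the same line number.
    entries: list = field(default_factory=list)


def normalize(ace: str) -> tuple:
    """Reduce an ACE to the tokens that ASDM and the CLI must agree on."""
    ace = NOISE_RE.sub("", ace)
    ace = ace.replace("0.0.0.0 0.0.0.0", "any")  # ASDM spells 'any' as a zero mask
    tokens = ace.split()
    cuts = [tokens.index(kw) for kw in TRAILING_OPTIONS if kw in tokens]
    if cuts:
        tokens = tokens[:min(cuts)]
    return tuple(tokens)


def parse_show_access_list(text: str) -> dict:
    """Group 'show access-list' output into configured rules keyed by (acl, line)."""
    rules = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # banners, blank lines, 'access-list cached ...' summaries
        acl, line, body = m.group(1), int(m.group(2)), m.group(3)
        rules.setdefault((acl, line), Rule(acl, line)).entries.append(body)
    return rules


def locate_rule(text: str, acl: str, ace: str) -> list:
    """Line numbers at which 'ace' (spelled as ASDM would) actually appears."""
    wanted = normalize(ace)
    return sorted(rule.line
                  for (name, _), rule in parse_show_access_list(text).items()
                  if name == acl and any(normalize(e) == wanted for e in rule.entries))


def check_no_command(text: str, no_command: str) -> dict:
    """Compare the line number ASDM claims with where the CLI really has the rule."""
    m = re.match(r"no access-list (\S+) line (\d+) (.*)$", no_command.strip())
    if not m:
        raise ValueError("expected 'no access-list <acl> line <n> <ace>'")
    acl, claimed, ace = m.group(1), int(m.group(2)), m.group(3)
    actual = locate_rule(text, acl, ace)
    return {"claimed_line": claimed, "actual_lines": actual, "safe": actual == [claimed]}


if __name__ == "__main__":
    # The command behind the error in the original post: ASDM says line 120,
    # the CLI has the IRC rule at line 121.
    print(check_no_command(SAMPLE_SHOW_ACCESS_LIST,
                           "no access-list inside_access_in line 120 extended permit "
                           "tcp host 10.113.86.10 0.0.0.0 0.0.0.0 eq irc"))
```

Run it against a fresh `show access-list` capture each time: as Mike notes, line numbers move as soon as anything is added or removed, so a result is only valid for the output it was computed from. A `safe` of `False` with a non-empty `actual_lines` is the off-by-one case in this thread; an empty `actual_lines` means the rule is not in the ACL at all under that spelling and the delete should not be sent.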
