Cisco Support Community
New Member

Best way to apply a new ACL to an interface that has an ACL already applied

Hello All:

I am in the process of cleaning up an ASA 5510 that I have inherited and have a question about applying a new ACL to an interface that is working correctly now with another ACL. The main purpose is I want to change the name of the ACL and clean it up a bit. Also, would making this change cause an outage of more than a few minutes?

For example let's say I have the access group below:

access-group dmzif2 in interface dmz

With an ACL:

access-list dmzif2 extended permit tcp host 10.73.95.200 host 10.73.77.41 eq smtp
access-list dmzif2 extended permit tcp object obj-10.73.95.0 host 10.73.77.42 eq domain

I want the new one to be:

access-group DMZIF_IN in interface dmz

with ACL:

access-list DMZIF_IN extended permit tcp host 10.73.95.200 host 10.73.77.41 eq smtp
access-list DMZIF_IN extended permit tcp object obj-10.73.95.0 host 10.73.77.42 eq domain

Can I just add the new ACL's entries and issue this statement?

access-group DMZIF_IN in interface dmz

Any help is greatly appreciated!

Dustin

6 REPLIES
New Member

Create the new ACL, then remove the old ACL group statement from the interface and apply the new one, save it and you are in business fast.

New Member

Thank you for the reply, so once the new ACL is created and added, would these be the correct commands? (Sorry, this is in production and I don't want to screw it up.)

So add these lines:

access-list DMZIF_IN extended permit tcp host 10.73.95.200 host 10.73.77.41 eq smtp
access-list DMZIF_IN extended permit tcp object obj-10.73.95.0 host 10.73.77.42 eq domain

Then run:

no access-group dmzif2 in interface dmz

and then run:

access-group DMZIF_IN in interface dmz

and all should be good to go? Also, after that how do I remove the old ACLs? With "no" in front of each line, or is there a command to clear all in bulk?

thanks again for the help!

Silver

FYI, rate the assistance.

Value our effort and rate the assistance!
Silver

You can clear them with "clear configure access-list <acl_name>"

Please rate the assistance and mark the ticket as solved or answered.

Silver

Man, you are just changing the name, I don't see any improvement, but then again:

I did this in the lab, it will replace the access-group:

CHECK-THE-CHECKOUT(config)# access-list 100 permit icmp any any
CHECK-THE-CHECKOUT(config)# access-group 100 in interface outside
CHECK-THE-CHECKOUT(config)#
CHECK-THE-CHECKOUT(config)#
CHECK-THE-CHECKOUT(config)# access-list 199 permit icmp any any
CHECK-THE-CHECKOUT(config)# access-group 199 in interface outside
CHECK-THE-CHECKOUT(config)# show run access-g
access-group 199 in interface outside

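The ordering the replies converge on (add the new entries first, rebind the interface with a single access-group command, which the lab output shows replaces the old binding rather than leaving a gap, and only then clear the old list) as a small Python planner. This is an added example, not code from the thread or from Cisco; the running-config excerpt it parses is constructed to mirror the question's ACL, and the refusal to clear a list that is still referenced elsewhere (e.g. a class-map match) is an extra check not discussed in the thread.

```python
import re

# Constructed running-config excerpt modelled on the question (not a real device).
SAMPLE_CONFIG = """\
access-list dmzif2 extended permit tcp host 10.73.95.200 host 10.73.77.41 eq smtp
access-list dmzif2 extended permit tcp object obj-10.73.95.0 host 10.73.77.42 eq domain
access-list dmzif2 remark old rule, no longer needed
access-list insideif extended permit ip any any
access-group dmzif2 in interface dmz
access-group insideif in interface inside
"""

def plan_acl_rename(config, old_name, new_name, drop_remarks=True):
    """Return the ASA commands that move old_name to new_name without leaving
    the interface unfiltered: new access-list entries, one access-group command
    per existing binding (which replaces the old binding in place), then a
    single 'clear configure access-list' for the old name."""
    acl_re = re.compile(r"^access-list (\S+) (.*)$")
    grp_re = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
    entries, bindings, other_refs = [], [], []
    for line in config.splitlines():
        m = acl_re.match(line)
        if m and m.group(1) == old_name:
            if drop_remarks and m.group(2).startswith("remark"):
                continue  # housekeeping remarks are not carried over
            entries.append(m.group(2))
            continue
        m = grp_re.match(line)
        if m and m.group(1) == old_name:
            bindings.append((m.group(2), m.group(3)))
            continue
        # Any other line naming the old ACL (class-map match, NAT, VPN filter)
        # would break if we cleared it, so stop instead of emitting commands.
        if re.search(rf"\b{re.escape(old_name)}\b", line):
            other_refs.append(line)
    if not entries:
        raise ValueError(f"no access-list entries named {old_name}")
    if other_refs:
        raise ValueError(f"{old_name} still referenced elsewhere: {other_refs}")
    cmds = [f"access-list {new_name} {body}" for body in entries]
    for direction, iface in bindings:
        cmds.append(f"access-group {new_name} {direction} interface {iface}")
    cmds.append(f"clear configure access-list {old_name}")
    return cmds

if __name__ == "__main__":
    print("\n".join(plan_acl_rename(SAMPLE_CONFIG, "dmzif2", "DMZIF_IN")))
```

Paste the output into configuration mode in the printed order; the old `no access-group` step from the follow-up question is not needed because the new binding overwrites it.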
New Member

I am also making adds/deletes as well as changing the names. There are a ton of ACLs that are no longer used, so I figured I would just start fresh. Thanks for the help!
