05-01-2014 09:16 AM - edited 03-11-2019 09:08 PM
Hello All:
I am in the process of cleaning up an ASA 5510 that I have inherited and have a question about applying a new ACL to an interface that is working correctly now with another ACL. The main purpose is I want to change the name of the ACL and clean it up a bit. Also, would making this change cause an outage of more than a few minutes?
For example let's say I have the access group below:
access-group dmzif2 in interface dmz
With an ACL:
access-list dmzif2 extended permit tcp host 10.73.95.200 host 10.73.77.41 eq smtp
access-list dmzif2 extended permit tcp object obj-10.73.95.0 host 10.73.77.42 eq domain
I want the new one to be:
access-group DMZIF_IN in interface dmz
with ACL:
access-list DMZIF_IN extended permit tcp host 10.73.95.200 host 10.73.77.41 eq smtp
access-list DMZIF_IN extended permit tcp object obj-10.73.95.0 host 10.73.77.42 eq domain
Can I just add the new ACL's entries and issue this statement?
access-group DMZIF_IN in interface dmz
Any help is greatly appreciated!
Dustin
05-01-2014 09:48 AM
Create the new ACL, then remove the old acl group statement from the interface and apply the new one, save it and you are in business fast.
05-01-2014 09:56 AM
Thank you for the reply. So once the new ACL is created and added, would these be the correct commands? (Sorry, this is in production and I don't want to screw it up.)
So add these lines:
access-list DMZIF_IN extended permit tcp host 10.73.95.200 host 10.73.77.41 eq smtp
access-list DMZIF_IN extended permit tcp object obj-10.73.95.0 host 10.73.77.42 eq domain
Then run:
no access-group dmzif2 in interface dmz
and then run:
access-group DMZIF_IN in interface dmz
and all should be good to go? Also, after that, how do I remove the old ACLs? With "no" in front of each line, or is there a command to clear all in bulk?
thanks again for the help!
05-01-2014 10:14 AM
FYI, rate the assistance
05-19-2014 11:39 AM
You can clear them with "clear configure access-list <acl_name>"
Please rate the assistance and mark the ticket as solved or answered.
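The rename procedure worked out in this thread (copy the ACEs under the new name, swap the access-group, then bulk-clear the old ACL), as an added example that is not from the thread: a small Python script that reads an ASA-style config excerpt and emits the commands in the safe order, so the interface is never bound to an ACL that does not exist yet. The config text is a constructed sample using the addresses from this thread; the script only tracks access-group bindings, so any other reference to the old ACL (NAT, VPN, class-map) is outside what it parses and has to be checked by hand.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a running-config excerpt (not a real device's config).
SAMPLE_CONFIG = """\
access-list dmzif2 extended permit tcp host 10.73.95.200 host 10.73.77.41 eq smtp
access-list dmzif2 extended permit tcp object obj-10.73.95.0 host 10.73.77.42 eq domain
access-list outside_in extended permit icmp any any
access-group dmzif2 in interface dmz
access-group outside_in in interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")


def parse_config(text: str) -> Tuple[Dict[str, List[str]], List[Tuple[str, str, str]]]:
    """Collect ACEs per ACL name (in config order) and access-group bindings."""
    acls: Dict[str, List[str]] = {}
    groups: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := GROUP_RE.match(line):
            groups.append((m.group(1), m.group(2), m.group(3)))
    return acls, groups


def rename_plan(text: str, old: str, new: str, drop: Tuple[str, ...] = ()) -> List[str]:
    """Emit the CLI lines that move ACL `old` to `new`; `drop` lists ACEs to leave out."""
    acls, groups = parse_config(text)
    if old not in acls:
        raise ValueError(f"ACL {old!r} not found in config")
    if new in acls:
        raise ValueError(f"ACL {new!r} already exists; refusing to append to it")
    kept = [ace for ace in acls[old] if ace not in set(drop)]
    if not kept:
        raise ValueError("no ACEs left; binding an empty ACL would fail")
    # 1. Re-create the ACEs under the new name, preserving order (first match wins).
    cmds = [f"access-list {new} {ace}" for ace in kept]
    # 2. Swap every binding of the old name; the "no" line is the thread's explicit form.
    for name, direction, iface in groups:
        if name == old:
            cmds.append(f"no access-group {old} {direction} interface {iface}")
            cmds.append(f"access-group {new} {direction} interface {iface}")
    # 3. Remove the old ACL in one command instead of one "no" per line.
    cmds.append(f"clear configure access-list {old}")
    return cmds


if __name__ == "__main__":
    print("\n".join(rename_plan(SAMPLE_CONFIG, "dmzif2", "DMZIF_IN")))
```

Paste the output into configure mode and follow it with write memory; review the plan first, because step 3 is irreversible once the old ACL is gone.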
05-01-2014 10:13 AM
Man, you are just changing the name, I don't see any improvement, but then again:
I did this on the lab, it will replace the access-group:
CHECK-THE-CHECKOUT(config)# access-list 100 permit icmp any any
CHECK-THE-CHECKOUT(config)# access-group 100 in interface outside
CHECK-THE-CHECKOUT(config)#
CHECK-THE-CHECKOUT(config)#
CHECK-THE-CHECKOUT(config)# access-list 199 permit icmp any any
CHECK-THE-CHECKOUT(config)# access-group 199 in interface outside
CHECK-THE-CHECKOUT(config)# show run access-g
access-group 199 in interface outside
05-01-2014 11:11 AM
I am also making adds/deletes as well as changing the names. There are a ton of ACLs that are no longer used, so I figured I would just start fresh. Thanks for the help!