
Reconfigure ACE

Hi all,

I have an ASA 5520 currently in production and need to reconfigure some entries in an ACL.

Currently the ACL uses IPs, but I want to use objects/aliases so that other admins can easily recognize the ACE.

I already have the network objects created for static NAT and want to use them in my ACEs.

Can I do as below without causing any downtime to the users/network?

object network MY_OBJ
 host 172.27.1.2

access-list OUTSIDE extended permit ip any object MY_OBJ

no access-list OUTSIDE extended permit ip any host 172.27.1.2

2 ACCEPTED SOLUTIONS

Hi John,

I did a lab on this with ICMP and I do not see a ping drop when I put the object ACL in priority and then remove the existing ACL.

Immediately after placing the new ACL line, hits started on the new ACL line and the old ACL line's hits stopped at the same moment, so there shouldn't be any problem in doing that.

access-list outbound; 2 elements; name hash: 0x873017e8
access-list outbound line 1 extended permit ip object test_local object test_remote (hitcnt=0) 0x24731aff
  access-list outbound line 1 extended permit ip host 10.0.0.10 host 172.16.0.10 (hitcnt=7) 0x24731aff
access-list outbound line 2 extended permit ip host 10.0.0.10 host 172.16.0.10 (hitcnt=94) 0x4e29395e
access-list inbound; 1 elements; name hash: 0x793e9c88
access-list inbound line 1 extended permit icmp any any echo-reply (hitcnt=86) 0x55127d11
ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outbound; 2 elements; name hash: 0x873017e8
access-list outbound line 1 extended permit ip object test_local object test_remote (hitcnt=0) 0x24731aff
  access-list outbound line 1 extended permit ip host 10.0.0.10 host 172.16.0.10 (hitcnt=18) 0x24731aff
access-list outbound line 2 extended permit ip host 10.0.0.10 host 172.16.0.10 (hitcnt=94) 0x4e29395e
access-list inbound; 1 elements; name hash: 0x793e9c88
access-list inbound line 1 extended permit icmp any any echo-reply (hitcnt=97) 0x55127d11
ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outbound; 2 elements; name hash: 0x873017e8
access-list outbound line 1 extended permit ip object test_local object test_remote (hitcnt=0) 0x24731aff
  access-list outbound line 1 extended permit ip host 10.0.0.10 host 172.16.0.10 (hitcnt=19) 0x24731aff
access-list outbound line 2 extended permit ip host 10.0.0.10 host 172.16.0.10 (hitcnt=94) 0x4e29395e
access-list inbound; 1 elements; name hash: 0x793e9c88

 

 

Regards

Karthik

The easy way would be to add a new ACE with objects, log in to the firewall from ASDM, and reorder the newly added ACE above the old one that has the IP. Then monitor the hit count on that particular ACE, which will confirm that traffic is hitting it.

After you see the hit count going up you can safely remove the old entries; this way you should not have any downtime whatsoever.
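The cut-over both accepted answers describe (insert the object ACE above the host line, watch `show access-list` hit counts, then remove the old line) as an added example that is not code from the thread: a Python script that parses two `show access-list` snapshots and decides whether the old host-based ACE can be dropped. The embedded snapshots are constructed in the output format Karthik's lab shows; the ACL name, object name, hashes, hit counts and all function names (`parse_show_access_list`, `migration_status`, `migration_commands`) are this example's own assumptions, not from the thread or from Cisco.

```python
"""Check an ASA ACE cut-over (host line -> object line) from two
`show access-list` snapshots before the old line is removed.

Added example, not code from the thread. The snapshots below are constructed
in the output format Karthik's lab shows; ACL/object names, hashes and hit
counts are made up for the demonstration.
"""
import re
from collections import defaultdict

# One ACE line of `show access-list`. Expanded children of an object or
# object-group ACE are indented and carry the same hash as their parent.
ACE_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\).*?(?P<hash>0x[0-9a-fA-F]+)\s*$"
)


def parse_show_access_list(text):
    """Return {(acl, hash): {"line": int, "body": str, "hits": int}} for the
    top-level ACEs. In the lab output the parent object line shows hitcnt=0
    and the hits accumulate on its expanded child, so an ACE's count is the
    larger of its own hitcnt and the sum of its children's."""
    parents, children = {}, defaultdict(int)
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue  # ACL header, cached-flow summary, prompt lines
        key = (m["acl"], m["hash"].lower())
        if m["indent"]:
            children[key] += int(m["hits"])
        else:
            parents[key] = {"line": int(m["line"]), "body": m["body"], "hits": int(m["hits"])}
    for key, ace in parents.items():
        ace["hits"] = max(ace["hits"], children[key])
    return parents


def find_ace(aces, acl, needle):
    """The single top-level ACE of `acl` whose text contains `needle`."""
    found = [v for k, v in aces.items() if k[0] == acl and needle in v["body"]]
    if len(found) != 1:
        raise ValueError(f"expected one ACE matching {needle!r} in {acl}, found {len(found)}")
    return found[0]


def migration_status(before, after, acl, new_needle, old_needle):
    """Classify the cut-over from two parsed snapshots (hit deltas, not line
    positions, decide the result):
    safe_to_remove    - new ACE gained hits, old ACE gained none
    no_traffic_yet    - neither line was hit between the snapshots
    still_hitting_old - old ACE still gains hits: the new line sits below it
                        (or matches different traffic) and must be reordered"""
    new_delta = find_ace(after, acl, new_needle)["hits"] - find_ace(before, acl, new_needle)["hits"]
    old_delta = find_ace(after, acl, old_needle)["hits"] - find_ace(before, acl, old_needle)["hits"]
    if old_delta > 0:
        return "still_hitting_old"
    if new_delta == 0:
        return "no_traffic_yet"
    return "safe_to_remove"


def migration_commands(acl, line, new_ace, old_ace):
    """The three CLI steps in order. `line N` puts the object ACE above the
    host line; without it the ACE is appended to the end of the ACL and may
    never be reached. The remove step is only issued once migration_status
    reports safe_to_remove."""
    return {
        "insert": f"access-list {acl} line {line} extended {new_ace}",
        "verify": f"show access-list {acl}",
        "remove": f"no access-list {acl} extended {old_ace}",
    }


# Constructed snapshots (same layout as the thread's output, values made up).
SNAPSHOT_BEFORE = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE; 2 elements; name hash: 0x0c0ffee0
access-list OUTSIDE line 1 extended permit ip any object MY_OBJ (hitcnt=0) 0x11111111
  access-list OUTSIDE line 1 extended permit ip any host 172.27.1.2 (hitcnt=0) 0x11111111
access-list OUTSIDE line 2 extended permit ip any host 172.27.1.2 (hitcnt=94) 0x22222222
"""
SNAPSHOT_AFTER = """\
access-list OUTSIDE; 2 elements; name hash: 0x0c0ffee0
access-list OUTSIDE line 1 extended permit ip any object MY_OBJ (hitcnt=0) 0x11111111
  access-list OUTSIDE line 1 extended permit ip any host 172.27.1.2 (hitcnt=19) 0x11111111
access-list OUTSIDE line 2 extended permit ip any host 172.27.1.2 (hitcnt=94) 0x22222222
"""
# A run where the object ACE was added without `line 1`: it landed at the
# bottom and the host line keeps taking the traffic.
SNAPSHOT_APPENDED = """\
access-list OUTSIDE; 2 elements; name hash: 0x0c0ffee0
access-list OUTSIDE line 1 extended permit ip any host 172.27.1.2 (hitcnt=113) 0x22222222
access-list OUTSIDE line 2 extended permit ip any object MY_OBJ (hitcnt=0) 0x11111111
  access-list OUTSIDE line 2 extended permit ip any host 172.27.1.2 (hitcnt=0) 0x11111111
"""

if __name__ == "__main__":
    cmds = migration_commands("OUTSIDE", 1, "permit ip any object MY_OBJ",
                              "permit ip any host 172.27.1.2")
    print(cmds["insert"])
    before = parse_show_access_list(SNAPSHOT_BEFORE)
    for label, snap in (("ordered", SNAPSHOT_AFTER), ("appended", SNAPSHOT_APPENDED)):
        after = parse_show_access_list(snap)
        print(label, migration_status(before, after, "OUTSIDE", "object MY_OBJ", "host 172.27.1.2"))
```

The check keys ACEs by their hash rather than their line number, because the hash stays with the ACE text while the line number changes when the entry is reordered in ASDM. Take the two snapshots far enough apart for the traffic in question to have flowed; a result of no_traffic_yet means wait, not remove.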

4 REPLIES

Hi John,

There shouldn't be much of a problem, but make sure that you prioritize the new rule with the object using line numbers; then you should be able to see hits on the new line rather than on the existing line of the old ACL. Maybe the active connections will get a slight impact. Let me do a small lab and confirm this for you.

Regards

Karthik


Thanks for your inputs!

