Reconfigure ACE

johnlloyd_13 (Level 9)

Hi all,

I have an ASA 5520 currently in production and need to reconfigure some entries in the ACL.

Currently the ACL uses IPs, but I want to use objects/aliases so that other admins can easily recognize the ACEs.

I already have the network objects created for static NAT and want to use them in my ACEs.

Can I do as below without causing any downtime to the users/network?

object network MY_OBJ
 host 172.27.1.2

access-list OUTSIDE extended permit ip any object MY_OBJ

no access-list OUTSIDE extended permit ip any host 172.27.1.2

2 Accepted Solutions

nkarthikeyan (Level 7)

Hi John,

I did a lab on this with ICMP and I do not see a ping drop when I put the object ACL in priority and then remove the existing ACL.

Immediately after placing the new ACL line, hits started on the new ACL line and the old ACL line's hits stopped at the same moment, so there shouldn't be any problem in doing that.

access-list outbound; 2 elements; name hash: 0x873017e8
access-list outbound line 1 extended permit ip object test_local object test_remote (hitcnt=0) 0x24731aff
  access-list outbound line 1 extended permit ip host 10.0.0.10 host 172.16.0.10 (hitcnt=7) 0x24731aff
access-list outbound line 2 extended permit ip host 10.0.0.10 host 172.16.0.10 (hitcnt=94) 0x4e29395e
access-list inbound; 1 elements; name hash: 0x793e9c88
access-list inbound line 1 extended permit icmp any any echo-reply (hitcnt=86) 0x55127d11
ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outbound; 2 elements; name hash: 0x873017e8
access-list outbound line 1 extended permit ip object test_local object test_remote (hitcnt=0) 0x24731aff
  access-list outbound line 1 extended permit ip host 10.0.0.10 host 172.16.0.10 (hitcnt=18) 0x24731aff
access-list outbound line 2 extended permit ip host 10.0.0.10 host 172.16.0.10 (hitcnt=94) 0x4e29395e
access-list inbound; 1 elements; name hash: 0x793e9c88
access-list inbound line 1 extended permit icmp any any echo-reply (hitcnt=97) 0x55127d11
ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outbound; 2 elements; name hash: 0x873017e8
access-list outbound line 1 extended permit ip object test_local object test_remote (hitcnt=0) 0x24731aff
  access-list outbound line 1 extended permit ip host 10.0.0.10 host 172.16.0.10 (hitcnt=19) 0x24731aff
access-list outbound line 2 extended permit ip host 10.0.0.10 host 172.16.0.10 (hitcnt=94) 0x4e29395e
access-list inbound; 1 elements; name hash: 0x793e9c88

Regards

Karthik

Saqib Raza (Level 1)

The easy way would be to add the new ACE with objects, log in to the firewall from ASDM, and reorder the newly added ACE above the old one that has the IP. Then monitor the hit count on that particular ACE, which will ensure that traffic is hitting it.

After you see the hit count going up you can safely remove the old entries; this way you should not have any downtime whatsoever.

4 Replies

nkarthikeyan (Level 7)

Hi John,

There shouldn't be much problem, but make sure that you prioritize the new rule with the object using line numbers; then you should be able to see hits on the new line rather than on the existing line of the old ACL. Active connections might see a slight impact. Let me do a small lab and confirm this for you.

Regards

Karthik

Thanks for your inputs!
