
New Member

temporarily disable rules?

What's the best way you have found to temporarily disable certain rules in an ASA config (8.2.1)? AFAIK there is no way to comment out a line in an ACL. So if we have a SQL connection that we need to open up from time to time (but are not comfortable leaving open permanently), what's the best way to do this?

6 REPLIES
Hall of Fame Super Blue

Re: temporarily disable rules?

Chris

Two ways that I have used:

1) have a copy of the acl with a different name in the config and without the SQL line and then simply apply whichever acl you want to use at the time to the relevant interface

2) You can specify line numbers in acls so you can do

no access-list line SQL rule

and then when you want to allow it simply add it back in

access-list line SQL rule

Jon

New Member

Re: temporarily disable rules?

Actually you just gave me another idea....

Maybe I will put it in the ACL as line 10 or something and then put the same rule with a deny action as line 9. When I want to use it I remove the deny, and when I am done I re-add the deny (which is simple since I'm just copying the existing line and changing permit to deny).

Hall of Fame Super Blue

Re: temporarily disable rules?

Chris

Yes that would work as well, just make sure you get the line numbers correct or you could allow when you mean to deny and vice-versa.

Jon

New Member (Accepted Solution)

Re: temporarily disable rules?

In 8.x you have the ability to disable certain aces.

New Member

Re: temporarily disable rules?

how?

New Member

Re: temporarily disable rules?

found it:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1540321

inactive

(Optional) Disables an ACE. To reenable it, enter the entire ACE without the inactive keyword. This feature lets you keep a record of an inactive ACE in your configuration to make reenabling easier.

cool
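Both approaches discussed in the thread, written out as an added example that is not part of the original posts or of Cisco's documentation. It assumes an ACL named outside_in applied inbound on the outside interface, a client at 203.0.113.10 and a SQL server at 10.0.0.5 listening on tcp/1433; the names, addresses and port are placeholders chosen for illustration. The two methods are alternatives, not meant to be configured at the same time.

```cisco
! Added example, not from the thread. Assumed names: ACL "outside_in",
! interface "outside", client 203.0.113.10, SQL server 10.0.0.5, tcp/1433.

! --- Method 1 (Chris's deny-then-permit idea, with Jon's line-number caveat) ---
! The permit lives at line 10 permanently; a matching deny at line 9 shadows it,
! because the ASA evaluates ACEs top-down and stops at the first match.
access-list outside_in line 9 extended deny tcp host 203.0.113.10 host 10.0.0.5 eq 1433
access-list outside_in line 10 extended permit tcp host 203.0.113.10 host 10.0.0.5 eq 1433

! Open the window: remove the deny. It is matched by its text, so no line number
! is needed here. Note that every ACE below it now moves up one line number.
no access-list outside_in extended deny tcp host 203.0.113.10 host 10.0.0.5 eq 1433

! Close it again: re-insert the deny at line 9 so it sits above the permit.
! Getting this number wrong puts the deny after the permit and changes nothing.
access-list outside_in line 9 extended deny tcp host 203.0.113.10 host 10.0.0.5 eq 1433

! --- Method 2 (the accepted answer): the "inactive" keyword, ASA 8.x ---
! The ACE stays in the running config as a record but is not evaluated.
access-list outside_in line 10 extended permit tcp host 203.0.113.10 host 10.0.0.5 eq 1433 inactive

! Re-enable by entering the whole ACE again without the keyword ...
access-list outside_in line 10 extended permit tcp host 203.0.113.10 host 10.0.0.5 eq 1433

! ... and disable it the same way with the keyword appended when the work is done.
access-list outside_in line 10 extended permit tcp host 203.0.113.10 host 10.0.0.5 eq 1433 inactive

! The ACL only takes effect once it is bound to the interface.
access-group outside_in in interface outside

! Check the result after each change: the output shows each ACE with its line
! number and hit count, and flags disabled entries as inactive.
show access-list outside_in
```

Method 2 is the easier one to audit: the state of the rule is spelled out in the config itself rather than implied by the relative position of two lines, and the hit counter in show access-list lets you confirm that nothing matched the ACE while it was disabled. With Method 1, check show access-list after every insert to make sure the deny really landed above the permit.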
