New Member

access list on firewall

Can we use numbering in an access list on a firewall, say a line like access-list 120 permit.......?

7 REPLIES

Re: access list on firewall

PIX/ASA allows you to use either an ACL with a name or one with a number (standard/extended). Normally, an extended ACL is recommended as you have more control and can specify src/destination address and port.

The ACL syntax is as follows:

hostname(config)# access-list access_list_name [line line_number] [extended]
    {deny | permit} protocol source_address mask [operator port] dest_address mask
    [operator port | icmp_type] [inactive]

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450bf0.html#wp1074600

If you use PDM/ASDM to create ACL, by default, it will use name. You can use ACL with number when configuring it from CLI.

Sample config ACL with number:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080624e19.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

HTH

AK

New Member

Re: access list on firewall

Thanks, here comes my question: if a numbered ACL is used, then how can we have the features of a named ACL, say like removing an entry in the middle? This is not possible in a numbered ACL, you know, whereas it's possible to remove an entry in a named ACL.

Cisco Employee

Re: access list on firewall

Yes you can, please check below:

Use the access-list id line line-num command to insert an access-list command statement, and the no access-list id line line-num command to delete an access-list command statement.

Each access control element (ACE) and remark has an associated line number. Line numbers can be used to insert or delete elements at any position in an access list. These numbers are maintained internally in increasing order starting from 1. (For example, in sequence such as 1, 2, 3...) A user can insert a new entry between two consecutive ACEs by choosing the line number of the higher line number ACE.

The line numbers are always maintained in increasing order, with an individual line number for each ACE. However, all ACEs resulting from a single object group access-list command statement have a single line number. Consequently, you cannot insert an ACE in the middle of object-group ACEs.

Line numbers are displayed by the show access-list command. However, they are not shown in your configuration.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#wp1067755

Hope it helps

Franco Zamora

Re: access list on firewall

Numbered and named ACLs are two different things. You should use only one, and cannot mix both.

As for removing lines in an ACL, i.e. a middle entry, you can check that particular ACL line number using 'sh access-list' or 'sh access-list '.

Example:

firewall(config)# sh access-list dmz
access-list dmz turbo-configured; 448 elements
access-list dmz line 1 deny udp any any eq 12345 (hitcnt=0)
access-list dmz line 2 deny tcp any any eq 12345 (hitcnt=0)
access-list dmz line 3 permit ip host SERVER001 host MON_010 eq ftp
access-list dmz line 4 permit ip host SERVER001 host 10.1.4.10 (hitcnt=7)
access-list dmz line 5 permit ip host SERVER001 host 10.1.4.15 (hitcnt=0)
access-list dmz line 6 permit tcp host SERVER001 host SVR_ONE eq 123 (hitcnt=186532)
access-list dmz line 7 permit tcp host SERVER_OP host SVR_ONE eq telnet(hitcnt=186532)

To remove a certain line, use:

access-list id [line line-num] {deny | permit

no access-list dmz line 5 permit tcp host SERVER001 host 10.1.4.15 eq https

To add an ACL line:

access-list dmz line 5 permit tcp host SERVER001 host 10.1.4.100 eq https

HTH

AK
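The two replies above describe the same mechanism from two sides: the firewall keeps a dense, increasing line number per ACE (several elements that come from one object-group statement share a single number), an insert at line n lands in front of the current line n and shifts the rest up, and a delete names the line plus the ACE text. The script below is an added example in Python, not part of this thread or of any Cisco tool; it parses the 'sh access-list' listing shown above (the sample text is constructed from it, with an extra second element on line 6 to imitate an object-group expansion), builds the insert/delete statements in the syntax the replies quote, models the renumbering, and flags zero-hit lines for review. Function names and the duplicated line-6 entry are assumptions for the example.

```python
import re

# Constructed sample output, modelled on the 'sh access-list dmz' listing in the
# thread. The two entries sharing line 6 imitate an object-group ACE, which the
# thread notes expands to several elements under one line number.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list dmz turbo-configured; 448 elements
access-list dmz line 1 deny udp any any eq 12345 (hitcnt=0)
access-list dmz line 2 deny tcp any any eq 12345 (hitcnt=0)
access-list dmz line 3 permit ip host SERVER001 host MON_010 eq ftp
access-list dmz line 4 permit ip host SERVER001 host 10.1.4.10 (hitcnt=7)
access-list dmz line 5 permit ip host SERVER001 host 10.1.4.15 (hitcnt=0)
access-list dmz line 6 permit tcp host SERVER001 host SVR_ONE eq 123 (hitcnt=186532)
access-list dmz line 6 permit tcp host SERVER001 host SVR_TWO eq 123 (hitcnt=12)
access-list dmz line 7 permit tcp host SERVER_OP host SVR_ONE eq telnet(hitcnt=186532)
"""

# One ACE per line; the hit counter is optional and may be glued to the ACE
# text without a space (as on line 7 of the thread's own output).
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<ace>.*?)\s*(?:\(hitcnt=(?P<hits>\d+)\))?\s*$"
)


def parse_show_access_list(text):
    """Return (acl_name, {line_number: [{'ace': str, 'hits': int | None}, ...]}).

    Entries are keyed by line number so that several elements sharing one
    line (an object-group expansion) stay grouped together.
    """
    acl_name = None
    entries = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:            # header such as 'turbo-configured; 448 elements'
            continue
        acl_name = m.group("acl")
        hits = int(m.group("hits")) if m.group("hits") is not None else None
        entries.setdefault(int(m.group("line")), []).append(
            {"ace": m.group("ace"), "hits": hits})
    return acl_name, entries


def remove_command(acl, entries, line):
    """Build 'no access-list <id> line <n> <ace>' for a line holding exactly one ACE."""
    aces = entries[line]
    if len(aces) != 1:
        raise ValueError(
            f"line {line} holds {len(aces)} elements (object-group expansion); "
            "remove the object-group statement itself, not one element")
    return f"no access-list {acl} line {line} {aces[0]['ace']}"


def insert_command(acl, entries, line, ace):
    """Build 'access-list <id> line <n> <ace>'.

    Per the thread, the new ACE lands in front of the ACE that currently has
    line number n; n may be at most one past the last existing line.
    """
    if not 1 <= line <= max(entries) + 1:
        raise ValueError(f"line {line} is outside 1..{max(entries) + 1}")
    return f"access-list {acl} line {line} {ace}"


def simulate_insert(entries, line, ace):
    """Model the firewall's renumbering: lines >= n shift up by one, n becomes the new ACE."""
    if not 1 <= line <= max(entries) + 1:
        raise ValueError(f"line {line} is outside 1..{max(entries) + 1}")
    shifted = {}
    for n, aces in entries.items():
        shifted[n + 1 if n >= line else n] = aces
    shifted[line] = [{"ace": ace, "hits": None}]
    return dict(sorted(shifted.items()))


def unused_entries(entries):
    """Line numbers whose every element reports hitcnt=0: candidates for review."""
    return [n for n, aces in entries.items()
            if all(a["hits"] == 0 for a in aces)]


if __name__ == "__main__":
    acl, acl_entries = parse_show_access_list(SAMPLE_SHOW_ACCESS_LIST)
    print(remove_command(acl, acl_entries, 5))
    print(insert_command(acl, acl_entries, 5,
                         "permit tcp host SERVER001 host 10.1.4.100 eq https"))
    print("zero-hit lines:", unused_entries(acl_entries))
```

The line numbers come from 'sh access-list' and not from the running configuration, so any script that generates 'line n' statements must re-read the listing immediately before it acts; after one insert or delete every later number has changed, which is exactly what simulate_insert models.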

New Member

Re: access list on firewall

Hello all, I think I didn't state it correctly.

The question is: can the access-list id itself be a numbered one, say like access-list 120 permit ip any any..., on a firewall, with the features of a named ACL too?

Re: access list on firewall

Correct me if I am wrong on your question.

You can only use one ACL (and bind it) per interface, and cannot mix a named ACL and a numbered ACL that you wish to bind on an interface. Use either one.

But you're allowed to use a numbered ACL and a named ACL for different interfaces, i.e.

outside: access-list 100

dmz: access-list DMZ

inside: access-list inside_access_out

HTH

AK

New Member

Re: access list on firewall

Hi,

You are right: in a router, a named access list and a numbered access list are different, and removing an entry is possible only in a named access-list.

However, in PIX/ASA you have a line number next to the name or number of the access-list, and that is what counts. So you can delete an entry in both cases with the firewall/ASA.

Rate if it helps
