New Member

Can you disable a single line within ACL?

We have 881g on 15.1 code with a ZBFW.

Within an ACL, ip access-list extended blah, with multiple lines, 10,20,30,etc... is there a way to disable a single line or make it inactive while still leaving it in config? Don't see it in there, not sure if it's not possible or I'm not looking at the right things.

Thanks!

Accepted Solution

Re: Can you disable a single line within ACL?

There is no 'inactive' like on the ASA. A workaround would be to do something like

remark permit tcp any any eq smtp established log

It keeps it in the config, but it doesn't do anything since it's a remark.
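As an added example (not from the thread, and not Cisco code), a small Python helper that applies the remark workaround the way a change script would: it turns a numbered ACE into a remark that records its original sequence number, generates the IOS commands to do so, and reverses the change. The INACTIVE marker and the function names are this example's own convention; the sample ACL is the 'inbound' list shown in the reply below, constructed here as a Python list.

```python
"""Toggle one ACE of a Cisco IOS extended ACL between its active form and the
'remark' workaround, so the text stays in the config while matching nothing.
Hypothetical helper for this page; INACTIVE is its own marker, not IOS syntax."""
import re

MARKER = "INACTIVE"
ACE_RE = re.compile(r"^\s*(\d+)\s+((?:permit|deny)\s.*\S)\s*$")
REMARK_RE = re.compile(rf"^\s*remark {MARKER} (\d+) ((?:permit|deny)\s.*\S)\s*$")

# Constructed sample: the 'inbound' ACL from the thread.
INBOUND_ACL = [
    "10 deny ip 0.0.0.0 0.255.255.255 any log",
    "20 deny ip host 255.255.255.255 any log",
    "30 permit tcp any any eq smtp established log",
    "40 deny ip 127.0.0.0 0.255.255.255 any log",
]

def _seq(line):
    """Sort key: numbered ACEs in order, remarks (no sequence) at the end."""
    m = ACE_RE.match(line)
    return int(m.group(1)) if m else float("inf")

def disable_ace(acl_name, acl_lines, seq):
    """Return (new_acl_lines, ios_commands) with ACE `seq` turned into a remark.
    The ACE is removed so it no longer matches traffic; the remark keeps its text
    and sequence number so enable_ace() can restore it. Note that remarks appear
    in 'show running-config' but not in 'show access-list'."""
    for i, line in enumerate(acl_lines):
        m = ACE_RE.match(line)
        if m and int(m.group(1)) == seq:
            ace = m.group(2)
            remark = f"remark {MARKER} {seq} {ace}"
            cmds = [f"ip access-list extended {acl_name}",
                    f"no {seq} {ace}",  # full-line 'no', as used in the thread
                    remark]
            return acl_lines[:i] + acl_lines[i + 1:] + [remark], cmds
    raise ValueError(f"no ACE with sequence {seq} in {acl_name}")

def enable_ace(acl_name, acl_lines, seq):
    """Inverse of disable_ace(): drop the remark and re-insert the ACE at `seq`."""
    for i, line in enumerate(acl_lines):
        m = REMARK_RE.match(line)
        if m and int(m.group(1)) == seq:
            ace = f"{seq} {m.group(2)}"
            rest = acl_lines[:i] + acl_lines[i + 1:]
            cmds = [f"ip access-list extended {acl_name}", f"no {line.strip()}", ace]
            return sorted(rest + [ace], key=_seq), cmds
    raise ValueError(f"no disabled ACE with sequence {seq} in {acl_name}")
```

Because the remark is entered without a sequence number, IOS appends it at the end of the list; its position is irrelevant since a remark never matches traffic.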

4 REPLIES

Re: Can you disable a single line within ACL?

View the ACL (show access-list)

    FIREWALL#sh access-list inbound
    Extended IP access list inbound
        10 deny ip 0.0.0.0 0.255.255.255 any log
        20 deny ip host 255.255.255.255 any log
        30 permit tcp any any eq smtp established log
        40 deny ip 127.0.0.0 0.255.255.255 any log

Then go into the ACL and remove the line you want.

    FIREWALL#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    FIREWALL(config)#ip access-list ext inbound
    FIREWALL(config-ext-nacl)#no 30 permit tcp any any eq smtp established log
    FIREWALL(config-ext-nacl)#end
    FIREWALL#sh access-list inbound
    Extended IP access list inbound
        10 deny ip 0.0.0.0 0.255.255.255 any log
        20 deny ip host 255.255.255.255 any log
        40 deny ip 127.0.0.0 0.255.255.255 any log
        50 deny ip 10.0.0.0 0.255.255.255 any log

New Member

Re: Can you disable a single line within ACL?

Thanks, I know how to remove a line within the ACL, but that is not what I'm looking for. I still want the line to be in there, just inactive. Similar to how you can specify an ACE on an ASA with the 'inactive' word at the end. Is this possible with a router running ZBFW on 15.1 code?

New Member

Re: Can you disable a single line within ACL?

Thanks Collin, looks like that is the closest we're going to get.
