Editing a Cisco ASA ACL

seepy83

Platinum Member
Nov 12, 2003
I've got an ASA running software ver. 8.0(3). All of the programming on it was done by an outside vendor, and when it was initially programmed we had a server that we needed to block internet access to.

Now we need to give that server internet access again, and I can see the line in the config where they denied it (access-list in-fw-out extended deny ip host 10.10.10.10 any).

I really don't want to pay a vendor $100+ to remove one line from the ACL. Can someone tell me the proper way to go about removing this line?

Thanks!
 

spidey07

No Lifer
Aug 4, 2000
With almost all IOS you can just put a "no" in front of the command to remove it. Make sure you back up your config first if you aren't familiar.

Be careful: if you just did a "no access-list in-fw-out", that would remove the entire ACL. Do "no ENTIRE COMMAND LINE".
 

Pantlegz

Diamond Member
Jun 6, 2007
I'm pretty sure you change deny to allow; that's the way ACLs in the routers work. I don't get to play with ASAs till this fall.

Or.. Spidey types faster than I do...
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: Pantlegz1
I'm pretty sure you change deny to allow; that's the way ACLs in the routers work. I don't get to play with ASAs till this fall.

Or.. Spidey types faster than I do...

doh, good point.

With an ACL it denies everything unless you specifically allow it.

 

mcmilljb

Platinum Member
May 17, 2005
Or you could just make a new access list, and then try editing it to see how it responds to different commands. You probably could use a no command and only specify the line number you want to remove.
 

Pheran

Diamond Member
Apr 26, 2001
On the ASA you can remove an ACL line easily, just put "no" in front of the line as it appears in the config.

PS: Don't forget the "wr" (or "copy run start" if you really want to type more) to save the config after doing this.
 

Pheran

Diamond Member
Apr 26, 2001
Originally posted by: spidey07
Be careful: if you just did a "no access-list in-fw-out", that would remove the entire ACL. Do "no ENTIRE COMMAND LINE".

Actually that will not happen on an ASA, you'll get an error. You have to use the "clear configure access-list ..." command for that.
 

Pheran

Diamond Member
Apr 26, 2001
Originally posted by: spidey07
Originally posted by: Pantlegz1
I'm pretty sure you change deny to allow; that's the way ACLs in the routers work. I don't get to play with ASAs till this fall.

Or.. Spidey types faster than I do...

doh, good point.

With an ACL it denies everything unless you specifically allow it.

I'm assuming there's some kind of permit statement later in this ACL, otherwise there's no reason for the line in question to exist at all.
 

Pantlegz

Diamond Member
Jun 6, 2007
All ACLs have a default deny any any at the end that doesn't show up. Basically, if you don't tell it to allow it, it gets blocked. This is on routers of course, as I don't have any ASA exp, but it would make sense if they were both the same. If you have a few weeks I'll get back to ya with the answer :)
 

Pheran

Diamond Member
Apr 26, 2001
Originally posted by: Pantlegz1
All ACLs have a default deny any any at the end that doesn't show up. Basically, if you don't tell it to allow it, it gets blocked. This is on routers of course, as I don't have any ASA exp, but it would make sense if they were both the same. If you have a few weeks I'll get back to ya with the answer :)

Yes, ASA ACLs are also default-deny. However, it's a bad idea to assume that an ASA will act just like an IOS router because in many cases they do not.

By the way, the ASA has a very cool command called "packet-tracer" that allows you to simulate the flow of any packet through the appliance, and it will tell you whether or not it will get blocked and why.
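As an added example (not code from the thread and not Cisco's own tooling), here is a small offline model of the ACL step that packet-tracer reports on an ASA: entries are tried top to bottom, the first match decides, and a flow that matches nothing hits the implicit deny at the end. It uses the deny ACE quoted in the thread plus an assumed later permit for the 10.10.10.0/24 subnet, and it simulates the effect of removing exactly one line with "no <full ACE>" versus a bare "no access-list NAME", which Pheran says the ASA rejects. The sample addresses, the interface name and the simplified ACE grammar (ip/tcp/udp, any / host A / A MASK, trailing port or log keywords ignored) are assumptions made for the example.

```python
"""Offline first-match evaluator for Cisco ASA extended ACL entries.

Added example for this thread, not code from the forum posters or Cisco.
It models only the ACL lookup: each ACE is tried top to bottom, the first
match decides, and a flow matching nothing falls to the implicit deny.
Only the ip/tcp/udp protocol keywords and the 'any', 'host A' and 'A MASK'
address forms are parsed; trailing qualifiers such as 'eq 80' or 'log' are
ignored, so a port-specific ACE is treated as matching all ports here.
"""
import ipaddress
import re

# Constructed sample running-config (not the thread's real config): the deny
# ACE quoted by the original poster plus the later permit that Pheran assumed
# must exist. The access-group line is there to show non-ACE lines are skipped.
SAMPLE_CONFIG = """\
access-list in-fw-out extended deny ip host 10.10.10.10 any
access-list in-fw-out extended permit ip 10.10.10.0 255.255.255.0 any
access-group in-fw-out in interface inside
"""

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+\S.*)?$"
)


def _to_network(spec):
    """Map an ASA address spec ('any', 'host A', 'A MASK') to an ip_network."""
    words = spec.split()
    if words == ["any"]:
        return ipaddress.ip_network("0.0.0.0/0")
    if words[0] == "host":
        return ipaddress.ip_network(words[1] + "/32")
    addr, mask = words
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(config, name):
    """Return the ACEs of ACL `name` in config order as a list of dicts."""
    aces = []
    for raw in config.strip().splitlines():
        m = ACE_RE.match(raw.strip())
        if m and m.group("name") == name:
            aces.append({
                "line": raw.strip(),
                "action": m.group("action"),
                "proto": m.group("proto"),
                "src": _to_network(m.group("src")),
                "dst": _to_network(m.group("dst")),
            })
    return aces


def evaluate(aces, proto, src_ip, dst_ip):
    """First-match lookup. Returns (action, line_no, ace_text); line_no is
    None when nothing matched and the implicit deny applied."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(aces, start=1):
        if ace["proto"] not in ("ip", proto):
            continue
        if s in ace["src"] and d in ace["dst"]:
            return ace["action"], n, ace["line"]
    return "deny", None, "implicit deny at end of ACL"


def remove_ace(config, command):
    """Simulate typing `no <full ACE>` in configure mode.

    Only an exact match of the whole ACE line is removed. Anything else,
    including a bare `no access-list in-fw-out`, removes nothing and is
    reported as an error, mirroring the behaviour described in the thread."""
    cmd = command.strip()
    if cmd.startswith("no "):
        cmd = cmd[3:].strip()
    lines = config.strip().splitlines()
    kept = [ln for ln in lines if ln.strip() != cmd]
    if len(kept) == len(lines):
        raise ValueError(f"ERROR: no such entry, nothing removed: {cmd}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # 198.51.100.7 is a constructed Internet destination from the documentation range.
    before = parse_acl(SAMPLE_CONFIG, "in-fw-out")
    print("before:", evaluate(before, "tcp", "10.10.10.10", "198.51.100.7"))
    after = remove_ace(SAMPLE_CONFIG,
                       "no access-list in-fw-out extended deny ip host 10.10.10.10 any")
    print("after: ", evaluate(parse_acl(after, "in-fw-out"), "tcp", "10.10.10.10", "198.51.100.7"))
    print("other: ", evaluate(parse_acl(after, "in-fw-out"), "tcp", "10.10.11.5", "198.51.100.7"))
```

Run it and the first line shows the host hitting the deny at line 1, the second shows the same host hitting the permit once the deny is gone, and the third shows a host outside the permitted subnet falling to the implicit deny. This is only a reasoning aid; the authoritative check after editing is packet-tracer on the appliance itself, followed by "wr" to save.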
 

seepy83

Platinum Member
Nov 12, 2003
Originally posted by: Pheran
Originally posted by: spidey07
Originally posted by: Pantlegz1
I'm pretty sure you change deny to allow; that's the way ACLs in the routers work. I don't get to play with ASAs till this fall.

Or.. Spidey types faster than I do...

doh, good point.

With an ACL it denies everything unless you specifically allow it.

I'm assuming there's some kind of permit statement later in this ACL, otherwise there's no reason for the line in question to exist at all.

indeed, there was a permit later in the config.

thanks for the help everyone.
 

sactwnguy

Member
Apr 17, 2007
In the future you might want to try running the graphical ASDM to manage your ASA. I almost always prefer command line but on Pix/ASA the access-lists can become a pain to manage.
 

seepy83

Platinum Member
Nov 12, 2003
Originally posted by: sactwnguy
In the future you might want to try running the graphical ASDM to manage your ASA. I almost always prefer command line but on Pix/ASA the access-lists can become a pain to manage.

No chance in hell :D

If I'm going to take the time to learn it, it's going to be CLI. I've looked at the ASDM before, and I'm really not a fan of it. Command line/text configs are very straightforward... if you know the product/IOS, then it's all there for you to read.
 

spidey07

No Lifer
Aug 4, 2000
Just to chime in, I'm as command line as they come. I hate to use a GUI for anything on networking gear. But with some of the Cisco appliances it really is better to use the GUI, like the ASA, ACE, GSLB.

But even then one really should know the command line because you will have to get in there to do certain things and really see what is going on with the config.
 

dphantom

Diamond Member
Jan 14, 2005
Originally posted by: spidey07
Just to chime in, I'm as command line as they come. I hate to use a GUI for anything on networking gear. But with some of the Cisco appliances it really is better to use the GUI, like the ASA, ACE, GSLB.

But even then one really should know the command line because you will have to get in there to do certain things and really see what is going on with the config.

Have to agree here. GUI for my ASA and command line for my 4506e and other switches. I go to the command line in the ASA if the GUI doesn't support the command or I need to dig deep to see what a problem may be.