[heading]Cisco ASAs:[/heading]
The first thing you want to do is look at the ACL line numbers by entering the “sh access-list” command:
KC-ASA01# sh access-list acl_outside
access-list acl_outside; 2 elements; name hash: 0xdcd74233
access-list acl_outside line 1 extended permit tcp any host 24.200.10.190 eq www (hitcnt=1006) 0xc4c35c85
access-list acl_outside line 2 extended permit tcp any host 24.200.10.191 eq www (hitcnt=23855) 0xd290c0e4
KC-ASA01#
Here’s a look at the ACL from the “sh run” command:
KC-ASA01# sh run | inc acl_outside
access-list acl_outside extended permit tcp any host 24.200.10.190 eq www
access-list acl_outside extended permit tcp any host 24.200.10.191 eq www
KC-ASA01#
You see there are two access list entries for the access-list acl_outside. Now let's say you want to add a new access list entry at the top, as number 1. All you do is enter the access-list command with “line 1” in it, like this:
KC-ASA01(config)#access-list acl_outside line 1 extended permit tcp any host 24.200.10.192 eq www
Simple. You just tell the ASA which line the new access list entry should occupy; it inserts the entry at that line and shifts all the existing entries down by one.
Now when you enter the “sh access-list” command you will see your new entry at the top as number 1. You can also see the total number of entries at the top of the list:
KC-ASA01# sh access-list acl_outside
access-list acl_outside; 3 elements; name hash: 0xdcd74233
access-list acl_outside line 1 extended permit tcp any host 24.200.10.192 eq www (hitcnt=5) 0x3a3105fe
access-list acl_outside line 2 extended permit tcp any host 24.200.10.190 eq www (hitcnt=1006) 0xc4c35c85
access-list acl_outside line 3 extended permit tcp any host 24.200.10.191 eq www (hitcnt=23855) 0xd290c0e4
KC-ASA01#
Here’s another look at the ACL from the “sh run” command:
KC-ASA01# sh run | inc acl_outside
access-list acl_outside extended permit tcp any host 24.200.10.192 eq www
access-list acl_outside extended permit tcp any host 24.200.10.190 eq www
access-list acl_outside extended permit tcp any host 24.200.10.191 eq www
KC-ASA01#
[heading]Cisco Switches & Routers:[/heading]
Look at the ACL line numbers by entering the “sh access-list” command, just as on the ASA:
KC-RT01#sh access-list 101
Extended IP access list 101
10 permit tcp any host 172.16.200.100 eq www
20 permit tcp any host 172.16.200.101 eq www
A “sh run” look at the entries:
KC-RT01#sh run | inc 101
access-list 101 permit tcp any host 172.16.200.100 eq www
access-list 101 permit tcp any host 172.16.200.101 eq www
The difference between the two is that the ASA numbers its entries consecutively from 1 through the total number of entries you have. You are simply telling the ASA at which line you want to add the entry. So if you want the new entry to be on line 3, you configure it for line 3.
For the Switches and Routers, you see that there is spacing between the numbers. You want to make sure that the new entry falls before or after an existing number. In my example I wanted the entry to be on top. The top line number was 10. So I added one using 5, which put the entry on top. If I tried to use 10, the device would alert you with “% Duplicate sequence number” and the entry would NOT be added.
For the Switches and Routers, NOT the ASA, you have to enter the extended ACL configuration mode to ADD and DELETE entries.
KC-RT01(config)#ip access-list ext 101
KC-RT01(config-ext-nacl)#
KC-RT01(config-ext-nacl)#5 permit tcp any host 172.16.200.102 eq www
[note color="#fdeb56"]
You can delete specific lines here by issuing the NO command. If you issue the NO command from global configuration mode instead, the way you would on the ASA, the switch/router will LOSE ALL entries! [/note]
Here’s a look after the entry was configured:
KC-RT01#sh access-list 101
Extended IP access list 101
5 permit tcp any host 172.16.200.102 eq www
10 permit tcp any host 172.16.200.100 eq www
20 permit tcp any host 172.16.200.101 eq www
KC-RT01#sh run | inc 101
access-list 101 permit tcp any host 172.16.200.102 eq www
access-list 101 permit tcp any host 172.16.200.100 eq www
access-list 101 permit tcp any host 172.16.200.101 eq www
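To make the ASA-versus-IOS numbering difference concrete, here is an added Python example (not from the original post) that parses the two kinds of “sh access-list” output shown above and works out the insert command for a requested position: a dense “line N” on the ASA, and a free sequence number between neighbours on IOS, refusing the case the device would reject with “% Duplicate sequence number”. The sample output is constructed from the sessions on this page; the function names are this example's own.

```python
import re

# Constructed sample output, modelled on the page's "sh access-list" sessions.
ASA_OUTPUT = """access-list acl_outside; 2 elements; name hash: 0xdcd74233
access-list acl_outside line 1 extended permit tcp any host 24.200.10.190 eq www (hitcnt=1006) 0xc4c35c85
access-list acl_outside line 2 extended permit tcp any host 24.200.10.191 eq www (hitcnt=23855) 0xd290c0e4"""
IOS_OUTPUT = """Extended IP access list 101
    10 permit tcp any host 172.16.200.100 eq www
    20 permit tcp any host 172.16.200.101 eq www"""

ASA_RE = re.compile(r"^access-list \S+ line (\d+) (.+?) \(hitcnt=\d+\)")
IOS_RE = re.compile(r"^\s*(\d+) ((?:permit|deny) .+)$")


def parse_asa(text):
    """Map ASA line number -> rule text ('extended permit ...')."""
    return {int(m.group(1)): m.group(2)
            for m in map(ASA_RE.match, text.splitlines()) if m}


def parse_ios(text):
    """Map IOS sequence number -> rule text ('permit ...')."""
    return {int(m.group(1)): m.group(2)
            for m in map(IOS_RE.match, text.splitlines()) if m}


def asa_insert(acl, rules, position, rule):
    """ASA numbering is dense (1..N): 'line N' inserts at N and shifts every
    existing entry from N onward down by one. Returns the global-config
    command and the resulting numbering."""
    if not 1 <= position <= len(rules) + 1:
        raise ValueError(f"line {position} out of range 1..{len(rules) + 1}")
    shifted = {n + (n >= position): r for n, r in rules.items()}
    shifted[position] = rule
    return f"access-list {acl} line {position} {rule}", dict(sorted(shifted.items()))


def ios_insert(acl, rules, position, rule):
    """IOS numbering is sparse: pick a free sequence number strictly between the
    neighbours (step of 10 when appending). Reusing an existing number is what
    the device rejects with '% Duplicate sequence number', so it raises here."""
    seqs = sorted(rules)
    if not 1 <= position <= len(seqs) + 1:
        raise ValueError(f"position {position} out of range 1..{len(seqs) + 1}")
    lo = 0 if position == 1 else seqs[position - 2]
    hi = seqs[position - 1] if position <= len(seqs) else lo + 20
    if hi - lo < 2:
        raise ValueError(f"no free sequence number between {lo} and {hi}")
    # Unlike the ASA, IOS entries are added inside the ACL sub-mode.
    return [f"ip access-list extended {acl}", f"{(lo + hi) // 2} {rule}"]
```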