Cleaning up Access Lists

Here is an access list I want to know if I can "clean up" :
access-list outside_access_in extended permit tcp any host 192.168.0.81 eq 7500
access-list outside_access_in extended permit tcp any host 192.168.0.202 eq 3389
access-list outside_access_in extended permit object RDP any any
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 7500
access-list outside_access_in_1 extended permit object RDP any object FileServer
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53827
access-list outside_access_in_1 extended permit tcp any object New_Server eq 3389
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53828
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53829
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53830
access-list outside_access_in_1 extended permit tcp any object New_Server eq 53850
access-list outside_access_in_1 extended permit tcp any object New_Server eq 53810
access-list outside_access_in_1 extended permit tcp any object New_Server eq 53855
access-list outside_access_in_1 extended permit tcp any object New_Server eq telnet
access-list outside_access_in_1 extended permit tcp any object New_Server eq 55443
access-list outside_access_in_1 extended permit tcp any object New_Server eq 7500
access-list outside_access_in_1 extended permit tcp any object DattoDevice eq ssh
access-list outside_access_in_1 extended permit udp any object DattoDevice eq ntp
access-list outside_access_in_1 extended permit icmp any object DattoDevice
access-list RemoteVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 156.30.21.200 255.255.255.248
access-list outside_cryptomap_1 extended permit ip object host-192.168.0.81 156.30.21.200 255.255.255.248
What is the significance of the _1 on most of these statements? Should/could I add an _1 to the top 4 lines to make this list symmetrical?  I suspect some of these lines were created when they migrated over from a PIX501 to this ASA......

Hi,
To my understanding the numbering in the format "_1" (and similiar) are generated by device when you configure it through the ASDM.
The "access-list" configurations for "outside_access_in" and "outside_access_in_1" are for 2 totally different ACLs.
I would imagine that only one of them it attached to your "outside" interface at the moment. You can check what ACLs are attached to the interfaces of the ASA with the command
show run access-group
You could add the same lines from the old ACL to the new ACL with the "_1" at the end but you probably wont need all the statements (if any). The first line of the ACL you seem to have in the new one already.
The second ACL line might be in the new ACL. I am not sure as it contains "object" configurations which hold the IP addresses that I cant see.
Same goes for the third line of the ACL. It contains an "object" configuration though it seems it allows RDP from "any" host to "any" host. You might already have the RDP rules for the required hosts but with this information I can not say whats the case.
The last (fourth) line of the ACL seems to be a RDP rule that previously allowed RDP connections towards a host that used the PIX firewalls "outside" interface as its public IP address. This wont be needed anymore as in the new software that you are using you always allow the traffic to the local IP address, even if there is a NAT conigured.
The ACL named "RemoveVPN_SplitTunnelAcl" is probably currently in the "group-policy" configurations of your VPN. I doubt you will have to touch this at all.
At the end of the post you have ACLs named "outside_cryptomap" and "outside_cryptomap_1". These seems to be ACLs configured for L2L VPN connections. Considering the destinatin subnet in both of these is identical I imagine that also only one of these is in actual use at the moment.
You can check what is in use with the command
show run crypto map
Hope this helps :)
- Jouni

Similar Messages

  • Thoroughly Confused with ADSM created access-lists when viewing ASA config

    Background:
    I am trying to unravel a ASA 5550 config that has been created over several years, by multiple people, some who used ADSM, some who used CLI.
    None of them ever removed any lines from the configuration, and none did any documentation.
    I have several basic questions, which show my ignorance.
    When examining the actual configuration from a CLI perspective:
    1. Does an ADSM-created access list end with any specific ADSM-added suffix?
    2. When ANY access list is created in an ASA 5550, does it HAVE to be included in the access-group command to be functional? Can it also be functional if referenced in a "nat" command?
    3. If the access list does meet either of the criteria specified in question #2, is it completely non-functional?
    4. If an access list is applied to a logical or physical port that is shut down, is the access list functional?

    Actually, I don't think I ever made myself clear.
    I am working with a hard copy of the CLI.
    I have no acccess to the devices to run any commands, nor access to the ADSM.
    I have to get someone with access to the devices to get the CLI based config, or run any show commands for me.
    As stated before, it has been built and rebuilt by different people, some using CLI, some using ADSM, but no one ever cleaned up code or documented.
    I have probably 10-15 different access lists in this config.
    Some look to be affiliated with specific ports. Some of these ports are up, some down.
    I have the same rule sets appearing in 3 separate access lists, in some cases.
    Of course, each of these 3 access lists is slightly different.
    Here is the worst example I have to deal with, and hence why I need to know if an access-list can be active WITHOUT being defined in the access-group command AND AT THE SAME time NOT affiliated with a port.
    An example:
    3 access lists:
    Prmary_Public_access_in
    Primary_Public_access_in_tmp
    Arin_Primary_Public_access_in
    Primary_Public_access_in_tmp is associated with the Primary_Public interface, since it is defined in an access-group command.
    Arin_Public_Primary_access_in is associated with a logical port that is shutdown.
    Primary_Public_access_in does not appear to be directly associated with any one port
    So are Arin_Public_Primary_access_in and Primary_Public_access_in access lists that being referenced to manage traffic?

  • Ssh Access-list

    Hi,
    I want to create an access-list that will allow any host to ssh to the Management address of a switch but, only the
    Management address. Does this look like a clean way to do this?
    ip access-list extended SSH_ACCESS
    permit udp Management VLAN ip any eq 22
    permit tcp Management VLAN ip any eq 22
    deny udp any other switch ips eq 22
    deny tcp any other switch ips eq 22
    permit ip any any
    line vty 0 15
    ip access-group SSH_ACCESS
    Thank you, Pat.

    Hi
    In IOS Version 12.4 its work likes that only. Can anyone try this in IOS version 15?
    R2#
    R2#sh ip int br | i up
    FastEthernet0/0            192.168.10.2    YES manual up                    up
    R2#
    R2#
    R2#telnet 192.168.10.1 /so fa0/0
    Trying 192.168.10.1 ... Open
    R1#
    R1#
    R1#sh ip access-list 100
    Extended IP access list 100
        10 permit tcp host 192.168.10.2 host 192.168.10.1 eq telnet log
        20 permit tcp host 192.168.10.2 any eq telnet log (8 matches)
        30 permit tcp any any eq telnet log
    R1#
    R1#
    R1#
    R1#sh ver | i Version
    Cisco IOS Software, 2600 Software (C2691-ADVENTERPRISEK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)
    ROM: 2600 Software (C2691-ADVENTERPRISEK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)
    R1#

  • Add network object to access list

    Can someone please show me how to add existing network objects to existing access control lists in a network object group using the cli in the asa version 9.x on the inside interface? The source is an already existing network object and the destination is an existing network object group. Thanks.

    Hi,
    I am not entirely sure of what you are asking.
    What I undertood is that you have the following already
    An "access-list" that is attached to the "inside" interface
    An existing "object network " configured that will be used as the source for the "access-list" rule
    An existing "object-group network " configured that will be used as the destination for the "access-list" rule
    If the above is true then you would simply configure
    access-list permit ip object object-group
    The above though would permit all TCP/UDP traffic
    If you want to only allow specific ports for either TCP or UDP then you would use the format
    access-list permit tcp object object-group eq
    access-list permit udp object object-group eq
    Naturally if you want to allow multiple ports there would be further ways to group those ports together also inside "object-group" to make the configuration smaller/cleaner.
    Please let me know if you were looking for something else and I missunderstood
    Hope this helps
    - Jouni

  • ASA 5505 version 9.1 in extended access-list I can add interface name as destination??

    Hi All,
    I'm adding extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify interface name instead of object, host/network but can't find it documented anywhere and what is the behavior of that?
    access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
    Is it matching the egress interface or what?

    Use the interface name rather than IP address to match traffic based
    on which interface is the source or destination of the traffic. You must
    specify the interface keyword instead of specifying the actual IP
    address in the ACL when the traffic source is a device interface. For
    example, you can use this option to block certain remote IP addresses
    from initiating a VPN session to the ASA by blocking ISAKMP. Any
    traffic originated from or destined to the ASA, itself, requires that you
    use the access-group command with the control-plane keyword.

  • Vpn site to site and remote access , access lists

    Hi all, we run remote access and site to site vpn on my asa, my question is Can I create an access list for the site to site tunnel, but still leave the remote access vpn to bypass the access list via the sysopt command, or if I turn this off will it affect both site to site and remote access vpn ?

    If you turn off sysopt conn permit-vpn it will apply to both your site to site and remote access vpn...all ipsec traffic. You would have to use a vpn-filter for the site to site tunnel if you wanted to leave the sysopt in there.

  • How to create a Access list on core switch to bloxk all Internet Traffic & allow some specific Internet Traffic

    Hellp Everyone,
    I am trying to create a Access-List on my Core Switch, in which I want to allow few internet website & block the rest of them.
    I want to allow the whole Intranet but few intranet websites also needs access to the internet.
    Can we create such Access-List with the above requirement.
    I tried to create the ACL on the switch but it blocks the whole internet access.
    i want to do it for a subnet not for a specific IP.
    Can someone help me in creating such access list.
    Thanks in Advance

    The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
    In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. also, once you add an access-list, there is an implicit "deny any any" at the end.
    The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
    You would then use them as follows:
    ip access-list extended main_acl
    permit any object-group intranet any
    permit object-group allowed_servers object-group allowed_sites any
    interface vlan
    ip access-group main_acl in
    More details on the syntax and examples can be found here:
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66

  • I have a 3rd generation iPod Touch and just did the update to IOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list.

    I have a 3rd generation iPod Touch and just did the update to IOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list. I've confirmed the mac address is included on that list and that the password is correct. Under choses netwrok I select the network and it just goes into a spin. I have tried removing the password and the access list settings and it still will not complete the connection to the router thus no internet access. The routers firmware is also up to date. This thing worked fine before this update and I've already tried to restore from backup. Any ideas or is the wifi nic bad in this thing with the new apple firmware update? Any fix?

    Thanks Bob, I don't know why but it all of a sudden worked a few days later. It's a mystery but at least problem solved.

  • I can no longer access listing variations in Ebay after the upgrade

    After upgrading my Firefox on 3.01.2012 I can no longer access listing variations or change prices on these Ebay listings. Other edits within the site seem unaffected.

    Well, just imported all of my settings into Google Chrome. Been nice knowing you Firefox.

  • IOS XR deny ace not supported in access list

    Hi everybody,
    We´ve a 10G interface, this is a MPLS trunk between one ASR 9010 and a 7613, and the first thing that we do is through a policy-map TK-MPLS_TG we make a shape of 2G to the interface to the output:
    interface TenGigE0/3/0/0
     cdp
     mtu 1568
     service-policy output TK-MPLS_TG
     ipv4 address 172.16.19.134 255.255.255.252
     mpls
      mtu 1568
    policy-map TK-MPLS_TG
    class class-default
      service-policy TK-MPLS_EDGE-WAN
      shape average 2000000000 bps
      bandwidth 2000000 kbps
    and we´ve the policy TK-MPLS_EDGE-WAN as a service-policy inside, this new policy  help us to asign bandwidth percent to 5 class-map, wich in turn match with experimental values classified when they got in to the router:
    class-map match-any W_RTP
     match mpls experimental topmost 5
     match dscp ef
     end-class-map
    class-map match-any W_EMAIL
     match mpls experimental topmost 1
     match dscp cs1
     end-class-map
    class-map match-any W_VIDEO
     match mpls experimental topmost 4 3
     match dscp cs3 cs4
     end-class-map
    class-map match-any W_DATOS-CR
     match mpls experimental topmost 2
     match dscp cs2
     end-class-map
    class-map match-any W_AVAIL
     match mpls experimental topmost 0
     match dscp default
     end-class-map
    policy-map TK-MPLS_EDGE-WAN
    class W_RTP
      bandwidth percent 5
    class W_VIDEO
      bandwidth percent 5
    class W_DATOS-CR
      bandwidth percent 30
    class W_EMAIL
      bandwidth percent 15
    class W_AVAIL
      bandwidth percent 2
    class class-default
    end-policy-map
    what we want to do is to assign a especific bandwidth to the proxy to the output using the class W_AVAIL, the proxy is 150.2.1.100. We´ve an additional requirement, wich is not apply this "rate" to some networks we are going to list only 4 in the example, so what we did was a new policy-map with a new class-map and a new ACL :
    ipv4 access-list PROXY-GIT-MEX
    10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
    20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
    30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
    40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
    50 permit tcp host 150.2.1.100 any
    60 permit tcp host 10.15.221.100 any
    policy-map EDGE-MEX3-PXY
     class C_PXY-GIT-MEX3
      police rate 300 mbps
     class class-default
     end-policy-map
    class-map match-any C_PXY-GIT-MEX3
     match access-group ipv4 PROXY-GIT-MEX
     end-class-map
    we asign a policy rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN
    policy-map TK-MPLS_EDGE-WAN
    class W_RTP
      bandwidth percent 5
    class W_VIDEO
      bandwidth percent 5
    class W_DATOS-CR
      bandwidth percent 30
    class W_EMAIL
      bandwidth percent 15
    class W_AVAIL
      service-policy EDGE-MEX3-PXY
    class class-default
    end-policy-map
    and we get this:
    Wed Sep 17 18:35:36.537 UTC
    % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
    RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
    Wed Sep 17 18:35:49.662 UTC
    !! SEMANTIC ERRORS: This configuration was rejected by
    !! the system due to semantic errors. The individual
    !! errors with each failed configuration command can be
    !! found below.
    !!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
    end
    Any  kind of help is very appreciated.

    That is correct, due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QOS class-matching based on ACL.
    unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
    if you have some traffic that you want to exclude you could do something like this:
    access-list PERMIT-ME
    1 permit
    2 permit
    3 permit
    access-list DENY-me
    !the exclude list
    1 permit
    2 permit
    3 permit
    policy-map X
    class DENY-ME
    <dont do anything> or set something rogue (like qos-group)
    class PERMIT-ME
    do here what you wanted to do as earlier.
    eventhough the permit and deny may be overlapping in terms of match.
    only the first class is matched here, DENY-ME.
    cheers!
    xander

  • Access list issues

    Hello,
    There has been an access list in place where I work since well before I arrived and it doesn't quite work.  I've done some research on ACLs and modified it so that it works better than it did before; however, it still doesn't do what was designed to do - block or "quarantine" devices so they are forced to update their systems with patches.  It is also used to help in the baselining of pcs.
    The access list works for the blocking portion, but it doesn't quite work for the baselining portion, meaning it currently succeeds in forcing the pcs to go to our server and get the latest patches but as a part of the baselining process, all machines have a policy that is pushed to them that maps a share drive.  This is where the problem is - with the existing ACL, they can ping and see the share drive but they cannot access it.  I've tried changing the permit ip statement to permit tcp but that just hoses the pc up and they get a "general failure" when trying to ping the share drive.
    Here is access list:
    ip access-list extended Quarantine_IN_L1
    permit icmp any any
    permit udp any any eq bootps
    permit udp any any eq bootpc
    permit upd any any eq domain
    permit tcp any eq 3389 any
    permit ip any host x.x.x.x (baseline server)
    permit ip any host x.x.x.x (share drive)
    permit ip any host x.x.x.x (domain controller)
    permit ip any host x.x.x.x (domain controller)
    ip access-list extended Quarantine_Out_L1
    permit icmp any any
    permit udp any any eq bootps
    permit udp any any eq bootpc
    permit udp any an any eq domain
    permit tcp any any eq 3389
    permit ip host (baseline server) any
    permit ip host (share drive) any
    permit ip host (domain controller) any
    permit ip host (domain controller) any
    As I said, I tried changing the permit ip host (baseline server) any and ip  any host (baseline server) to permit tcp statements.  That didn't work; then I modified it so there were both permit tcp and permit ip (baseline server) statements.  That also didn't work.
    Any help would be greatly appreciated as I've been working on this issue for almost a week now with nothing to show but bald spots where I've pulled my hair out!
    Thanks,
    Kiley

    Paul,
    When I remove the ACL, they can access the share drive so I figured it was something I've done wrong with the ACL.  I'm not able to provide a topology diagram of the network unfortunately, but we do have a server subnet, user subnet - typical of a medium sized company, I would assume.  The ACL is applied to the L3 interface for baselining:
    int vlan 500
    description BASELINE VLAN
    ip addres x.x.x.x x.x.x.x
    ip access-group Quarantine_IN_L1 in
    ip access-group Quarantine_Out_L1 out
    ip helper-address x.x.x.x
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    Thanks,
    Kiley

  • Static nat with port redirection 8.3 access-list using un-nat port?

    I am having difficulty following the logic of the port-translation and hoping someone can shed some light on it. Here is the configuration on a 5505 with 8.3
    object network obj-10.1.1.5-06
    nat (inside,outside) static interface service tcp 3389 3398
    object network obj-10.1.1.5-06
    host 10.1.1.5
    access-list outside_access_in line 1 extended permit tcp any any eq 3389 (hitcnt=3)
    access-group outside_access_in in interface outside
    So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully. What gives?
    Thanks in advance..

    Hello,
    I would be more than glad to explain you what is going on!
    The thing is since 8.3 NAT is reviewed before the acl so, the ASA receives the packet on the outside interface, checks for a existing connection, if there is none it will un-nat the packet and then check the ACL.
    After the packet in un-natted what we have is the private ip addresses and the real ports. so that is why on this versions you got to point the ACL to the private ip addresses and ports.
    Regards,
    Julio
    Rate helpful posts

  • Acl-name in access-list requirements

    Hi,
    I would ask about the acl-name in access-list,
    Does it act as a link between the ACL and an interface?
    or it could be written as any-thing, without any constrains?
    such as
    access-list test_ACL extended permit tcp host 10.105.10.22 host 10.140.180.35 eq ssh
    is it OK?
    or test_ACL should be defined somewhere prior using it in ACL?

    just because the ACL is not defined in an access-group doesn't mean it is not in use. There are several other areas that use ACLs.  Class-maps are another common place where ACLs are used to match on traffic that will be used in a policy-map.  Another comon use for ACLs is to define interesting traffic, or traffic that is to be encrypted, over a site to site VPN.
    But for this specific ACL that you mention, the question you need to answer is, does the ACL define IPs that are assigned within your network, and do you have any applications that require the tcp timeout to be adjusted?  If the answer is no to either of thaese then it is safe to assume you can remove the class-map test_ACL and the class test_ACL under the policy-map configuration.
    Whether the ACL itself can be removed, I would assume it is safe to  remove as it is called test_ACL, but then again, I have see people set up test configurations and then leave them as is without changing the name.  So I would suggest investigating further to see if the name test_ACL is referenced any other places in your configuration.
    Please remember to select a correct answer and rate helpful posts

  • Access-List Process - Urgent Help

    Dear All,
    My question here in this forum , in the Process of :-
    1- Which Interface should I apply this Access-list ?
    2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
    Now, My question is here :-
    Was I correct in choosing the Interface that I will apply this Access-list or not ?
    Please read my Process of choosing the Interface, and tell me if I am correct or Not ?
    I have here My Router, as Internet Router which is 1841 , with 2 Fast Ethernet interfaces as the following :-
    1. Fast Ethernet 0 / 0 :-
    Description : connected to My Network as MY LAN .
    IP Address of this Interface : 192.168.1.10 / 255.255.255.0
    2. Fast Ethernet 0 /1 :-
    Description : connected to Second Network on second Building.
    IP Address of this Interface : 172.16.20.10 / 255.255.0.0
    3. Serial Interface ( S 0 ).
    Description : connected to My Server Farm which is in another Network
    IP Address of this interface : 10.1.8.20 / 255.255.255.0.
    > No any serial interface or any serial connection at all on my 1841 Route.
    > The Default route on My Router is
    > IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20
    Now, I want only to deny user 192.168.1.40 to access the one server on the server FARMS which is OUR POP3 Server with this IP 10.1.8.40 / 24.
    As anyone knows, its an Extended Access List.
    So I wrote it like that:-
    Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp
    Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3
    Router(config)# access-list 102 permit ip any any
    Process of choosing the interface :-
    1- Which Interface should I apply this Access-list ?
    2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
    To answer and to understand the answer, for the 2 questions, here is my Process :-
    First Interface f 0 / 0 :-
    < this is the originating interface, and no need to apply the ACLs on it weather if inbound or outbound >, so F0/0 is not the correct interface to apply the ACLS on it.
    Second Interface f 0 / 1 :-
    < this is the second interface, and it have inbound / outbound direction , if I enable the ACL on this Interface, on the inbound direction, it will inter because nothing match on the condition, also, no need to make it on the OUTBOUND direction, because it will not get out from this interface, or there is no match condition on it.
    Third Interface S0:-
    Also, I have to look to the route on the Router, I will find it, every thing will route to interface serial / 0, and if I enable the ACL on the inbound direction, it will stop the traffic from enter the Interface < only it will disable from enter the interface, if the conditions accrue > so no need on the inbound, but on the outbound it will work.
    So, final answer will be as following :-
    1- Which Interface should I apply this Access-list ?
    ( Serial / 0 ) .
    2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
    ( Outbound ) .
    Was I correct or not ? please some one is update me.

    The access-list can be applied in any direction depending on the requirement. As per the scnearion you have given the access-list has to appiled at the inbound direction. It is called inbound accesslist.

  • A possible bug related to the Cisco ASA "show access-list"?

    We encountered a strange problem in our ASA configuration.
    In the "show running-config":
    access-list inside_access_in remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
    access-list inside_access_in remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
    access-list inside_access_in remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log
    access-list inside_access_in remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
    access-list inside_access_in remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
    access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
    access-list inside_access_in remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq www log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq https log
    access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log
    access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log
    access-list inside_access_in remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
    access-list inside_access_in extended permit tcp object 172.31.254.2 any eq domain log
    access-list inside_access_in extended permit udp object 172.31.254.2 any eq domain log
    access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
    access-list inside_access_in extended permit ip object 172.31.254.2 any log
    access-list inside_access_in remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log
    access-list inside_access_in remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log
    access-list inside_access_in remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
    access-list inside_access_in extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log
    access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log
    access-list inside_access_in remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
    access-list inside_access_in extended permit ip object windowsusageVM any log
    access-list inside_access_in extended permit ip any object testCSM-object
    access-list inside_access_in extended permit ip 172.31.254.0 255.255.255.0 any log
    access-list inside_access_in remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
    access-list inside_access_in extended permit ip host 172.31.254.2 any log
    access-list inside_access_in remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in extended permit tcp host 192.168.20.95 any eq www log
    In the "show access-list":
    access-list inside_access_in line 1 remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
    access-list inside_access_in line 2 remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
    access-list inside_access_in line 3 remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in line 4 extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log informational interval 300 (hitcnt=0) 0x0a                                                           3bacc1
    access-list inside_access_in line 5 remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
    access-list inside_access_in line 6 remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
    access-list inside_access_in line 7 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
    access-list inside_access_in line 8 remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
    access-list inside_access_in line 9 extended permit tcp 172.31.254.0 255.255.255.0 any eq www log informational interval 300 (hitcnt=0) 0x06                                                           85254a
    access-list inside_access_in line 10 extended permit tcp 172.31.254.0 255.255.255.0 any eq https log informational interval 300 (hitcnt=0) 0                                                           x7e7ca5a7
    access-list inside_access_in line 11 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log informational interval 300 (hitcn                                                           t=0) 0x02a111af
    access-list inside_access_in line 12 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log informational interval 300 (hitcnt                                                           =0) 0x19244261
    access-list inside_access_in line 13 extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log informational interval 300 (hitcn                                                           t=0) 0x0dbff051
    access-list inside_access_in line 14 extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log informational interval 300 (hitcnt=0) 0x7                                                           b798b0e
    access-list inside_access_in line 15 remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
    access-list inside_access_in line 16 extended permit tcp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c416                                                           81b
      access-list inside_access_in line 16 extended permit tcp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c416                                                           81b
    access-list inside_access_in line 17 extended permit udp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf                                                           227
      access-list inside_access_in line 17 extended permit udp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf                                                           227
    access-list inside_access_in line 18 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
    access-list inside_access_in line 19 extended permit ip object 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
      access-list inside_access_in line 19 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
    access-list inside_access_in line 20 remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
    access-list inside_access_in line 21 extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log informational interval 300 (hitcnt=0) 0x4951b794
    access-list inside_access_in line 22 remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in line 23 extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log informational interval 300 (hitcnt=0) 0x441e6d68
      access-list inside_access_in line 23 extended permit tcp 172.31.254.0 255.255.255.0 host 192.168.20.91 range ftp smtp log informational interval 300 (hitcnt=0) 0x441e6d68
    access-list inside_access_in line 24 remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
    access-list inside_access_in line 25 extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 0xe848acd5
      access-list inside_access_in line 25 extended permit tcp range 12.89.235.2 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 (hitcnt=0) 0xe848acd5
    access-list inside_access_in line 26 extended permit ip 192.168.20.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xb6c1be37
    access-list inside_access_in line 27 remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
    access-list inside_access_in line 28 extended permit ip object windowsusageVM any log informational interval 300 (hitcnt=0) 0x22170368
      access-list inside_access_in line 28 extended permit ip host 172.31.254.250 any log informational interval 300 (hitcnt=0) 0x22170368
    access-list inside_access_in line 29 extended permit ip any object testCSM-object (hitcnt=0) 0xa3fcb334
      access-list inside_access_in line 29 extended permit ip any host 255.255.255.255 (hitcnt=0) 0xa3fcb334
    access-list inside_access_in line 30 extended permit ip 172.31.254.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xe361b6ed
    access-list inside_access_in line 31 remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
    access-list inside_access_in line 32 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xed7670e1
    access-list inside_access_in line 33 remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in line 34 extended permit tcp host 192.168.20.95 any eq www log informational interval 300 (hitcnt=0) 0x8d07d70b
    There is a comment in the running config: (line 26)
    access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    This comment is missing in "show access-list". So in the access list, for all the lines after this comment, the line number is no longer correct. This causes problem when we try to use line number to insert a new rule.
    Has anybody seen this problem before? Is this a known problem? I am glad to provide more information if needed.
    Thanks in advance.
    show version:
    Cisco Adaptive Security Appliance Software Version 8.4(4)1
    Device Manager Version 7.1(3)
    Compiled on Thu 14-Jun-12 11:20 by builders
    System image file is "disk0:/asa844-1-k8.bin"
    Config file at boot was "startup-config"
    fmciscoasa up 1 hour 56 mins
    Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash M50FW016 @ 0xfff00000, 2048KB
    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1

    Could be related to the following bug:
    CSCtq12090: ACL remark line is missing when range object is configured in ACL
    Fixed in 8.4(6), so update to a newer version and observe it again.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

Maybe you are looking for

  • How can I transfer songs from one computer to another

    How can I transfer songs from one computer to another

  • How can I set a value to an Object Array

    I am declaring an object variable like this: final Object[][] data = { {"Mary", new Integer(5)}, {"Alison", new Integer(3)}, {"Kathy", new Integer(2)}, {"Sharon", new Integer(20)}, {"Angela", new Integer(4)} And I would like to declare it like this:

  • Windows 7 and sysprep

    An annoyance.  I have a sysprep'd Windows 7 x64 Ghost image.  Prior to creating the image my setup workstation's computer name is set to "win7image".  My sysprep is configured so that all I have to do once I lay this image on another computer is to g

  • Execute BDC by xi scenario

    HI all, I have a requirement in which I have to execute BDC in ECC5.0 system, this is to be automatically done once the xi scenario is configured in XI Development server. In otherwords, once xi scenario is executed succesfully in xi development serv

  • Can't Download an app and want to get rid of msg

    I once choose to download an app. But I got the message that it could not download that app at that time, to try again later. Now every time I go to the app store I get the same message. I don't want to download the app any more. How can I make the m