No announcement yet.

ASA access-list command error

  • Filter
  • Time
  • Show
Clear All
new posts

  • ASA access-list command error

    Hi I have a config for access lists on an ASA 5505 ver 8.2(1)as shown in the attached file. Please note the line numbers...

    I understand from my ASA handbook that I should be able to specify the line number so that for example if I wanted to insert a new entry at line 5 I could do like this for example, and it should insert in line 5 and move all other entries down one line automatically.

    ASA-5505# access-list outside_in_070809a line 5 extended permit tcp any interface outside eq 3389

    However, when do that I get an error "Warning duplicate element" and it doesn't take effect.

    Why does this not work and is there a way to re-order the entries?
    Attached Files

  • #2
    Re: ASA access-list command error

    I've never known it to work like that.
    I don't have an ASA in front of me to test at the moment but from memory, the line has to be unused before you can assign. Don't think it will automatically rearrange.


    • #3
      Re: ASA access-list command error

      Yeah it should take the existing line 5 and push it down to line 6 etc. Not sure why its working but you can always copy the acl to notepad, make your changes and reapply it.
      CCNA, CCNA-Security, CCNP
      CCIE Security (In Progress)


      • #4
        Re: ASA access-list command error

        Hmm.. I've been in a networking coma for awhile, so I didn't know this was possible.

        I found this: "You can remove and insert individual lines of an ACL but you cannot edit lines, in place, on the router."


        Looking at your configuration, you have a line 5 in place. Seems as if the ASA believes you are trying to edit the line instead of insert it. If you know that you will NOT be adding more lines, then you don't need to skip numbers. If you probably will at some point, I would give myself 10 or so spaces between each entry or try a "line 5.1" configuration.

        Let me know if this works because I'm really interested in the results.


        Edit: Also (from what I remember, forgive me if I am wrong), there is an implied deny any any at the end of every ACL so you could probably get rid of your existing line 5 and replace it.
        Last edited by Sixgauge; 14th July 2010, 14:52.


        • #5
          Re: ASA access-list command error

          Yups you should be able to do that with an ASA.
          If you have asdm in place you can see if you are using the correct syntax. At least if you enable preview commands in the options menu.

          Not sure though why it doesn't work,but maybe it's an bug in your current software version or an incorrect syntax or so although it seems right.
          Technical Consultant

          MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
          "No matter how secure, there is always the human factor."

          "Enjoy life today, tomorrow may never come."
          "If you're going through hell, keep going. ~Winston Churchill"


          • #6
            Re: ASA access-list command error

            That error means that the rule "access-list outside_in_070809a extended permit tcp any interface outside eq 3389" is already in the access-list you are modifying. Please notice that I removed the "line 5" keywords out.

            To verify whether or not the ACL is already entered, type the following in "enable mode"

            sh run | i 3389

            Just my $.02