Monday, March 9, 2015

HOWTO set a Cisco ASA firewall policy in an inactive state

When working with policies on the Cisco ASA firewall, you sometimes need to disable a firewall policy. This beats configuring a deny entry or removing the policy outright.


The easiest way to disable a policy is to change its status to inactive. The policy stays installed in the configuration, but it will not be matched, so it neither permits nor denies anything.

e.g.

access-list EXTERNAL-in extended permit udp host 1.1.1.1 object RAD01 eq 1812


and now:

access-list EXTERNAL-in extended permit udp host 1.1.1.1 object RAD01 eq 1812 inactive


This is the easiest method for ensuring the firewall policy is not enforced while it remains in the configuration.


You might want to run packet-tracer to ensure that no other configured firewall ACL is still allowing the traffic.
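As an added illustration of that check (not from the original post, and only an offline approximation of what packet-tracer does on the box), the script below walks a constructed running-config excerpt, skips ACEs carrying the inactive keyword, and reports the first active ACE in the named access-list that still matches the RADIUS flow. The sample config, the object name RAD01's address, and the limited ACE grammar (host/object/any endpoints, optional "eq <port>") are all assumptions.

```python
import ipaddress
import re

# Constructed ASA running-config excerpt (sample data, not from the original post).
SAMPLE_CONFIG = """\
object network RAD01
 host 10.10.10.5
access-list EXTERNAL-in extended permit udp host 1.1.1.1 object RAD01 eq 1812 inactive
access-list EXTERNAL-in extended permit udp any object RAD01 eq 1812
access-list EXTERNAL-in extended deny ip any any
"""

# Handles only the ACE shapes used here: host/object/any endpoints, optional "eq <port>".
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>host \S+|object \S+|any) (?P<dst>host \S+|object \S+|any)"
    r"(?: eq (?P<port>\d+))?(?P<inactive> inactive)?$"
)


def parse_host_objects(config):
    """Map 'object network NAME' / ' host A.B.C.D' pairs to /32 networks (host objects only)."""
    objects, current = {}, None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
        elif current and line.strip().startswith("host "):
            objects[current] = ipaddress.ip_network(line.split()[1])
            current = None
    return objects


def to_network(token, objects):
    kind, _, value = token.partition(" ")
    if kind == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if kind == "host":
        return ipaddress.ip_network(value)
    return objects[value]  # "object NAME"


def first_active_match(config, acl, proto, src_ip, dst_ip, dst_port):
    """Return (action, ace_line) for the first active ACE in `acl` matching the flow, or None."""
    objects = parse_host_objects(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if not m or m["acl"] != acl or m["inactive"]:
            continue  # other ACL, or an ACE that is installed but marked inactive
        if m["proto"] not in (proto, "ip"):
            continue
        if src not in to_network(m["src"], objects) or dst not in to_network(m["dst"], objects):
            continue
        if m["port"] and int(m["port"]) != dst_port:
            continue
        return m["action"], line
    return None
```

With the sample config, the inactive ACE is skipped but the broader "any" ACE still permits UDP/1812 to RAD01, which is exactly the kind of overlap the packet-tracer check is meant to catch.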




Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \
