Cisco ASA Remove Access-List

If you want to remove an access-list from a Cisco ASA firewall, you will find that it doesn't work the same way as on Cisco IOS routers or switches. Let me give you an example: I'll create an access-list and then try to remove it:

ASA1(config)# access-list MY_ACL permit ip any host 192.168.1.1
ASA1(config)# access-list MY_ACL permit ip any host 192.168.1.2
ASA1(config)# access-list MY_ACL permit ip any host 192.168.1.3
ASA1(config)# show access-list MY_ACL
access-list MY_ACL; 3 elements; name hash: 0x88151b6c
access-list MY_ACL line 1 extended permit ip any host 192.168.1.1 (hitcnt=0) 0x78efec90
access-list MY_ACL line 2 extended permit ip any host 192.168.1.2 (hitcnt=0) 0x74d90efe
access-list MY_ACL line 3 extended permit ip any host 192.168.1.3 (hitcnt=0) 0xa4113df3

I just created a simple access-list with three entries. Let's try to delete it the way you would on regular IOS:

ASA1(config)# no access-list MY_ACL
ERROR: % Incomplete command

Prefixing the command with "no" doesn't work: the ASA interprets "no access-list MY_ACL" as the start of a single-entry removal and reports the command as incomplete, rather than deleting the entire access-list. The following command will work:



Forum Replies

  1. Where is the command?

  2. Which one are you looking for?

    clear configure access-list MY_ACL is to get rid of the access-list.

  3. Hi Rene

    Your command will remove all of MY_ACL.
    What if I want to remove only one access list (192.168.1.2) and keep the other two?
    Please show how.

    Thank you

  4. Hi Hoan,

    If you want to remove a single statement, you can do it like this:

    ASA1# show run access-list
    access-list MY_ACL extended permit ip any host 192.168.1.1
    access-list MY_ACL extended permit ip any host 192.168.1.2
    access-list MY_ACL extended permit ip any host 192.168.1.3

    Let’s remove the middle statement:

    ASA1(config)# no access-list MY_ACL extended permit ip any host 192.168.1.2

    And verify our work:

    ASA1# show run access-list
    access-list MY_ACL extended permit ip any host 192.168.1.1
    access-list MY_ACL exte
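The two removal forms discussed above (clearing a whole access-list with "clear configure access-list NAME", and removing one entry by repeating the full ACE with a leading "no") are easy to get wrong when done by hand on a firewall, so a change plan is usually generated from the running configuration first. The following Python script is an added example, not code from the article or its forum: it parses "show run access-list" text, generates the exact ASA removal commands for either case, checks whether the ACL is bound to an interface with "access-group" so the operator sees which interface loses its filter, and simulates the result offline to confirm the remaining entries are untouched. The sample configuration is constructed; the interface name "outside" and the MGMT_ACL entry are assumptions.

```python
"""
Generate Cisco ASA removal commands from 'show run access-list' text.

Added example, not code from the original article or its forum. It encodes
the two removal forms discussed on the page: 'clear configure access-list
NAME' for the whole ACL (the ASA rejects 'no access-list NAME' as incomplete)
and 'no <full ACE>' for a single entry. The configuration below is constructed;
the interface name 'outside' and the MGMT_ACL entry are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample running configuration (not captured from a real device).
SAMPLE_RUNNING_CONFIG = """\
access-list MY_ACL extended permit ip any host 192.168.1.1
access-list MY_ACL extended permit ip any host 192.168.1.2
access-list MY_ACL extended permit ip any host 192.168.1.3
access-list MGMT_ACL extended permit tcp host 10.0.0.5 any eq 22
access-group MY_ACL in interface outside
"""

ACE_RE = re.compile(r"^access-list\s+(?P<name>\S+)\s+(?P<body>\S.*)$")
GROUP_RE = re.compile(
    r"^access-group\s+(?P<name>\S+)\s+(?P<dir>in|out)\s+interface\s+(?P<intf>\S+)$"
)


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Map each ACL name to its ACE lines (full 'access-list ...' text), in order."""
    acls: Dict[str, List[str]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            acls.setdefault(m["name"], []).append(line)
    return acls


def bound_interfaces(config: str, acl_name: str) -> List[Tuple[str, str]]:
    """(direction, interface) pairs where the ACL is applied with access-group."""
    bindings = []
    for raw in config.splitlines():
        m = GROUP_RE.match(raw.strip())
        if m and m["name"] == acl_name:
            bindings.append((m["dir"], m["intf"]))
    return bindings


def remove_acl_commands(config: str, acl_name: str) -> List[str]:
    """Commands to delete an entire ACL.

    Any interface binding is removed explicitly first so the change plan shows
    which interface loses its filter. 'no access-list NAME' alone is rejected
    by the ASA, so the final step is 'clear configure access-list NAME'.
    """
    if acl_name not in parse_acls(config):
        raise KeyError(f"ACL {acl_name!r} not present in configuration")
    cmds = [
        f"no access-group {acl_name} {direction} interface {intf}"
        for direction, intf in bound_interfaces(config, acl_name)
    ]
    cmds.append(f"clear configure access-list {acl_name}")
    return cmds


def remove_ace_commands(config: str, acl_name: str, host: str) -> List[str]:
    """Commands to delete only the ACEs in acl_name that reference 'host <host>'.

    A single ACE is removed by repeating its full text with a leading 'no';
    the other entries stay in place. The host match is anchored so that
    192.168.1.1 does not also match 192.168.1.10.
    """
    pattern = re.compile(rf"\bhost {re.escape(host)}(?=\s|$)")
    aces = parse_acls(config).get(acl_name, [])
    targets = [ace for ace in aces if pattern.search(ace)]
    if not targets:
        raise ValueError(f"no ACE in {acl_name!r} references host {host}")
    return [f"no {ace}" for ace in targets]


def apply_commands(config: str, cmds: List[str]) -> Dict[str, List[str]]:
    """Simulate the generated commands against the parsed ACL table.

    Offline check that a single-ACE removal leaves the remaining entries in
    place, and that a whole-ACL removal drops the ACL, before anything is
    pushed to a device.
    """
    acls = parse_acls(config)
    for cmd in cmds:
        if cmd.startswith("clear configure access-list "):
            acls.pop(cmd.split()[-1], None)
        elif cmd.startswith("no access-list "):
            ace = cmd[len("no "):]
            name = ace.split()[1]
            acls[name] = [a for a in acls.get(name, []) if a != ace]
            if not acls[name]:
                del acls[name]
    return acls


if __name__ == "__main__":
    print("# remove one entry")
    for cmd in remove_ace_commands(SAMPLE_RUNNING_CONFIG, "MY_ACL", "192.168.1.2"):
        print(cmd)
    print("# remove the whole ACL")
    for cmd in remove_acl_commands(SAMPLE_RUNNING_CONFIG, "MY_ACL"):
        print(cmd)
```

Running the script prints the single-entry removal for 192.168.1.2 followed by the whole-ACL plan (unbind from "outside", then "clear configure access-list MY_ACL"). The simulation step is what makes this useful for review: the remaining-entries check mirrors the "show run access-list" verification in the forum reply above, without touching a device.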