Is there a "dry run" mode for access lists before apply

Hello all,

I'm relatively new to Cisco administration, so if my question seems obvious, or if the answer is already in a printed manual, thanks for answering me anyway. I'm frustrated each time I ask a question on this group without getting an answer.

Also, English is not my mother tongue. Now, the problem:

After properly configuring a static NAT on a Cisco ASA 5510, I'd like to create access lists based on roles, using object-groups.

For instance, service object groups called web servers, mail servers, database servers, etc. These object groups will be linked with object groups called mail users, storage customers, administrators, etc. using access lists.

I hope it's clear.

Now, I have two questions:

  1. Is this approach good? I'd like to just add an IP address into an object group without needing to reconfigure access lists.

  2. Is there a way to apply an access-list for debugging, without activating the final blocking or rejection? A sort of dry run that makes sure I won't break my remote connection for administration.

For instance, when I use iptables on Linux, the last rule for incoming traffic is a log rule, and I set the policy to DROP only when I'm sure that I can continue to administer the server remotely.

Thanks, André Rodier.


I am not familiar with the Cisco ASA 5510; however, on a router, which has many similarities - and some deadly differences - it would be possible to create the ACL with only permit statements (remember the permit any any at the end) and to log the ACL matches.

Once you were happy recast with deny where required.

This would be pretty tedious and error-prone, though.

Look for

access-list x permit any any log

sort of thing.

Bod43
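Bod43's "permit everything and log it, then recast with deny" approach, written out for the ASA with the role-based object groups the question describes. This is an added example, not part of the thread; every group name, ACL name and address in it is invented.

```cisco
! Added example (constructed): role-based object groups applied first in
! "log-only" form, then tightened. All names and addresses are made up.

! Roles: who (sources) and what (destinations / services)
object-group network ADMINS
 network-object host 203.0.113.5
object-group network WEB_SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object eq 443

! Pass 1 - dry run: only permit lines, each logged, plus a logged catch-all
! permit at the end so nothing is dropped yet. Adding a server later means
! adding a network-object to its group, not editing the ACL.
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS object-group WEB_PORTS log
access-list OUTSIDE_IN extended permit tcp object-group ADMINS object-group WEB_SERVERS eq 22 log
access-list OUTSIDE_IN extended permit ip any any log
access-group OUTSIDE_IN in interface outside

! Make the ACL hits visible while you watch (ACL log entries are syslog 106100)
logging enable
logging buffered informational

! Check which line real traffic matches before tightening anything:
!   show access-list OUTSIDE_IN      (hitcnt on each line)
!   show logging | include 106100

! Pass 2 - once the catch-all line logs only traffic you intend to block,
! swap it for a logged deny (the ACL's implicit deny would drop it anyway,
! but an explicit deny ... log keeps the evidence):
!   no access-list OUTSIDE_IN extended permit ip any any log
!   access-list OUTSIDE_IN extended deny ip any any log
```

Note that an interface ACL on the ASA filters traffic passing through the firewall, so if the administration session terminates on a host behind the ASA, that is the traffic to watch for in the catch-all line's hits before the deny goes in.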

Thank you Bod43, I'll try that.

André Rodi
