Cisco ASA Series Configuration Manual page 43

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Chapter 3
Access Control Lists
If you want to further isolate the impact of editing ACLs, you can make your changes in a "configuration
session," which is an isolated mode that allows you to edit several ACEs and objects before explicitly
committing your changes. Thus, you can ensure that all of your intended changes are complete before
you change device behavior.
Before You Begin

You can edit ACLs that are referenced by an access-group command, but you cannot edit ACLs that
are referenced by any other command. You can also edit unreferenced ACLs or create new ones.

You can create or edit objects and object groups, but if you create one in a session, you cannot edit
it in the same session. If the object is not defined as desired, you must commit your changes and
then edit the object, or discard the entire session and start over.

When you edit an ACL that is referenced by an access-group command (access rules), the
transactional commit model is used when you commit the session. Thus, the ACL is completely
compiled before the new ACL replaces the old version.

If you enable forward referencing of ACL and object names (the forward-reference enable
command), you can delete an ACL that is referenced by an access-group command (access rules),
and then recreate the ACL. When you commit changes, the new version of the ACL will be used
after compilation is complete. You can also create rules that refer to objects that do not exist, or
delete objects that are in use by access rules. However, you will get a commit error if you delete an
object used by other rules, such as NAT.
Procedure

Step 1 Start the session.

hostname# configure session session_name
hostname(config-s)#

If the session_name already exists, you open that session. Otherwise, you are creating a new session.
Use the show configuration session command to view the existing sessions. You can have at most 3
sessions active at a time. If you need to delete an old unused session, use the clear configuration session
session_name command.
If you cannot open an existing session because someone else is editing it, you can clear the flag that
indicates the session is being edited. Do this only if you are certain the session is not actually being
edited. Use the clear session session_name access command to reset the flag.
Step 2 (Uncommitted sessions only.) Make your changes. You can use the following basic commands with any
of their parameters:

access-list
object
object-group

Step 3 Decide what to do with the session. The commands available depend on whether you have previously
committed the session. Possible commands are:

exit—To simply exit the session without committing or discarding changes, so that you can return
later.

commit [noconfirm [revert-save | config-save]]—(Uncommitted sessions only.) To commit your
changes. You are asked if you want to save the session. You can save the revert session (revert-save),
which lets you undo your changes using the revert command, or the configuration session
(config-save), which includes all of the changes made in the session (allowing you to commit the
Edit ACLs in an Isolated Configuration Session
Cisco ASA Series Firewall CLI Configuration Guide
3-19
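The three steps above, worked through end to end on an ASA CLI. This is an added example, not a transcript from the Cisco guide: the session name ACL_STAGING, the object WEB_SRV, the ACL OUTSIDE_IN, the interface name outside and the address 192.0.2.10 are all constructed, and it assumes OUTSIDE_IN is already bound with an access-group command, so the transactional commit model applies and the running ACL is untouched until commit. Commands are shown as typed, without the hostname(config-s)# prompt.

```cisco
! Added example; names, addresses and the pre-existing OUTSIDE_IN binding are assumptions.

! Step 1: open (or create) an isolated session. Nothing staged here changes device
! behavior until the session is committed.
configure session ACL_STAGING

! Step 2: stage an object and the ACEs that use it. Creating WEB_SRV inside the
! session is allowed, but it cannot be edited again until the session is committed;
! if the host address were wrong, the fix is to commit and then edit, or discard the session.
object network WEB_SRV
 host 192.0.2.10
access-list OUTSIDE_IN extended permit tcp any object WEB_SRV eq 443
! An explicit logged deny at the end keeps dropped traffic visible in syslog.
access-list OUTSIDE_IN extended deny ip any any log

! Review what exists before deciding; at most three sessions can be active at once.
show configuration session

! Step 3: commit, keeping a revert session so the change can be undone with the
! "revert" command. Because OUTSIDE_IN is bound by access-group, the whole ACL is
! compiled first and only then replaces the old version, so there is no window in
! which a half-built rule set is enforced. To walk away without committing, use "exit"
! instead and reopen the session later by name.
commit noconfirm revert-save

! Once the session is no longer needed, remove it so it does not count toward the limit.
clear configuration session ACL_STAGING
```

If the session cannot be opened because another administrator's edit flag is still set, clear it with clear session ACL_STAGING access only after confirming nobody is actually editing it; clearing a live edit silently discards their staged work.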