Moving rules around on an ASA

 

SSH to the Cisco as normal and elevate your user level and move to a configure terminal:

$en

Enter configuration terminal:

$conf t

Now from here, you can do a show running config to see what rules are on the ASA

#sh ru

If you see rules that are not in the correct order, you can move them around.  For example, let's say you have a deny rule on line 5, but line 3 is an allow all any any anywhere type rule.  We will first have to delete line 5, and recreate our deny rule, and just give it a new line number:

 

#no access-list outside_access_in extended deny ip object-group DenyIP

#access-list outside_access_in line 2 extended deny ip object-group DenyIP

 

This will create that ACL and place it in line2.  Line 1 is usually the rule for support access.  Just use the appropriate line number and make sure the Deny rule is in place before any allow all type rules.

#wr mem

Do not forget to save your work!