Moving rules around on an ASA
SSH to the Cisco as normal and elevate your user level and move to a configure terminal:
Enter configuration terminal:
Now from here, you can do a show running config to see what rules are on the ASA
If you see rules that are not in the correct order, you can move them around. For example, let's say you have a deny rule on line 5, but line 3 is an allow all any any anywhere type rule. We will first have to delete line 5, and recreate our deny rule, and just give it a new line number:
#no access-list outside_access_in extended deny ip object-group DenyIP
#access-list outside_access_in line 2 extended deny ip object-group DenyIP
This will create that ACL and place it in line2. Line 1 is usually the rule for support access. Just use the appropriate line number and make sure the Deny rule is in place before any allow all type rules.
Do not forget to save your work!