new context, was not able to add an acl

GeorgeS · March 17, 2016, 05:10:00 PM

Well today i had a big project where i was configuring a new context +++, i will stick in the fw as i had the following issue. I put the basic config and then i added 1 acl for 1 zone, acl was assigned to the interface properly also. Then i tried to add the 2nd acl for a 2nd zone but i was getting an error like do not mix acl or whatever. I am sorry that i do not remember the error i will check tomorrow and i will post it here but after 12 hours of work my brain was like agrhhhhh. To sum up, i was so frustrated and for 90 minutes i was struggling, i was not able to add any acl there just remarks!!! I tried from asdm the same.

So i decided to delete the context and i followed the same steps!!! It worked as it was supposed to. Has anyone seen a similar behavior? First time i have seen it.

deanwebb · March 17, 2016, 09:25:27 PM

What kind of firewall is it?

GeorgeS · March 18, 2016, 05:28:19 AM

this was the error

Code Select

ERROR: Cannot mix different types of access lists

@Dean is an ASA 5585, version 9.3

deanwebb · March 18, 2016, 08:28:49 AM

Did the ACL mix TCP and UDP ports? If they're all together in a service group, that should not be a problem. But if they're in separate groups, then they need to be in separate rules... or have the groups added to a service group.

GeorgeS · March 18, 2016, 09:15:49 AM

actually the first rule was permit icmp any4 any4 group-icmp
where in the group icmp i have the echo/reply/unreachable and exceeded

i even tried later adding a permit ip host host

no luck

so i deleted the context + the configuration file , followed the same steps and everything worked like charm

deanwebb · March 18, 2016, 10:07:20 AM

Honestly, I don't do a lot with contexts. Deleting them sounds like the right way to go.

new context, was not able to add an acl

GeorgeS

deanwebb

GeorgeS

deanwebb

GeorgeS

deanwebb