How can I insert a line into an existing ACL or modify existing ACL in general?

Cisco Forum FAQ 40.1 NAT/VPN/ACL/CBAC/Firewall
Introduction

This FAQ discusses some options for modifying an existing ACL on routers in general, and specifically for inserting lines into an existing ACL. Though the term router is used, the concept applies to any Cisco IOS-based platform, including switches and APs (Access Points). To some extent, the concept also applies to Cisco firewalls (PIX and ASA) and Nexus switches running NX-OS. Most CCNA books say modifying an existing ACL or inserting lines into an existing ACL can't be done... well, that shows you shouldn't believe everything you read :)

Option 1: IOS image supports ACL line number

If the IOS image running on the router supports ACL line numbers, the following is the procedure you can follow. First do a show access-list at the exec prompt and note the line numbering in the required access list, e.g.:

    extended IP access-list 115
        10 access-list 115 deny ip host 222.222.222.222 any
        20 access-list 115 permit ip any any


Then enter config mode and insert the line you want to add, prefixing it with the appropriate number to position it where you want in the list (substitute standard for extended in the example below if you are working with a standard ACL):
    conf ter
    ip access-list extended 115
    15 deny ip host 111.111.111.111 any
    end


If you repeat the show access-list you should find the deny just where you want it ;)

    extended IP access-list 115
        10 access-list 115 deny ip host 222.222.222.222 any
        15 access-list 115 deny ip host 111.111.111.111 any
        20 access-list 115 permit ip any any

Below is a full example with a named extended ACL:

    router#show access-list
    Extended IP access list to-internet
        10 deny udp any any eq netbios-dgm (17226 matches)
        20 deny udp any any eq netbios-ns (6648 matches)
        30 deny udp any any eq netbios-ss
        40 deny tcp any any eq 137
        50 deny tcp any any eq 138
        60 deny tcp any any eq 139
        70 deny udp any any eq 445
        80 deny tcp any any eq 445
        90 deny udp any any eq 593
        100 deny tcp any any eq 593
        110 permit ip any any (152039 matches)
    router#conf ter
    Enter configuration commands, one per line.  End with CNTL/Z.
    router(config)#ip access-list ext to-internet
    router(config-ext-nacl)#25 permit ip any host 1.1.1.1
    router(config-ext-nacl)#exit
    router(config)#exit
    router#
    router#show access-list
    Extended IP access list to-internet
        10 deny udp any any eq netbios-dgm (17226 matches)
        20 deny udp any any eq netbios-ns (6648 matches)
        25 permit ip any host 1.1.1.1
        30 deny udp any any eq netbios-ss
        40 deny tcp any any eq 137
        50 deny tcp any any eq 138
        60 deny tcp any any eq 139
        70 deny udp any any eq 445
        80 deny tcp any any eq 445
        90 deny udp any any eq 593
        100 deny tcp any any eq 593
        110 permit ip any any (152039 matches)

http://www.dslreports.com/faq/13793

6/4/2013

The suggested next step is to renumber the access list starting from 10 in steps of 10, using the following command:

    router#conf ter
    Enter configuration commands, one per line.  End with CNTL/Z.
    router(config)#ip access-list resequence to-internet 10 10
    router(config)#exit
    router#
    router#show access-list
    Extended IP access list to-internet
        10 deny udp any any eq netbios-dgm (17226 matches)
        20 deny udp any any eq netbios-ns (6648 matches)
        30 permit ip any host 1.1.1.1
        40 deny udp any any eq netbios-ss
        50 deny tcp any any eq 137
        60 deny tcp any any eq 138
        70 deny tcp any any eq 139
        80 deny udp any any eq 445
        90 deny tcp any any eq 445
        100 deny udp any any eq 593
        110 deny tcp any any eq 593
        120 permit ip any any (152039 matches)
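Option 1 as a small script, added here as an example and not code from the FAQ: it parses the show access-list output above (sample constructed from the page's own listing), models the insert at sequence 25 and the 10/10 resequence, and emits the snippet to paste. The duplicate-sequence refusal and the function names are this example's own modelling, not IOS code.

```python
import re

# Constructed sample input: the "to-internet" ACL from this page as printed by show access-list
SHOW_OUTPUT = """Extended IP access list to-internet
    10 deny udp any any eq netbios-dgm (17226 matches)
    20 deny udp any any eq netbios-ns (6648 matches)
    30 deny udp any any eq netbios-ss
    40 deny tcp any any eq 137
    50 deny tcp any any eq 138
    60 deny tcp any any eq 139
    70 deny udp any any eq 445
    80 deny tcp any any eq 445
    90 deny udp any any eq 593
    100 deny tcp any any eq 593
    110 permit ip any any (152039 matches)
"""

# One ACE line: sequence number, entry text, optional hit counter that we discard
ACE_RE = re.compile(r"^\s*(\d+)\s+(.*?)(?:\s+\(\d+ matches\))?\s*$")

def parse_acl(show_output):
    """Return [(seq, ace)] in the order the router lists them."""
    entries = []
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries

def insert_ace(entries, seq, ace):
    """Model of typing '<seq> <ace>' under ip access-list: a sequence number that
    is already in use is refused, otherwise the entry sorts into place."""
    if any(s == seq for s, _ in entries):
        raise ValueError(f"sequence {seq} already in use")
    return sorted(entries + [(seq, ace)])

def resequence(entries, start=10, step=10):
    """Model of 'ip access-list resequence <name> <start> <step>': order is kept,
    numbers are rewritten, so 25 becomes 30 and the rest shift by one step."""
    return [(start + i * step, ace) for i, (_, ace) in enumerate(entries)]

def config_lines(name, seq, ace):
    """The Option 1 snippet to paste for a named extended ACL."""
    return ["conf ter", f"ip access-list extended {name}", f"{seq} {ace}", "end"]

if __name__ == "__main__":
    acl = insert_ace(parse_acl(SHOW_OUTPUT), 25, "permit ip any host 1.1.1.1")
    print("\n".join(config_lines("to-internet", 25, "permit ip any host 1.1.1.1")))
    for seq, ace in resequence(acl):
        print(seq, ace)
```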

This method has been tested with both IOS 12.3 and 12.4 and works with standard, extended, numbered and named ACLs. Note that on older IOS image versions you may have to issue the service linenumber command to activate ACL line numbering. In newer IOS image versions this command is already activated by default, so there is no need to issue it again.

Option 2: IOS image does not support ACL line number

When the router IOS image does not support ACL line numbers, the following is the procedure you can follow.

1. Copy the ACL into a text editor (e.g. Notepad on Windows or vi on UNIX).
2. In the text editor, insert the ACL line.
3. Verify that your work is correct and will not bring down production time.
4. On the router, temporarily unapply the ACL.
5. Remove the ACL from the router.
6. Copy the updated ACL from the text editor into the router.
7. Verify that the router now has the updated ACL.
8. When the router does have the updated ACL, reapply the ACL as it was applied before.

Illustration

You have the following on your router:


    interface Ethernet0
     ip address 1.1.1.1 255.255.255.0
     ip access-group 100 in
    !
    access-list 100 permit udp any eq 53 any
    access-list 100 permit tcp any any established
    access-list 100 deny ip any any

You need ACL 100 to look like the following:

    access-list 100 permit tcp any any eq 80
    access-list 100 permit udp any eq 53 any
    access-list 100 permit tcp any any established
    access-list 100 deny ip any any

Following the above steps, here is what you should do.

1. Copy the existing ACL 100 and paste it into your text editor.
   Tips: Let's say you use Notepad as the text editor. On the router, highlight the access list, copy the highlighted text and paste it into Notepad.

2. In the text editor, insert the ACL line (the "access-list 100 permit tcp any any eq 80"):

    access-list 100 permit tcp any any eq 80
    access-list 100 permit udp any eq 53 any
    access-list 100 permit tcp any any established
    access-list 100 deny ip any any

3. Verify that the updated ACL 100 in the text editor is correct and will not bring down production time. This means the access-list line order is proper: it should not block legitimate traffic and should block only illegitimate traffic.

4. On the router, temporarily unapply the ACL:

    configure terminal
    interface Ethernet0
    no ip access-group 100 in

5. Remove the ACL from the router:

    no access-list 100

6. Copy the updated ACL from the text editor and paste it into the router.
   Tips: Let's say you use Notepad as the text editor. In Notepad, you should have the following:

    conf t
    access-list 100 permit tcp any any eq 80
    access-list 100 permit udp any eq 53 any
    access-list 100 permit tcp any any established
    access-list 100 deny ip any any
    end

   Have the router at global configuration mode, like the following:

    Router#

   Highlight all of the above command lines in Notepad (from "conf t" to "end"), copy the highlighted text and paste it into the router.

7. Verify that the router now has the updated ACL:

    show access-list 100

8. When the router does have the updated ACL, reapply the ACL as before back to the interface:

    configure terminal
    interface Ethernet0
    ip access-group 100 in
    end
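Option 2 as a script, added here as an example and not code from the FAQ: it performs the editor-side insert (step 2), runs the step 3 order check as an automated test for entries that can never match because they sit behind a catch-all, and assembles steps 4 to 8 into one paste-able block. The sample ACL is constructed from this page's illustration; the function names and the shadowing check are this example's own, not an IOS feature.

```python
# Constructed sample: ACL 100 from this page's illustration, as copied out of the running config
ORIGINAL_ACL = [
    "access-list 100 permit udp any eq 53 any",
    "access-list 100 permit tcp any any established",
    "access-list 100 deny ip any any",
]

def insert_line(acl_lines, new_line, position):
    """Step 2: insert new_line into the editor copy; position 0 puts it at the top."""
    return acl_lines[:position] + [new_line] + acl_lines[position:]

def check_acl(acl_lines, number):
    """Step 3 check. Returns a list of problems (empty means the copy is consistent):
    every line must belong to the given ACL number, and no entry may sit behind a
    catch-all 'permit/deny ip any any', because such an entry can never match."""
    problems = []
    catch_all_at = None
    for idx, line in enumerate(acl_lines):
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != str(number):
            problems.append(f"line {idx + 1}: not an access-list {number} entry: {line!r}")
            continue
        if catch_all_at is not None:
            problems.append(f"line {idx + 1}: unreachable, shadowed by line {catch_all_at + 1}")
        elif parts[2] in ("permit", "deny") and parts[3:] == ["ip", "any", "any"]:
            catch_all_at = idx
    return problems

def replacement_script(acl_lines, number, interface, direction="in"):
    """Steps 4 to 8 as one paste-able script: unapply, remove, re-create, reapply.
    The page verifies with 'show access-list 100' before reapplying; this script
    instead refuses to emit anything when check_acl finds a problem."""
    problems = check_acl(acl_lines, number)
    if problems:
        raise ValueError("; ".join(problems))
    return (["configure terminal", f"interface {interface}",
             f"no ip access-group {number} {direction}", "exit",
             f"no access-list {number}"]
            + acl_lines
            + [f"interface {interface}", f"ip access-group {number} {direction}", "end"])

if __name__ == "__main__":
    updated = insert_line(ORIGINAL_ACL, "access-list 100 permit tcp any any eq 80", 0)
    print("\n".join(replacement_script(updated, 100, "Ethernet0")))
```

The interface is unprotected between the no ip access-group and the final ip access-group lines, exactly as in the manual steps, which is why the page recommends an authorized work window.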


Note: The illustration assumes that ACL 100 is applied to a single interface only. When the same ACL is applied to multiple interfaces, you need to unapply and reapply the ACL on all of them.

In addition, keep in mind that you can lock yourself out of a router by making a mistake when working with ACLs. Worse, your ACL work could bring production down. If you are working remotely and it is possible to reload the router afterward, it is particularly important to consider issuing a reload in x command, where x is the number of minutes that will pass before the router reloads itself. Then, if you lock yourself out, you know the router will be reset within x minutes. When you are happy that the changes are correct, you can write the new config and cancel the reload with reload cancel. Note that a router reload brings the network down, so you may want to have some kind of authorized work window (see the Important Note below).

When it is not possible to reload and you are working remotely, you should have out-of-band access as an alternate path. This out-of-band access is a dedicated line that goes directly to the router console port. A lot of out-of-band access is set up using an analog dialup modem over a POTS line, although many organizations also use Frame Relay, DSL or cable modem for faster access.

Important Note: Any configuration change should be assessed for its impact on production. In general, an ACL change may bring production down. The ACL modification process could also let unwanted incoming traffic in from the Internet, which might then bring down some system. With that in mind, it is appropriate to schedule an ACL modification after hours or during off-hours. Depending on the environment you are working in, you may need approval from authorized people or your manager to make any changes and to get an authorized work window.

The options in this FAQ are not meant as real-life implementations, especially in a production network; rather they are intended as illustrations of possible ways of modifying an ACL. Certain companies have their own standards and methodologies regarding modifying an existing ACL or any configuration change, which you should be aware of. If you are unaware of such, consult your manager prior to any work.


Feedback:

- Fantastic, thanks a ton! This has saved me from several trips to remote sites. (2011-08-03 18:04:04)
- spot on, very helpful (2009-06-22 06:27:57)
- Perfect, very very helpful (2011-03-04 16:17:14)
- Thank you for the information! It was very helpful! (2011-07-09 23:00:29)
- Hats off to whoever wrote this. The explanation is really great for amateurs like me! Easy to understand! Thanks dude! (2012-08-24 03:45:05)
- helps a lot, thanks so much (2013-01-28 06:36:45)
- thank you (2013-03-26 06:01:10)

by Phraxos, edited by aryoba; last modified: 2013-03-26 11:41:44
