TOPIC: Edit Cisco ACL (unorder line after edit)

Edit Cisco ACL (unorder line after edit) 4 years 7 months ago #37831

  • koslyr
  • Frequent Member
  • Posts: 20
  • Karma: 0
I have a simple standard ACL in order to filter the access to the vty lines. I want to edit the existing ACL, so I add a new record to the specific ACL (40) with the line info. After this action I gave the below show command and I found that the new record (with the line 83) became the first row in my ACL.

Why did this happen?

InternalRouter#show ip access-lists 40
Standard IP access list 40
83 permit 10.1.99.195
40 permit 195.251.16.252
50 permit 10.1.0.0, wildcard bits 0.0.0.255
60 permit 10.1.10.0, wildcard bits 0.0.0.255
82 permit 10.1.83.0, wildcard bits 0.0.0.255 (276 matches)

line vty 0 4
access-class 40 in
logging synchronous
login local
transport input ssh

Edit Cisco ACL (unorder line after edit) 4 years 7 months ago #37833

  • Chris
  • Administrator
  • Posts: 1446
  • Thank you received: 13
  • Karma: 8
koslyr,

If you performed a 'show run' it's most likely you'll see the entry at the bottom of your configuration, indicating that it's correctly placed as expected.

Can you try it and let us know of the result?
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx

Re: Edit Cisco ACL (unorder line after edit) 4 years 7 months ago #37837

  • skylimit
  • Distinguished Member
  • Posts: 158
  • Thank you received: 1
  • Karma: 0
In addition to Chris' reply, I think what you need is a named access list, so that you can change a specific access list entry using its line number. This way, the position is not changed after editing, if this makes sense.

e.g.
In global config mode obviously,

ip access-list standard testacl
10 permit host 1.2.3.4
20 permit host 1.1.3.4
30 permit host 1.3.3.4

So, to edit the second entry you just do like so:
ip access-list standard testacl
no 20
20 permit host 3.3.3.3

Use sh ip access-list to see the change.

What's more, you can even insert an ACL in a particular position without changing any existing entry, like so:
ip access-list standard testacl
10 permit host 1.2.3.4
15 permit host 2.4.5.6 <==new line inserted
20 permit host 1.1.3.4
30 permit host 1.3.3.4

The numbers are the line numbers, I think they are called.

Hope this helps.
"...you are never too old to learn" anon
Last Edit: 4 years 7 months ago by skylimit.
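As an added example (not code from the thread), here is a small Python model of what skylimit describes: entries live under sequence numbers, deleting and re-adding a number leaves the others in place, and a lookup walks the entries in sequence order regardless of the order the show command printed them in. The ACL 40 output from the first post is embedded as constructed sample input; the class and function names are my own.

```python
import ipaddress
import re

# Constructed sample input: the "show ip access-lists 40" output quoted in the thread.
SHOW_ACL_40 = """Standard IP access list 40
83 permit 10.1.99.195
40 permit 195.251.16.252
50 permit 10.1.0.0, wildcard bits 0.0.0.255
60 permit 10.1.10.0, wildcard bits 0.0.0.255
82 permit 10.1.83.0, wildcard bits 0.0.0.255 (276 matches)
"""
ENTRY_RE = re.compile(r"^(\d+) (permit|deny) (\S+?)(?:, wildcard bits (\S+))?(?: \(\d+ matches\))?$")

def wildcard_to_network(addr, wildcard="0.0.0.0"):
    # Cisco wildcard: 0 bits must match; a contiguous wildcard maps to one prefix.
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

class StandardAcl:
    # Keyed by sequence number: first match in sequence order wins, whatever order "show" prints.
    def __init__(self):
        self.entries = {}
    def add(self, seq, action, addr, wildcard="0.0.0.0"):  # "<seq> permit A [W]"
        if seq in self.entries:
            raise ValueError(f"sequence {seq} exists; remove it with 'no {seq}' first")
        self.entries[seq] = (action, wildcard_to_network(addr, wildcard))
    def remove(self, seq):  # "no <seq>"
        del self.entries[seq]
    def ordered(self):
        return [(s, a, n) for s, (a, n) in sorted(self.entries.items())]
    def lookup(self, addr):  # falls through to the implicit deny at the end
        a = ipaddress.ip_address(addr)
        return next(((s, act) for s, act, n in self.ordered() if a in n), (None, "deny"))

def parse_show_acl(text):
    acl = StandardAcl()
    for m in filter(None, map(ENTRY_RE.match, text.splitlines())):
        seq, action, addr, wild = m.groups()
        acl.add(int(seq), action, addr, wild or "0.0.0.0")
    return acl
def edit_testacl():
    # Replays the named-ACL edits from the post above on a model "testacl".
    acl = StandardAcl()
    for seq, host in ((10, "1.2.3.4"), (20, "1.1.3.4"), (30, "1.3.3.4")):
        acl.add(seq, "permit", host)      # "<seq> permit host <addr>"
    acl.remove(20)                        # "no 20"
    acl.add(20, "permit", "3.3.3.3")      # "20 permit host 3.3.3.3"
    acl.add(15, "permit", "2.4.5.6")      # inserted without touching the rest
    return [(s, a, str(n)) for s, a, n in acl.ordered()]
```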

Re: Edit Cisco ACL (unorder line after edit) 4 years 7 months ago #37845

  • koslyr
  • Frequent Member
  • Posts: 20
  • Karma: 0
Chris wrote:
koslyr,
If you performed a 'show run' it's most likely you'll see the entry at the bottom of your configuration, indicating that it's correctly placed as expected.
Can you try it and let us know of the result?
Also, in the running-config the new ACL entry is not placed at the end of the access list. Maybe I will try to change the ACL to a named access list.

Re: Edit Cisco ACL (unorder line after edit) 4 years 7 months ago #37846

  • Chris
  • Administrator
  • Posts: 1446
  • Thank you received: 13
  • Karma: 8
I agree with Skylimit - Named ACLs are the way to go - They are much more versatile and less restrictive when dealing with live routers where access lists can't simply be removed and re-inserted!
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx

Re: Edit Cisco ACL (unorder line after edit) 4 years 7 months ago #37847

  • koslyr
  • Frequent Member
  • Posts: 20
  • Karma: 0
Also, I decided with the new named ACL for the VTY to use a more secure way to restrict the vty access.
For this reason I use an extended access-list:
ip access-list extended VTY-ACCESS
permit tcp host 10.1.83.36 host 10.1.0.1 eq 22
My static IP address is 10.1.83.36 and the management IP address of the Cisco network device is 10.1.0.1.
line vty 0 4
access-class VTY-ACCESS in
logging synchronous
login local
transport input ssh
But when I try to connect via SSH (with SecureCRT) I receive the following message:
Network unreachable. This might indicate that you are not connected to the network, or might
indicate a problem exists on the network between your ISP and the destination host.