Edit Cisco ACL (unorder line after edit)
12 years 10 months ago #37831
by koslyr
Edit Cisco ACL (unorder line after edit) was created by koslyr
I have a simple standard ACL in order to filter access to the vty lines. I want to edit the existing ACL, so I added a new record to the specific ACL (40) with the line info. After this action I gave the show command below and found that the new record (with line 83) became the first row in my ACL.
Why did this happen?
InternalRouter#show ip access-lists 40
Standard IP access list 40
83 permit 10.1.99.195
40 permit 195.251.16.252
50 permit 10.1.0.0, wildcard bits 0.0.0.255
60 permit 10.1.10.0, wildcard bits 0.0.0.255
82 permit 10.1.83.0, wildcard bits 0.0.0.255 (276 matches)
line vty 0 4
access-class 40 in
logging synchronous
login local
transport input ssh
12 years 10 months ago #37833
by Chris
Replied by Chris on topic Edit Cisco ACL (unorder line after edit)
koslyr,
If you performed a 'show run', it's most likely you'll see the entry at the bottom of your configuration, indicating that it's correctly placed as expected.
Can you try it and let us know the result?
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
12 years 10 months ago - 12 years 10 months ago #37837
by skylimit
Replied by skylimit on topic Re: Edit Cisco ACL (unorder line after edit)
In addition to Chris' reply, I think what you need is a named access list, so that you can change a specific access-list entry using its line number. This way, the position is not changed after editing, if this makes sense.
e.g.
Code:
In global config mode obviously,
ip access-list standard testacl
! a standard ACL entry takes only a source ("permit host A.B.C.D"); the "ip" keyword belongs to extended ACLs
10 permit host 1.2.3.4
20 permit host 1.1.3.4
30 permit host 1.3.3.4
So, to edit the second entry you just do like so:
Code:
ip access-list standard testacl
no 20
20 permit host 3.3.3.3
sh ip access-list to see the change
What's more, you can even insert an ACL entry in a particular position without changing any existing entry, like so:
Code:
ip access-list standard testacl
10 permit host 1.2.3.4
15 permit host 2.4.5.6 <== new line inserted
20 permit host 1.1.3.4
30 permit host 1.3.3.4
The numbers are the line numbers, I think they are called.
Hope this helps.
"...you are never too old to learn" anon
Last edit: 12 years 10 months ago by skylimit.
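The sequence-number edits in this post, and the ordering question in the original post, modelled in a short Python script. This is an added example written for this page, not code from the thread or from Cisco. It assumes a simplified IOS standard-ACL syntax (`host A.B.C.D`, `A.B.C.D W.W.W.W` with wildcard bits, or `any`) and models only first-match evaluation with the implicit deny at the end. It replays the `no 20` / `20 permit ...` / `15 permit ...` steps above, then runs the check that matters for the original question: which entries of the questioner's ACL 40 could be affected by their order at all. Every entry in ACL 40 is a permit and no two entries with different actions overlap, so the row order printed by `show ip access-lists 40` cannot change which sources are accepted; the constructed `shadowed_deny_demo` shows the case where sequence position does matter, a host deny placed after a broader subnet permit.

```python
"""Added example (not from the thread): a small model of IOS-style sequenced
standard ACLs. Parsed syntax (simplified):
    <seq> permit|deny host A.B.C.D
    <seq> permit|deny A.B.C.D W.W.W.W      (address followed by wildcard bits)
    <seq> permit|deny any
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


def ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str      # "permit" or "deny"
    addr: int        # address as a 32-bit int
    wildcard: int    # IOS wildcard bits: 1 = "don't care", 0 = "must match"

    def matches(self, src: str) -> bool:
        care = ~self.wildcard & MASK32
        return (ip(src) & care) == (self.addr & care)

    def overlaps(self, other: Entry) -> bool:
        # Some address matches both entries iff they agree on every bit both care about.
        care = ~self.wildcard & ~other.wildcard & MASK32
        return (self.addr & care) == (other.addr & care)


def parse_entry(line: str) -> Entry:
    tok = line.split()
    seq, action = int(tok[0]), tok[1]
    if tok[2] == "host":
        addr, wc = tok[3], "0.0.0.0"
    elif tok[2] == "any":
        addr, wc = "0.0.0.0", "255.255.255.255"
    else:
        addr, wc = tok[2], (tok[3] if len(tok) > 3 else "0.0.0.0")
    return Entry(seq, action, ip(addr), ip(wc))


class StandardAcl:
    """Entries keyed by sequence number; 'show' and evaluation follow sequence order."""

    def __init__(self, lines=()):
        self.entries: dict[int, Entry] = {}
        for line in lines:
            self.add(line)

    def add(self, line: str) -> None:
        # Re-using an existing sequence number replaces that entry.
        e = parse_entry(line)
        self.entries[e.seq] = e

    def remove(self, seq: int) -> None:
        # Equivalent of "no <seq>" inside the named ACL.
        self.entries.pop(seq, None)

    def show(self) -> list[Entry]:
        return [self.entries[s] for s in sorted(self.entries)]

    def evaluate(self, src: str) -> tuple[str, int | None]:
        # First matching entry wins; an unmatched source hits the implicit deny.
        for e in self.show():
            if e.matches(src):
                return e.action, e.seq
        return "deny", None

    def order_sensitive_pairs(self) -> list[tuple[int, int]]:
        # Pairs of entries with different actions that can match the same address:
        # only these make sequence position (and display order) security-relevant.
        ents = self.show()
        return [(a.seq, b.seq) for i, a in enumerate(ents) for b in ents[i + 1:]
                if a.action != b.action and a.overlaps(b)]


def skylimit_steps() -> list[int]:
    """Replay the edits from the post above; return the resulting sequence order."""
    acl = StandardAcl(["10 permit host 1.2.3.4",
                       "20 permit host 1.1.3.4",
                       "30 permit host 1.3.3.4"])
    acl.remove(20)                       # no 20
    acl.add("20 permit host 3.3.3.3")    # 20 permit host 3.3.3.3
    acl.add("15 permit host 2.4.5.6")    # inserted between 10 and 20
    return [e.seq for e in acl.show()]


def acl40() -> StandardAcl:
    """The questioner's ACL 40, in config syntax (constructed from the show output)."""
    return StandardAcl(["83 permit host 10.1.99.195", "40 permit host 195.251.16.252",
                        "50 permit 10.1.0.0 0.0.0.255", "60 permit 10.1.10.0 0.0.0.255",
                        "82 permit 10.1.83.0 0.0.0.255"])


def shadowed_deny_demo() -> tuple[str, str]:
    """Same two entries in two sequence positions (constructed example): a deny
    placed after a broader permit is never reached."""
    deny_first = StandardAcl(["10 deny host 10.1.0.7", "20 permit 10.1.0.0 0.0.0.255"])
    deny_last = StandardAcl(["10 permit 10.1.0.0 0.0.0.255", "20 deny host 10.1.0.7"])
    return deny_first.evaluate("10.1.0.7")[0], deny_last.evaluate("10.1.0.7")[0]


if __name__ == "__main__":
    print("sequence order after edits:", skylimit_steps())
    print("order-sensitive pairs in ACL 40:", acl40().order_sensitive_pairs())
    print("deny before / after permit:", shadowed_deny_demo())
```

`order_sensitive_pairs` is the check worth running on any real list before trusting a reordered display: an empty result means the order is irrelevant to the policy, anything else names the pairs whose relative sequence numbers must be inspected. Entry syntax follows the configuration form (`A.B.C.D W.W.W.W`), not the `wildcard bits` wording of the show output.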
12 years 10 months ago #37845
by koslyr
Replied by koslyr on topic Re: Edit Cisco ACL (unorder line after edit)
Chris wrote: koslyr,
If you performed a 'show run', it's most likely you'll see the entry at the bottom of your configuration, indicating that it's correctly placed as expected.
Can you try it and let us know the result?

Also in the running-config the new entry of the ACL is not placed at the end of the access list. Maybe I will try to change the ACL to a named access list.
12 years 10 months ago #37846
by Chris
Replied by Chris on topic Re: Edit Cisco ACL (unorder line after edit)
I agree with Skylimit - named ACLs are the way to go - they are much more versatile and less restrictive when dealing with live routers where access lists can't simply be removed and re-inserted!
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
12 years 10 months ago #37847
by koslyr
Replied by koslyr on topic Re: Edit Cisco ACL (unorder line after edit)
Also, with the new named ACL for the VTY, I decided to use a more secure way to restrict the vty access.
For this reason I use an extended access-list:
My static IP address is 10.1.83.36 and the mng IP address of the Cisco network device is 10.1.0.1.
ip access-list extended VTY-ACCESS
permit tcp host 10.1.83.36 host 10.1.0.1 eq 22
line vty 0 4
access-class VTY-ACCESS in
logging synchronous
login local
transport input ssh
But when I try to connect via SSH (with SecureCRT) I receive the following message:
Network unreachable. This might indicate that you are not connected to the network, or might
indicate a problem exists on the network between your ISP and the destination host.
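A check of what the VTY-ACCESS list in this post actually accepts, as an added example for this page (not code from the thread or from Cisco): a small Python evaluator for the simplified extended-ACL syntax `permit|deny <proto> <src> [eq port] <dst> [eq port]` with first-match semantics and the implicit deny, run against constructed SSH connection attempts. It assumes, as the post states, that 10.1.0.1 is the address the management session terminates on, and it treats the list as filtering the full protocol/source/destination tuple. A VTY filter rejects the TCP connection it denies; it does not produce a routing error, so a 'Network unreachable' message points at reachability between the client and 10.1.0.1 rather than at this list.

```python
"""Added example (not from the thread): evaluate the VTY-ACCESS extended ACL
against constructed connection attempts. Parsed syntax (simplified):
    permit|deny <proto> (host A.B.C.D | A.B.C.D W.W.W.W | any) [eq <port>]
                        (host A.B.C.D | A.B.C.D W.W.W.W | any) [eq <port>]
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Match:
    addr: int
    wildcard: int          # IOS wildcard bits: 1 = "don't care"
    port: Optional[int]    # None = any port

    def hit(self, address: str, port: int) -> bool:
        care = ~self.wildcard & MASK32
        return ((ip(address) & care) == (self.addr & care)
                and (self.port is None or self.port == port))


@dataclass(frozen=True)
class ExtEntry:
    action: str
    proto: str
    src: Match
    dst: Match


def _parse_match(tok: List[str], i: int) -> Tuple[Match, int]:
    """Parse one address spec (plus optional 'eq <port>') at tok[i]; return it and the next index."""
    if tok[i] == "host":
        addr, wc, i = ip(tok[i + 1]), 0, i + 2
    elif tok[i] == "any":
        addr, wc, i = 0, MASK32, i + 1
    else:
        addr, wc, i = ip(tok[i]), ip(tok[i + 1]), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = int(tok[i + 1]), i + 2
    return Match(addr, wc, port), i


def parse_ext(line: str) -> ExtEntry:
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, i = _parse_match(tok, 2)
    dst, _ = _parse_match(tok, i)
    return ExtEntry(action, proto, src, dst)


class ExtendedAcl:
    def __init__(self, lines):
        self.entries = [parse_ext(line) for line in lines]

    def evaluate(self, proto: str, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
        # First match wins; "ip" entries match any protocol; implicit deny at the end.
        for e in self.entries:
            if (e.proto in (proto, "ip") and e.src.hit(src_ip, src_port)
                    and e.dst.hit(dst_ip, dst_port)):
                return e.action
        return "deny"


# The list exactly as posted above.
VTY_ACCESS = ExtendedAcl(["permit tcp host 10.1.83.36 host 10.1.0.1 eq 22"])

# Constructed connection attempts: (label, proto, src, sport, dst, dport).
ATTEMPTS = [
    ("admin host to mgmt IP, ssh", "tcp", "10.1.83.36", 51515, "10.1.0.1", 22),
    ("other host on admin subnet", "tcp", "10.1.83.37", 51516, "10.1.0.1", 22),
    ("admin host, telnet port",    "tcp", "10.1.83.36", 51517, "10.1.0.1", 23),
]


def results() -> Dict[str, str]:
    return {label: VTY_ACCESS.evaluate(p, s, sp, d, dp) for label, p, s, sp, d, dp in ATTEMPTS}


if __name__ == "__main__":
    for label, verdict in results().items():
        print(f"{label:30s} -> {verdict}")
```

Only the first attempt is permitted; a neighbour on the same /24 (which the old ACL 40 allowed via entry 82) and a non-SSH port both fall through to the implicit deny, which is the tightening the poster was after.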