Skip to main content

Edit Cisco ACL (unorder line after edit)

More
12 years 9 months ago #37831 by koslyr
I have a simple standard ACL in odrer to filter the access to vty lines. I want to edit the existing acl, so i add a new record to the specific ACL (40) with the lines info. After this action i gave the below show command and i found that the new record (with the line 83) became the first row in my ACL.

Why this is happened???


InternalRouter#show ip access-lists 40
Standard IP access list 40
83 permit 10.1.99.195
40 permit 195.251.16.252
50 permit 10.1.0.0, wildcard bits 0.0.0.255
60 permit 10.1.10.0, wildcard bits 0.0.0.255
82 permit 10.1.83.0, wildcard bits 0.0.0.255 (276 matches)

line vty 0 4
access-class 40 in
logging synchronous
login local
transport input ssh
More
12 years 9 months ago #37833 by Chris
koslyr,

If you performed a 'show run' its most likely you'll see the entry at the bottom of your configuration, indicating that its correctly placed as expected.

Can you try it and let us know of the result ?

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
More
12 years 9 months ago - 12 years 9 months ago #37837 by skylimit
In addition to Chris' reply, I think what you need is a named access list. So that you change a specific access list entry using its line number. This way, the position is not changed after editing if this makes sense.

e.g.
Code:
In global config mode obviously, ip access-list standard testacl 10 permit ip host 1.2.3.4 20 permit ip host 1.1.3.4 30 permit ip host 1.3.3.4

So, to edit the second entry you just do like so:
Code:
ip access-list standard testacl no 20 20 permit ip host 3.3.3.3

sh ip access-list to see the change

what's more, you can even insert an ACL in a particular position without changing any existing entry like so:
Code:
ip access-list standard testacl 10 permit ip host 1.2.3.4 15 permit ip host 2.4.5.6 <==new line inserted 20 permit ip host 1.1.3.4 30 permit ip host 1.3.3.4

The numbers are the line numbers i think they are called.

hope this helps

&quot;...you are never too old to learn&quot; anon
Last edit: 12 years 9 months ago by skylimit.
The following user(s) said Thank You: next_virus
More
12 years 9 months ago #37845 by koslyr

Chris wrote: koslyr,
If you performed a 'show run' its most likely you'll see the entry at the bottom of your configuration, indicating that its correctly placed as expected.
Can you try it and let us know of the result ?

Also in the running-config the new entry rule of ACL is not placed at the end of the Access-List. Maybe i will try to change the ACL to named Access List
More
12 years 9 months ago #37846 by Chris
I agree with Skylimit - Names ACL's are the way to go - They are much more versatile and less restrictive when dealing with live routers where access lists can't simply be removed and re-inserted!

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
More
12 years 9 months ago #37847 by koslyr
Also i decided with the new named ACL for the VTY to use a more secure way to restrict the vty access.
For this reason i use a extended access-list:

ip access-list extended VTY-ACCESS
permit tcp host 10.1.83.36 host 10.1.0.1 eq 22

My static IP Address is: 10.1.83.36 and the mng IP Address of the cisco network device is: 10.1.0.1.

line vty 0 4
access-class VTY-ACCESS in
logging synchronous
login local
transport input ssh

But when i try to connect via ssh(with SecureCRT) i received the following message:
Network unreachable. This might indicate that you are not connected to the network, or might
indicate a problem exists on the network between your ISP and the destination host.
Time to create page: 0.134 seconds