cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10219
Views
0
Helpful
2
Replies

Disable Access lists on CISCO Router

rumhyvarghese
Level 1
Level 1

Good Day Sir,

How can I disable access lists on the WAN interface (fa0/0) of a Cisco Router? Actually our ISP wants to connect to the router for doing some configuration. This is just temporary. Please do tell me how to disable the access list and to enable them back again.

This is the configuration:

interface FastEthernet0/0

ip address x.x.x.x 255.255.255.252

ip access-group 100 in

ip access-group 101 out

no ip mroute-cache

duplex full

speed 100

access-list 100 deny ip 10.0.0.0 0.255.255.255 any log

access-list 100 deny ip 172.16.0.0 0.15.255.255 any log

access-list 100 deny ip 192.168.0.0 0.0.255.255 any log

access-list 100 permit ip any any

access-list 101 permit ip 195.141.59.64 0.0.0.15 any

access-list 101 permit ip 195.141.192.0 0.0.0.31 any

access-list 101 permit ip 217.147.223.192 0.0.0.63 any

access-list 101 permit ip host 217.147.208.1 any

access-list 101 deny ip any any log

Best Regards,

Rumhy Sam Varghese

2 Replies 2

m.volodko
Level 1
Level 1

Hello.

For disable just delete string "ip access-group 100 in " in interface configuration. For enable put it again.

Advice: it not correct way to do this. May be you can just open specific port (ssh) for your ISP?

Hi,

Only allow ISP specific management IP block for ssh or any other port they need access using your existing acl.

1. Create new ACL 103 which include allowing ssh access to your ISP and apply it to F0/0 interface.

or

2. Insert new ACE into your existing ACL.

!

! An example to insert ACE

! Your ACL

r1#sh access-lists 100

Extended IP access list 100

10 deny ip 10.0.0.0 0.255.255.255 any log

20 deny ip 172.16.0.0 0.15.255.255 any log

30 deny ip 192.168.0.0 0.0.255.255 any log

40 permit ip any any

! Add ACE above seq 10

r1#conf t

r1(config)#ip access-list extended 100

r1(config-ext-nacl)#9 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.1 eq 22

r1(config-ext-nacl)#^Z

! Verify ACE

r1#sh access-lists 100

Extended IP access list 100

9 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.1 eq 22

10 deny ip 10.0.0.0 0.255.255.255 any log

20 deny ip 172.16.0.0 0.15.255.255 any log

30 deny ip 192.168.0.0 0.0.255.255 any log

40 permit ip any any

r1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

! Remove ACE

r1(config)#ip access-list extended 100

r1(config-ext-nacl)#no 9

! verify it has been removed.

r1(config-ext-nacl)#do sh access-list 100

Extended IP access list 100

10 deny ip 10.0.0.0 0.255.255.255 any log

20 deny ip 172.16.0.0 0.15.255.255 any log

30 deny ip 192.168.0.0 0.0.255.255 any log

40 permit ip any any

r1(config-ext-nacl)#

Regards,

-Shahzad

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco