09-03-2007 07:10 AM - edited 03-05-2019 06:15 PM
Good Day Sir,
How can I disable the access lists on the WAN interface (fa0/0) of a Cisco Router? Actually our ISP wants to connect to the router for doing some configuration. This is just temporary. Please do tell me how to disable the access lists and how to enable them back again.
This is the configuration:
interface FastEthernet0/0
ip address x.x.x.x 255.255.255.252
ip access-group 100 in
ip access-group 101 out
no ip mroute-cache
duplex full
speed 100
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 permit ip any any
access-list 101 permit ip 195.141.59.64 0.0.0.15 any
access-list 101 permit ip 195.141.192.0 0.0.0.31 any
access-list 101 permit ip 217.147.223.192 0.0.0.63 any
access-list 101 permit ip host 217.147.208.1 any
access-list 101 deny ip any any log
Best Regards,
Rumhy Sam Varghese
09-03-2007 07:19 AM
Hello.
To disable, just delete the string "ip access-group 100 in" in the interface configuration. To enable, put it back again.
Advice: this is not the correct way to do it. Maybe you can just open a specific port (ssh) for your ISP?
09-03-2007 08:47 AM
Hi,
Only allow the ISP's specific management IP block for ssh or any other port they need access to, using your existing ACL.
1. Create a new ACL 103 which includes allowing ssh access to your ISP and apply it to the F0/0 interface.
or
2. Insert new ACE into your existing ACL.
!
! An example to insert ACE
! Your ACL
r1#sh access-lists 100
Extended IP access list 100
10 deny ip 10.0.0.0 0.255.255.255 any log
20 deny ip 172.16.0.0 0.15.255.255 any log
30 deny ip 192.168.0.0 0.0.255.255 any log
40 permit ip any any
! Add ACE above seq 10
r1#conf t
r1(config)#ip access-list extended 100
r1(config-ext-nacl)#9 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.1 eq 22
r1(config-ext-nacl)#^Z
! Verify ACE
r1#sh access-lists 100
Extended IP access list 100
9 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.1 eq 22
10 deny ip 10.0.0.0 0.255.255.255 any log
20 deny ip 172.16.0.0 0.15.255.255 any log
30 deny ip 192.168.0.0 0.0.255.255 any log
40 permit ip any any
r1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
! Remove ACE
r1(config)#ip access-list extended 100
r1(config-ext-nacl)#no 9
! verify it has been removed.
r1(config-ext-nacl)#do sh access-list 100
Extended IP access list 100
10 deny ip 10.0.0.0 0.255.255.255 any log
20 deny ip 172.16.0.0 0.15.255.255 any log
30 deny ip 192.168.0.0 0.0.255.255 any log
40 permit ip any any
r1(config-ext-nacl)#
Regards,
-Shahzad
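To make the difference between the two approaches concrete, here is an added example (not from the thread and not Cisco code) that simulates how IOS evaluates an extended ACL: ACEs are tried in sequence-number order, the first match wins, and an unmatched packet hits the implicit deny. It loads ACL 100 exactly as posted in the question, then replays Shahzad's steps: insert `9 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.1 eq 22` above the RFC 1918 deny, check what gets through, and remove it again with `no 9`. The ISP block 10.1.1.0/24 and the management host 192.168.1.1 are the illustrative values from Shahzad's reply, and the two test packets are constructed for the example; `interface_decision` with no ACL shows what removing the `ip access-group` line actually does.

```python
"""Simulate Cisco IOS extended-ACL evaluation (first match by sequence number,
wildcard masks, implicit deny). Example code, not Cisco's. The ISP block
10.1.1.0/24 and host 192.168.1.1 are the illustrative values from the reply
above; the packets below are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: str               # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    dst: str
    dport: Optional[int]   # destination port from "eq N", None if absent


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _take_addr(tokens: List[str]) -> str:
    """Pop one address spec (any | host X | X WILDCARD) off the token list."""
    if tokens[0] == "any":
        return tokens.pop(0)
    return " ".join([tokens.pop(0), tokens.pop(0)])   # "host X" or "X WILDCARD"


def parse_ace(seq: int, text: str) -> Ace:
    """Parse e.g. 'permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.1 eq 22 log'."""
    tokens = text.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src = _take_addr(tokens)
    dst = _take_addr(tokens)
    dport = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        dport = int(tokens.pop(0))
    # a trailing "log" keyword only affects logging, never the match decision
    return Ace(seq, action, proto, src, dst, dport)


def addr_matches(spec: str, addr: str) -> bool:
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    parts = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    care = ~wild & 0xFFFFFFFF
    return (a & care) == (net & care)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching ACE in sequence order,
    or ('deny', None) for the implicit deny at the end of every IOS ACL."""
    for ace in sorted(acl, key=lambda e: e.seq):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not addr_matches(ace.src, pkt.src) or not addr_matches(ace.dst, pkt.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, ace.seq
    return "deny", None


def interface_decision(acl: Optional[List[Ace]], pkt: Packet) -> str:
    """No 'ip access-group' on the interface (acl is None) means everything passes."""
    if acl is None:
        return "permit"
    return evaluate(acl, pkt)[0]


# ACL 100 exactly as posted in the question, with the sequence numbers IOS assigns
ACL_100 = [
    parse_ace(10, "deny ip 10.0.0.0 0.255.255.255 any log"),
    parse_ace(20, "deny ip 172.16.0.0 0.15.255.255 any log"),
    parse_ace(30, "deny ip 192.168.0.0 0.0.255.255 any log"),
    parse_ace(40, "permit ip any any"),
]

# Constructed traffic: the ISP's SSH session and a Telnet attempt from the same block
ISP_SSH = Packet("10.1.1.5", "192.168.1.1", "tcp", 22)
ISP_TELNET = Packet("10.1.1.5", "192.168.1.1", "tcp", 23)


def with_isp_ace(acl: List[Ace]) -> List[Ace]:
    """The reply's step: insert seq 9 above the RFC 1918 deny at seq 10."""
    return acl + [parse_ace(9, "permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.1 eq 22")]


def without_seq(acl: List[Ace], seq: int) -> List[Ace]:
    """The reply's cleanup step: 'no 9' removes only that one ACE."""
    return [e for e in acl if e.seq != seq]


if __name__ == "__main__":
    temp = with_isp_ace(ACL_100)
    print("original ACL, ISP ssh:  ", evaluate(ACL_100, ISP_SSH))              # ('deny', 10)
    print("with seq 9, ISP ssh:    ", evaluate(temp, ISP_SSH))                 # ('permit', 9)
    print("with seq 9, ISP telnet: ", evaluate(temp, ISP_TELNET))              # ('deny', 10)
    print("no access-group, telnet:", interface_decision(None, ISP_TELNET))    # permit
    print("after 'no 9', ISP ssh:  ", evaluate(without_seq(temp, 9), ISP_SSH)) # ('deny', 10)
```

The point the run makes is the one both replies are driving at: with the `ip access-group` line removed, `interface_decision` passes everything, Telnet included, whereas the scoped ACE at sequence 9 lets only the ISP's SSH through and leaves every other line of ACL 100 in force, and `no 9` restores the original list exactly.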