09-23-2009 02:36 AM - edited 03-06-2019 07:50 AM
Hello all,
On this 12.4(24)T1 IOS Firewall, after some successful ACL updates, new ones do not appear anymore:
cisco2821#sh access-list Acl_DmzSec
Extended IP access list Acl_DmzSec
20 permit object-group OGs_Standard any any (7 matches)
30 permit icmp any any
40 permit 112 any host 224.0.0.18
50 permit object-group OGs_DNS host 172.19.201.1 host 172.17.202.26 (308 matches)
60 permit object-group OGs_DNS host 172.19.201.1 host 172.17.202.102 (94 matches)
70 permit object-group OGs_DNS host 172.19.201.1 object-group OGn_DmzRev (47 matches)
80 permit object-group OGs_DNS host 172.19.201.1 object-group OGn_DmzProxySig (13 matches)
90 permit object-group OGs_DNS host 172.19.201.1 object-group OGn_Externe (138499 matches)
100 permit tcp host 172.19.201.1 object-group OGn_Externe eq www (1119 matches)
110 permit udp host 172.19.201.1 object-group OGn_DmzProxySig eq ntp
120 permit udp host 172.19.201.1 object-group OGn_Externe eq ntp (132 matches)
130 permit tcp host 172.19.201.1 object-group OGn_DmzProxySig eq 3128
140 permit tcp host 172.19.201.1 host 172.17.202.61 eq smtp
150 permit tcp host 172.19.201.1 object-group OGn_Externe eq smtp
cisco2821#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco2821(config)#ip access-list extended Acl_DmzSec
cisco2821(config-ext-nacl)#10 permit object-group OGs_DNS host 172.19.201.1 host 172.17.202.102
cisco2821(config-ext-nacl)#end
cisco2821#sh access-list Acl_DmzSec
Extended IP access list Acl_DmzSec
20 permit object-group OGs_Standard any any (7 matches)
30 permit icmp any any
40 permit 112 any host 224.0.0.18
50 permit object-group OGs_DNS host 172.19.201.1 host 172.17.202.26 (308 matches)
60 permit object-group OGs_DNS host 172.19.201.1 host 172.17.202.102 (94 matches)
70 permit object-group OGs_DNS host 172.19.201.1 object-group OGn_DmzRev (47 matches)
80 permit object-group OGs_DNS host 172.19.201.1 object-group OGn_DmzProxySig (13 matches)
90 permit object-group OGs_DNS host 172.19.201.1 object-group OGn_Externe (138956 matches)
100 permit tcp host 172.19.201.1 object-group OGn_Externe eq www (1119 matches)
110 permit udp host 172.19.201.1 object-group OGn_DmzProxySig eq ntp
120 permit udp host 172.19.201.1 object-group OGn_Externe eq ntp (132 matches)
130 permit tcp host 172.19.201.1 object-group OGn_DmzProxySig eq 3128
140 permit tcp host 172.19.201.1 host 172.17.202.61 eq smtp
150 permit tcp host 172.19.201.1 object-group OGn_Externe eq smtp
If I reload, it will do it again, but users will surely be angry.
Regards,
Alain
09-23-2009 03:41 AM
Hello,
Your entire ACL consists only of permit-type entries. In this case, the recent IOSes might actually change the order of entries to better suit the internal evaluation of the entire ACL. Note that the entry you are trying to add is identical to the entry number 60. I am not surprised that while the command is accepted, it does not change the logic of the entire ACL and because it is only a duplicate of an existing entry, it is not actually added to your ACL.
Best regards,
Peter
09-23-2009 04:03 AM
Hello,
Thank you for your answer.
I did not verify that this ACE already existed elsewhere in this ACL.
But one question remains:
Can you change the order of ACEs when you see they are more frequently used?
In this case, do I have to do
ip access-list extended Acl....
no 60
10 permit ....
Couldn't it be easier to just change the ACE sequence number?
Regards
Alain
09-23-2009 04:37 AM
Hi Alain,
Personally, I don't know if there is any quick way to renumber an existing ACL entry. Perhaps someone else here will be able to answer but I do it the same way as you do: remove the old entry and reenter it with a new sequence number.
Best regards,
Peter
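The two points raised above, that IOS accepts a duplicate ACE at the prompt but silently does not add it (Peter's answer), and that moving an entry means removing it and re-adding it under a new sequence number (Alain's question and Peter's reply), can both be checked before and after touching the device. The following is an added example, not code from the thread or from Cisco: a small Python script that parses `show access-list` output, flags a proposed ACE that duplicates an existing one, builds the `no <seq>` / re-add commands for moving an entry, and verifies afterwards that the ACE is really installed at the expected sequence number. The ACL excerpt embedded in it is constructed from the names and addresses in the thread and shortened.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of `show access-list` output, modelled on the thread
# (object-group names and addresses copied from the post; list shortened).
SHOW_BEFORE = """\
Extended IP access list Acl_DmzSec
    20 permit object-group OGs_Standard any any (7 matches)
    30 permit icmp any any
    60 permit object-group OGs_DNS host 172.19.201.1 host 172.17.202.102 (94 matches)
    140 permit tcp host 172.19.201.1 host 172.17.202.61 eq smtp
"""

ACL_HEADER_RE = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
# sequence number, action, rule body, optional "(N matches)" hit counter
ACE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$"
)


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str
    body: str      # rule text without sequence number or hit counter
    matches: int


def parse_show_access_list(text):
    """Return (acl_name, [Ace, ...]) parsed from IOS `show access-list` output."""
    name, aces = None, []
    for line in text.splitlines():
        m = ACL_HEADER_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = ACE_RE.match(line)
        if m:
            seq, action, body, hits = m.groups()
            aces.append(Ace(int(seq), action, " ".join(body.split()), int(hits or 0)))
    return name, aces


def normalize(rule):
    """Drop an optional leading sequence number and collapse whitespace, so
    '10 permit ...' and '60 permit ...' compare equal on rule text alone."""
    parts = rule.split()
    if parts and parts[0].isdigit():
        parts = parts[1:]
    return " ".join(parts)


def find_duplicate(aces, proposed):
    """Return the existing Ace whose rule text equals `proposed`, else None.
    IOS accepts such a duplicate at the prompt but does not add it."""
    wanted = normalize(proposed)
    for ace in aces:
        if f"{ace.action} {ace.body}" == wanted:
            return ace
    return None


def move_ace_commands(acl_name, aces, old_seq, new_seq):
    """Build the remove/re-add commands that move one ACE to a new sequence
    number (the manual method from the thread). Refuses unknown or taken seqs."""
    by_seq = {a.seq: a for a in aces}
    if old_seq not in by_seq:
        raise ValueError(f"no ACE with sequence {old_seq}")
    if new_seq in by_seq:
        raise ValueError(f"sequence {new_seq} already in use")
    ace = by_seq[old_seq]
    return [
        f"ip access-list extended {acl_name}",
        f"no {old_seq}",
        f"{new_seq} {ace.action} {ace.body}",
    ]


def ace_present_at(after_text, seq, rule):
    """Post-change check: is `rule` installed at `seq`? Hit counters are ignored,
    so this compares rule text only and exposes a silently dropped change."""
    _, aces = parse_show_access_list(after_text)
    wanted = normalize(rule)
    return any(a.seq == seq and f"{a.action} {a.body}" == wanted for a in aces)


if __name__ == "__main__":
    name, aces = parse_show_access_list(SHOW_BEFORE)
    new = "10 permit object-group OGs_DNS host 172.19.201.1 host 172.17.202.102"
    dup = find_duplicate(aces, new)
    if dup:
        print(f"would be ignored: duplicate of sequence {dup.seq}")
        for cmd in move_ace_commands(name, aces, dup.seq, 10):
            print(cmd)
```

Run as-is, it reports that the proposed entry 10 duplicates sequence 60 and prints the three commands that move it. Re-parsing `show access-list` after every change and checking the expected sequence number is the cheap step that catches the silent no-op seen in the first post. For renumbering a whole list, IOS also has `ip access-list resequence <name> <start> <increment>`, but that renumbers every entry uniformly and does not move a single ACE relative to the others.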
09-25-2009 01:15 PM
Hi Peter,
Why couldn't IOS automatically optimize ACL processing by auto-resequencing the entries rather than doing it manually?
It could be a background task running at periodic moments when packet counters become significant.
It is just an idea to submit.
Alain