access-list remarks

Answered Question
Sep 18th, 2010
User Badges:

Hi all,


I have another question here.


I want to add remarks in an existing ACL. Can i do that without rewriting the entire access-list or do i have to remove it and create it again?


For instance I have this ACL


ip access-list extended NAT
deny   ip host 192.168.5.6 10.100.100.0 0.0.0.255
deny   ip host 192.168.5.7 any
permit ip any any


And i want to add the following lines:


ip access-list extended NAT

remark deny SMTP server from being NATed

  deny   ip host 192.168.5.6 10.100.100.0 0.0.0.255

remark deny web server from being NATed
deny   ip host 192.168.5.7 any

remark NAT everything else
  permit ip any any


Can i do that without any downtime? I have done it in ASA but when i try Cisco Configuration professional, the preview commands are


no ip access-list extended NAT

ip access-list extended NAT

remark deny SMTP server from being NATed

  deny   ip host 192.168.5.6 10.100.100.0 0.0.0.255

remark deny web server from being NATed
  deny   ip host 192.168.5.7 any

remark NAT everything else
  permit ip any any


In which i want to avoid because it would cause downtime.

Correct Answer by chaitram about 6 years 7 months ago

Hi,

  I just tried with Cisco Configuration Professional.


I had the following config:


interface g0/1

ip addr 10.104.58.183 255.255.255.0

ip access-group test in


ip access-list extended test
deny   ip host 10.104.58.164 any
permit ip any any



I am trying to ping 10.104.58.183 from host 10.104.58.164. (The ping works fine when there is no ACL test on intergace g0/0)


I discover the device through Cisco CP and edit the ACL test to configure the remark.


This is what is shown in the CLI preview:


no ip access-list extended test
ip access-list extended test
remark testing ACL
remark CCP_ACL Category=17
deny ip host 10.104.58.164 any
permit ip any any
exit


I did not see any downtime. I would have expoected ping from 10.104.58.164 to succeed while delivering the CLI but actually it didn't.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Edison Ortiz Sat, 09/18/2010 - 17:51
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

First, execute show ip access-list from the exec mode and note the line numbering on the access-list entries.

Second, enter in config mode and go into the access-list submode by typing ip access-list extended NAT

Third, when entering the command select a number that's between the line numbering from step 1. For instance:


10 deny   ip host 192.168.5.6 10.100.100.0 0.0.0.255
20 deny   ip host 192.168.5.7 any
30 permit ip any any


You would enter


5 remark deny SMTP server from being NATed

15 remark deny web server from being NATed

25 remark NAT everything else



Regards,


Edison

Nikos Nicolaides Sun, 09/19/2010 - 00:00
User Badges:

Thank you for your reply Edison ,



I have tried this but it does not work. Here is the output of the router.


LOGBG>sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(24)T3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 23-Mar-10 06:43 by prod_rel_team


ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)


LOGBG uptime is 1 week, 4 days, 19 hours, 30 minutes
System returned to ROM by bus error at PC 0x4177FC80, address 0x931B at 14:19:32 EEST Tue Sep 7 2010
System restarted at 14:21:29 EEST Tue Sep 7 2010
System image file is "flash:c2800nm-advsecurityk9-mz.124-24.T3.bin"



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.


A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html


If you require further assistance please contact us by sending email to
[email protected].


Cisco 2811 (revision 53.51) with 247808K/14336K bytes of memory.
Processor board ID FCZ101470JQ
7 FastEthernet interfaces
1 Serial(sync/async) interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)


Configuration register is 0x2102


LOGBG>
LOGBG>en
Password:
LOGBG#sh ip ac
LOGBG#sh ip acce
LOGBG#sh ip access-lists NAT
Extended IP access list NAT
    10 deny ip host 192.168.5.6 10.100.100.0 0.0.0.255
    20 deny ip host 192.168.5.7 any (7867 matches)
    30 permit ip host 192.168.5.6 any (409 matches)
    40 permit ip host 192.168.7.9 any (11101 matches)
    50 deny ip 192.168.0.0 0.0.0.255 10.2.0.0 0.0.255.255
    60 deny ip 192.168.1.0 0.0.0.255 10.2.0.0 0.0.255.255
    70 deny ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.255.255 (1745 matches)
    80 deny ip 192.168.0.0 0.0.0.255 10.4.1.0 0.0.0.255
    90 deny ip 192.168.1.0 0.0.0.255 10.4.1.0 0.0.0.255
    100 deny ip 10.0.0.0 0.0.0.255 10.4.1.0 0.0.0.255
    110 deny ip 192.168.0.0 0.0.0.255 10.11.1.0 0.0.0.255
    120 deny ip 10.5.1.0 0.0.0.255 10.11.1.0 0.0.0.255
    130 deny ip 192.168.0.0 0.0.0.255 10.12.1.0 0.0.0.255
    140 deny ip 10.5.1.0 0.0.0.255 10.12.1.0 0.0.0.255
    150 deny ip 192.168.0.0 0.0.0.255 10.6.1.0 0.0.0.255
    160 deny ip 192.168.1.0 0.0.0.255 10.6.1.0 0.0.0.255
    170 deny ip 10.0.0.0 0.0.0.255 10.6.1.0 0.0.0.255
    180 deny ip 10.5.1.0 0.0.0.255 10.6.1.0 0.0.0.255
    190 deny ip 192.168.0.0 0.0.1.255 10.1.0.0 0.0.255.255 (10 matches)
    200 deny ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.255.255
    210 deny ip 10.5.1.0 0.0.0.255 10.1.0.0 0.0.255.255
    220 deny ip 192.168.0.0 0.0.0.255 10.10.11.0 0.0.0.255
    230 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255 (10515 matches)
    240 deny ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255 (1882 matches)
    250 deny ip 192.168.9.0 0.0.0.255 10.6.1.0 0.0.0.255
    260 deny ip 192.168.0.0 0.0.0.255 10.8.1.0 0.0.0.255
    270 deny ip 10.0.0.0 0.0.0.255 10.8.1.0 0.0.0.255
    280 deny ip 192.168.0.0 0.0.1.255 10.9.1.0 0.0.0.255 (6 matches)
    290 deny ip 10.0.0.0 0.0.0.255 10.9.1.0 0.0.0.255
    300 deny ip 10.0.0.0 0.0.0.255 10.9.2.0 0.0.0.255
    310 deny ip 192.168.0.0 0.0.0.255 10.3.1.0 0.0.0.255
    320 deny ip 10.0.0.0 0.0.0.255 10.3.1.0 0.0.0.255
    330 deny ip host 192.168.5.6 any
    340 permit ip 192.168.0.0 0.0.0.255 any (299103 matches)
    350 permit ip 192.168.2.0 0.0.0.255 any (13032 matches)
    360 permit ip 192.168.5.0 0.0.0.255 any (1128894 matches)
    370 permit ip 10.0.0.0 0.0.0.255 any (108396 matches)
    380 permit ip 192.168.8.0 0.0.0.255 any
    390 permit ip 192.168.7.0 0.0.0.255 any (2694 matches)
    400 permit ip 192.168.9.0 0.0.0.255 any (73 matches)
    410 permit ip 192.168.4.0 0.0.0.255 any (1205 matches)
    420 permit ip 10.5.1.0 0.0.0.255 any (113377 matches)
    430 permit ip 192.168.19.0 0.0.0.255 any
    440 permit ip host 192.168.5.2 any
    450 permit ip 192.168.124.0 0.0.0.255 any (19377 matches)
    460 deny ip any any (2775174 matches)
LOGBG#sh run | i NAT
ip nat inside source list NAT interface FastEthernet0/1 overload
ip nat inside source list NAT2 interface FastEthernet0/0 overload
ip access-list extended NAT
ip access-list extended NAT2
LOGBG#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
LOGBG(config)#ip access-list extended NAT
LOGBG(config-ext-nacl)#5 remark do not NAT GPS server when going to network 10.100.100.0/24
                         ^
% Invalid input detected at '^' marker.


LOGBG(config-ext-nacl)#5 ?
  deny      Specify packets to reject
  dynamic   Specify a DYNAMIC list of PERMITs or DENYs
  evaluate  Evaluate an access list
  exit      Exit from access-list configuration mode
  permit    Specify packets to forward


LOGBG(config-ext-nacl)#



do you think i may have hit a bug?

chaitram Fri, 10/01/2010 - 02:28
User Badges:

Hi,

    For editing the ACL on the Router, I guess you will have to remove the ACL and reconfiugre it. I tried adding the Remarks after creating the extended ACL. Even though the CLI did not throw an error, the Remarks CLI was not accepted and it did not appear in the running config.


And when you issue a "no access-list" and configure it back, there will be a downtime


Thanks

Chaitra

Correct Answer
chaitram Fri, 10/01/2010 - 02:53
User Badges:

Hi,

  I just tried with Cisco Configuration Professional.


I had the following config:


interface g0/1

ip addr 10.104.58.183 255.255.255.0

ip access-group test in


ip access-list extended test
deny   ip host 10.104.58.164 any
permit ip any any



I am trying to ping 10.104.58.183 from host 10.104.58.164. (The ping works fine when there is no ACL test on intergace g0/0)


I discover the device through Cisco CP and edit the ACL test to configure the remark.


This is what is shown in the CLI preview:


no ip access-list extended test
ip access-list extended test
remark testing ACL
remark CCP_ACL Category=17
deny ip host 10.104.58.164 any
permit ip any any
exit


I did not see any downtime. I would have expoected ping from 10.104.58.164 to succeed while delivering the CLI but actually it didn't.

gatlin007 Fri, 10/01/2010 - 08:22
User Badges:
  • Silver, 250 points or more

If using the CLI consider installing a new ACL; this wont result in downtime.

Let's say your current ACL is 100 and the config looks something like this:

access-list 100 deny ip any 172.16.0.0 0.0.0.255
access-list 100 permit ip any any

int fa0/0
ip access-group 100 in
exit


Now we want to add a remark or additional rule; use another ACL.

access-list 101 remark *** FA0/0 Ingress ***

access-list 101 remark *** 20101001 ***
access-list 101 deny ip any 192.168.0.0 0.0.255.255
access-list 101 deny ip any 172.16.0.0 0.0.0.255
access-list 101 permit ip any any

int fa0/0
ip access-group 101 in
exit

This results in no downtime and gives you an opportunity to backout the change quickly if things don't work as anticipated.  30 days latter get rid of the old ACL.


Chris

Nikos Nicolaides Fri, 10/01/2010 - 09:46
User Badges:

Hi,



But of course! You are right. Replacing an access-list with an other in an interface cause no downtime. So this is the solution!



Thank you for your support and your time,


Nicos

Actions

This Discussion

Related Content