09-18-2010 04:44 PM - edited 03-04-2019 09:48 AM
Hi all,
I have another question here.
I want to add remarks in an existing ACL. Can I do that without rewriting the entire access-list, or do I have to remove it and create it again?
For instance I have this ACL
ip access-list extended NAT
deny ip host 192.168.5.6 10.100.100.0 0.0.0.255
deny ip host 192.168.5.7 any
permit ip any any
And i want to add the following lines:
ip access-list extended NAT
remark deny SMTP server from being NATed
deny ip host 192.168.5.6 10.100.100.0 0.0.0.255
remark deny web server from being NATed
deny ip host 192.168.5.7 any
remark NAT everything else
permit ip any any
Can I do that without any downtime? I have done it on an ASA, but when I try Cisco Configuration Professional, the preview commands are
no ip access-list extended NAT
ip access-list extended NAT
remark deny SMTP server from being NATed
deny ip host 192.168.5.6 10.100.100.0 0.0.0.255
remark deny web server from being NATed
deny ip host 192.168.5.7 any
remark NAT everything else
permit ip any any
Which I want to avoid because it would cause downtime.
09-18-2010 05:51 PM
First, execute show ip access-list from the exec mode and note the line numbering on the access-list entries.
Second, enter in config mode and go into the access-list submode by typing ip access-list extended NAT
Third, when entering the command select a number that's between the line numbering from step 1. For instance:
10 deny ip host 192.168.5.6 10.100.100.0 0.0.0.255
20 deny ip host 192.168.5.7 any
30 permit ip any any
You would enter
5 remark deny SMTP server from being NATed
15 remark deny web server from being NATed
25 remark NAT everything else
Regards,
Edison
09-19-2010 12:00 AM
Thank you for your reply, Edison.
I have tried this but it does not work. Here is the output of the router.
LOGBG>sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(24)T3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 23-Mar-10 06:43 by prod_rel_team
ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)
LOGBG uptime is 1 week, 4 days, 19 hours, 30 minutes
System returned to ROM by bus error at PC 0x4177FC80, address 0x931B at 14:19:32 EEST Tue Sep 7 2010
System restarted at 14:21:29 EEST Tue Sep 7 2010
System image file is "flash:c2800nm-advsecurityk9-mz.124-24.T3.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 2811 (revision 53.51) with 247808K/14336K bytes of memory.
Processor board ID FCZ101470JQ
7 FastEthernet interfaces
1 Serial(sync/async) interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
LOGBG>
LOGBG>en
Password:
LOGBG#sh ip ac
LOGBG#sh ip acce
LOGBG#sh ip access-lists NAT
Extended IP access list NAT
10 deny ip host 192.168.5.6 10.100.100.0 0.0.0.255
20 deny ip host 192.168.5.7 any (7867 matches)
30 permit ip host 192.168.5.6 any (409 matches)
40 permit ip host 192.168.7.9 any (11101 matches)
50 deny ip 192.168.0.0 0.0.0.255 10.2.0.0 0.0.255.255
60 deny ip 192.168.1.0 0.0.0.255 10.2.0.0 0.0.255.255
70 deny ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.255.255 (1745 matches)
80 deny ip 192.168.0.0 0.0.0.255 10.4.1.0 0.0.0.255
90 deny ip 192.168.1.0 0.0.0.255 10.4.1.0 0.0.0.255
100 deny ip 10.0.0.0 0.0.0.255 10.4.1.0 0.0.0.255
110 deny ip 192.168.0.0 0.0.0.255 10.11.1.0 0.0.0.255
120 deny ip 10.5.1.0 0.0.0.255 10.11.1.0 0.0.0.255
130 deny ip 192.168.0.0 0.0.0.255 10.12.1.0 0.0.0.255
140 deny ip 10.5.1.0 0.0.0.255 10.12.1.0 0.0.0.255
150 deny ip 192.168.0.0 0.0.0.255 10.6.1.0 0.0.0.255
160 deny ip 192.168.1.0 0.0.0.255 10.6.1.0 0.0.0.255
170 deny ip 10.0.0.0 0.0.0.255 10.6.1.0 0.0.0.255
180 deny ip 10.5.1.0 0.0.0.255 10.6.1.0 0.0.0.255
190 deny ip 192.168.0.0 0.0.1.255 10.1.0.0 0.0.255.255 (10 matches)
200 deny ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.255.255
210 deny ip 10.5.1.0 0.0.0.255 10.1.0.0 0.0.255.255
220 deny ip 192.168.0.0 0.0.0.255 10.10.11.0 0.0.0.255
230 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255 (10515 matches)
240 deny ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255 (1882 matches)
250 deny ip 192.168.9.0 0.0.0.255 10.6.1.0 0.0.0.255
260 deny ip 192.168.0.0 0.0.0.255 10.8.1.0 0.0.0.255
270 deny ip 10.0.0.0 0.0.0.255 10.8.1.0 0.0.0.255
280 deny ip 192.168.0.0 0.0.1.255 10.9.1.0 0.0.0.255 (6 matches)
290 deny ip 10.0.0.0 0.0.0.255 10.9.1.0 0.0.0.255
300 deny ip 10.0.0.0 0.0.0.255 10.9.2.0 0.0.0.255
310 deny ip 192.168.0.0 0.0.0.255 10.3.1.0 0.0.0.255
320 deny ip 10.0.0.0 0.0.0.255 10.3.1.0 0.0.0.255
330 deny ip host 192.168.5.6 any
340 permit ip 192.168.0.0 0.0.0.255 any (299103 matches)
350 permit ip 192.168.2.0 0.0.0.255 any (13032 matches)
360 permit ip 192.168.5.0 0.0.0.255 any (1128894 matches)
370 permit ip 10.0.0.0 0.0.0.255 any (108396 matches)
380 permit ip 192.168.8.0 0.0.0.255 any
390 permit ip 192.168.7.0 0.0.0.255 any (2694 matches)
400 permit ip 192.168.9.0 0.0.0.255 any (73 matches)
410 permit ip 192.168.4.0 0.0.0.255 any (1205 matches)
420 permit ip 10.5.1.0 0.0.0.255 any (113377 matches)
430 permit ip 192.168.19.0 0.0.0.255 any
440 permit ip host 192.168.5.2 any
450 permit ip 192.168.124.0 0.0.0.255 any (19377 matches)
460 deny ip any any (2775174 matches)
LOGBG#sh run | i NAT
ip nat inside source list NAT interface FastEthernet0/1 overload
ip nat inside source list NAT2 interface FastEthernet0/0 overload
ip access-list extended NAT
ip access-list extended NAT2
LOGBG#conf t
Enter configuration commands, one per line. End with CNTL/Z.
LOGBG(config)#ip access-list extended NAT
LOGBG(config-ext-nacl)#5 remark do not NAT GPS server when going to network 10.100.100.0/24
^
% Invalid input detected at '^' marker.
LOGBG(config-ext-nacl)#5 ?
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
evaluate Evaluate an access list
exit Exit from access-list configuration mode
permit Specify packets to forward
LOGBG(config-ext-nacl)#
Do you think I may have hit a bug?
10-01-2010 02:28 AM
Hi,
For editing the ACL on the router, I guess you will have to remove the ACL and reconfigure it. I tried adding the remarks after creating the extended ACL. Even though the CLI did not throw an error, the remark CLI was not accepted and it did not appear in the running config.
And when you issue a "no access-list" and configure it back, there will be a downtime
Thanks
Chaitra
10-01-2010 02:53 AM
Hi,
I just tried with Cisco Configuration Professional.
I had the following config:
interface g0/1
ip addr 10.104.58.183 255.255.255.0
ip access-group test in
ip access-list extended test
deny ip host 10.104.58.164 any
permit ip any any
I am trying to ping 10.104.58.183 from host 10.104.58.164. (The ping works fine when there is no ACL test on interface g0/0.)
I discover the device through Cisco CP and edit the ACL test to configure the remark.
This is what is shown in the CLI preview:
no ip access-list extended test
ip access-list extended test
remark testing ACL
remark CCP_ACL Category=17
deny ip host 10.104.58.164 any
permit ip any any
exit
I did not see any downtime. I would have expected the ping from 10.104.58.164 to succeed while delivering the CLI, but actually it didn't.
10-01-2010 08:22 AM
If using the CLI, consider installing a new ACL; this won't result in downtime.
Let's say your current ACL is 100 and the config looks something like this:
access-list 100 deny ip any 172.16.0.0 0.0.0.255
access-list 100 permit ip any any
int fa0/0
ip access-group 100 in
exit
Now we want to add a remark or additional rule; use another ACL.
access-list 101 remark *** FA0/0 Ingress ***
access-list 101 remark *** 20101001 ***
access-list 101 deny ip any 192.168.0.0 0.0.255.255
access-list 101 deny ip any 172.16.0.0 0.0.0.255
access-list 101 permit ip any any
int fa0/0
ip access-group 101 in
exit
This results in no downtime and gives you an opportunity to back out the change quickly if things don't work as anticipated. 30 days later, get rid of the old ACL.
Chris
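As an added example, not code from this thread or from Cisco: a small Python script that covers both Edison's sequence-number step (pick a free number between two existing entries, which the `5 ?` output above shows is accepted for permit/deny ACEs on 12.4(24)T3) and Chris's no-downtime approach for the remarks case (build a fresh named ACL carrying the same ACEs with the remarks in place, then re-point the interface with a single `ip access-group` line and keep a one-line rollback). It parses `show ip access-lists` output rather than the running config so the hit counters are stripped and the live sequence numbers are used. The sample output embedded in the script is constructed, truncated from the NAT list quoted earlier in the thread; the new list name `NAT-20101001` and the interface `FastEthernet0/0` are hypothetical. It only generates commands for an interface access-group; a list referenced by `ip nat inside source list`, as in the original question, would need that NAT statement re-pointed instead, which the script does not do. It prints the commands and pushes nothing.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the shape of `show ip access-lists NAME` on IOS 12.4,
# truncated from the NAT list quoted earlier in this thread.
SHOW_ACL = """\
Extended IP access list NAT
    10 deny ip host 192.168.5.6 10.100.100.0 0.0.0.255
    20 deny ip host 192.168.5.7 any (7867 matches)
    30 permit ip host 192.168.5.6 any (409 matches)
    460 deny ip any any (2775174 matches)
"""

HEADER_RE = re.compile(r"^(Extended|Standard) IP access list (\S+)\s*$")
# Sequence number, then the ACE text, then an optional hit counter to discard.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+((?:permit|deny)\b.*?)(?:\s+\(\d+ matches?\))?\s*$")


def parse_show_acl(text: str) -> Tuple[str, str, List[Tuple[int, str]]]:
    """Parse `show ip access-lists` output into (kind, name, [(seq, ace), ...])."""
    lines = [l for l in text.splitlines() if l.strip()]
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not a show ip access-lists header: %r" % lines[0])
    kind, name = m.group(1).lower(), m.group(2)
    entries = []
    for line in lines[1:]:
        e = ENTRY_RE.match(line)
        if not e:  # dynamic/evaluate entries are not handled; fail loudly
            raise ValueError("unparsed ACL line: %r" % line)
        entries.append((int(e.group(1)), e.group(2)))
    return kind, name, entries


def free_seq_before(entries: List[Tuple[int, str]], seq: int) -> int:
    """Edison's step 3: a sequence number that sorts just before `seq`, midway
    between the previous entry and `seq`. Raises when no gap is left."""
    seqs = [s for s, _ in entries]
    if seq not in seqs:
        raise ValueError("sequence %d not in ACL" % seq)
    prev = max([s for s in seqs if s < seq], default=0)
    if seq - prev < 2:
        raise ValueError("no free sequence number between %d and %d" % (prev, seq))
    return prev + (seq - prev) // 2


def build_replacement(kind: str, new_name: str, entries: List[Tuple[int, str]],
                      remarks: Dict[int, str]) -> List[str]:
    """Chris's approach: a brand-new named ACL with the same ACEs in the same
    order, each remark placed just before the ACE whose sequence number keys it.
    Sequence numbers are not re-entered: IOS numbers a fresh list in the order
    given, and on the poster's 12.4(24)T3 `N remark` was rejected anyway."""
    unknown = set(remarks) - {s for s, _ in entries}
    if unknown:
        raise ValueError("remarks keyed on absent sequence numbers: %s" % sorted(unknown))
    cmds = ["ip access-list %s %s" % (kind, new_name)]
    for seq, ace in entries:
        if seq in remarks:
            cmds.append(" remark " + remarks[seq])
        cmds.append(" " + ace)
    cmds.append("exit")
    return cmds


def aces_only(cmds: List[str]) -> List[str]:
    """ACEs of a generated list without remarks or mode lines, for the
    pre-change check that the new list filters exactly what the old one did."""
    return [c.strip() for c in cmds
            if c.startswith(" ") and not c.strip().startswith("remark")]


def swap_commands(interface: str, direction: str, old_name: str,
                  new_name: str) -> Tuple[List[str], List[str]]:
    """Re-point the interface in one `ip access-group` line (no `no` form first,
    so the interface is never left unfiltered), plus the one-line rollback."""
    apply_cmds = ["interface %s" % interface,
                  " ip access-group %s %s" % (new_name, direction), "exit"]
    rollback = ["interface %s" % interface,
                " ip access-group %s %s" % (old_name, direction), "exit"]
    return apply_cmds, rollback


def plan(show_text: str, new_name: str, remarks: Dict[int, str],
         interface: str, direction: str) -> Tuple[List[str], List[str]]:
    """Full change set (new list + swap) and its rollback, or an exception."""
    kind, old_name, entries = parse_show_acl(show_text)
    new_acl = build_replacement(kind, new_name, entries, remarks)
    if aces_only(new_acl) != [ace for _, ace in entries]:
        raise RuntimeError("generated list does not match live ACEs")
    apply_cmds, rollback = swap_commands(interface, direction, old_name, new_name)
    return new_acl + apply_cmds, rollback


if __name__ == "__main__":
    change, back = plan(SHOW_ACL, "NAT-20101001",
                        {10: "deny SMTP server from being NATed",
                         20: "deny web server from being NATed"},
                        "FastEthernet0/0", "in")
    print("\n".join(change))
    print("! rollback:\n" + "\n".join(back))
```

Paste the printed change into config mode, verify with `show ip access-lists NAT-20101001` and `show ip interface FastEthernet0/0`, and keep the rollback block open in another window until traffic is confirmed; the old list stays on the box untouched until you remove it yourself.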
10-01-2010 09:46 AM
Hi,
But of course! You are right. Replacing an access-list with another on an interface causes no downtime. So this is the solution!
Thank you for your support and your time,
Nicos