08-25-2008 01:43 PM - edited 02-20-2020 09:40 PM
An access-list has been configured on a router to block an IP address. Can additional IP addresses be added to the original access-list at a later time?
ex.
(config)#access-list 5 deny 10.10.117.0 0.0.0.255
(config)#access-list 5 permit any
Can we use access-list 5 to block additional IPs or do we have to create a new access-list?
08-25-2008 05:03 PM
Of course you can.
Let's take this example:
R2#sh ip access-lists
standard IP access list 5
10 deny 10.10.117.0 0.0.0.255
20 permit any
You can do it like this:
R2(config)#ip access-list standard 5
R2(config-ext-nacl)#no 20 permit any
R2(config-ext-nacl)#end
Then start putting in the deny statements as you want,
like
(config)#access-list 5 deny 10.10.118.0 0.0.0.255
(config)#access-list 5 deny 10.10.119.0 0.0.0.255
then put your permit:
(config)#access-list 5 permit any
Keep in mind that without the permit any at the end, anything not permitted by the ACL will be denied, because there is a default deny all (implicit deny) at the end of each ACL,
so the permit any will solve it.
good luck
please, if helpful Rate
08-26-2008 04:58 AM
Said
I agree with Marwan, but it does depend on your IOS version. You may find that when you do a "sh ip access-list" the lines are not numbered, in which case you would need to type out a new access-list and apply that, because any lines you add to access-list 5 will appear at the end, and this would not work for you as there would be a "permit any" before the new deny line you have added.
Jon
08-26-2008 07:08 AM
Before receiving your answers, I went ahead and added a deny statement and another permit any statement. I see that the last permit any statement does not show up. Based on your suggestions, I should remove "20 permit any (8245262 matches)" and add another permit any statement.
Kindly confirm. This is a production router.
Standard IP access list 5
10 deny 78.8.117.0, wildcard bits 0.0.0.255
20 permit any (8245262 matches)
30 deny 207.102.0.0, wildcard bits 0.0.255.255
40 deny 207.103.0.0, wildcard bits 0.0.255.255
50 deny 58.0.0.0, wildcard bits 0.255.255.255
08-26-2008 07:16 AM
Yes:
ip access-list standard 5
no 20 permit any
09-11-2008 03:36 PM
Thank you. It worked.
08-26-2008 05:05 AM
But based on this simple ACL, if you do
no access-list 5 permit any
then start to put in your deny lines, then put
the access-list 5 permit any line again at the end!!
08-26-2008 07:32 AM
Marwan
Agreed, you can do this, but it also depends on your IOS version. A while back a numbered ACL could not be edited in place, i.e. you had to remove the ACL, edit it, and apply it again.
IOS behaviour now is to allow numbered access-lists to be edited.
See this thread which goes into more detail.
Jon
08-26-2008 07:51 AM
Jon,
So based on the below, a 'no 20 permit any' should be added and immediately followed by a '60 permit any'?
10 deny 78.8.117.0, wildcard bits 0.0.0.255
20 permit any (8245262 matches)
30 deny 207.102.0.0, wildcard bits 0.0.255.255
40 deny 207.103.0.0, wildcard bits 0.0.255.255
50 deny 58.0.0.0, wildcard bits 0.255.255.255
08-26-2008 10:10 AM
Said
Yes that will do it. Put the 2 lines into a text-editor, make sure you are happy with them and then cut and paste onto the router.
Make sure that if you have telnetted to the router that you telnetted to an interface that this access-list is not applied to. If you are on the console no problem.
Jon
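To check the reasoning in this thread without touching a production router, here is an added example (not from any poster) that simulates Cisco IOS standard ACL semantics in Python: sequence-ordered first-match evaluation, wildcard-mask matching and the implicit deny at the end. It uses the addresses from the poster's ACL and applies the agreed fix ("no 20 permit any" followed by "60 permit any"); the dictionary layout and function names are assumptions for the simulation.

```python
# Added example (not from the thread): simulate Cisco IOS standard ACL evaluation to
# confirm why deny lines appended after "permit any" never match, and that removing
# line 20 and re-adding "permit any" as line 60 makes the new denies effective.
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is a don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (n & care)


def evaluate(acl: dict, addr: str) -> str:
    """Walk entries in sequence-number order; first match wins.
    No match at all falls through to the implicit deny at the end of every ACL."""
    for seq in sorted(acl):
        action, network, wildcard = acl[seq]
        if wildcard_match(addr, network, wildcard):
            return action
    return "deny"


PERMIT_ANY = ("permit", "0.0.0.0", "255.255.255.255")

# The ACL as the original poster had it after appending lines 30-50 (values from the thread):
# "permit any" at line 20 shadows every deny that follows it.
BEFORE = {
    10: ("deny", "78.8.117.0", "0.0.0.255"),
    20: PERMIT_ANY,
    30: ("deny", "207.102.0.0", "0.0.255.255"),
    40: ("deny", "207.103.0.0", "0.0.255.255"),
    50: ("deny", "58.0.0.0", "0.255.255.255"),
}


def fix_acl(acl: dict) -> dict:
    """Apply the agreed edit: 'no 20 permit any', then '60 permit any'."""
    fixed = {seq: entry for seq, entry in acl.items() if seq != 20}
    fixed[60] = PERMIT_ANY
    return fixed


AFTER = fix_acl(BEFORE)

if __name__ == "__main__":
    for ip in ("207.102.5.5", "58.1.2.3", "8.8.8.8"):
        print(ip, "before:", evaluate(BEFORE, ip), "after:", evaluate(AFTER, ip))
```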