Access list help on Cisco 877

jamesgonzo
Level 1

Hi, this is probably a very easy question for all.

What is the best way to amend an access list?

For example, if I have this access list:

access-list 101 permit ip 172.19.15.0 0.0.0.255 192.168.20.0 0.0.0.255

access-list 101 permit ip 172.19.15.0 0.0.0.255 192.168.40.0 0.0.0.255

access-list 101 permit ip 172.19.15.0 0.0.0.255 192.168.60.0 0.0.0.255

and I want to remove:

access-list 101 permit ip 172.19.15.0 0.0.0.255 192.168.20.0 0.0.0.255

I type:

no access-list 101 permit ip 172.19.15.0 0.0.0.255 192.168.20.0 0.0.0.255

I then find the whole 101 access list is gone?

Accepted Solution

It's always better to be as granular as possible with ACL to make it more secure. Let's say if you have a host that needs to access to something then it wouldn't be a good idea to allow the whole subnet to access that resource instead an ACL permitting just the host would be a good setup.

The matches indicate how many packets matched the entry (ACE) in the ACL. Unless the ACL is huge, like 100's of ACEs, I don't think it would be a problem for the router to handle in any environment, including IPSEC crypto ACLs.

HTH

Sundar


6 Replies

If you just want to use the two statements in your ACL then you aren't going to gain much by tweaking the wild card mask in the ACL.

As far as removing entries (ACEs) in the ACL, you can do so if the access list has sequence #s associated with it. Do a 'show access-list' and see if it shows sequence #s, like 10, 20, 30 etc. If it does, then enter the ACL mode and remove the sequence #s; this would remove the corresponding entries and not the entire ACL.

ip access-list extended 101 --> puts in you ACL mode

no seq (#) --> to remove an entry in the ACL. Use the seq # shown in the show access-list output.

HTH

Sundar
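The procedure above, written out as an IOS session on a numbered extended ACL. This is an added example, not output from the original thread or from Cisco; the hostname "Router877", the replacement source host 172.19.15.10 and the counter values are assumed for illustration. In the ACL sub-mode the sequence number is given directly (`no 10`), and the same sub-mode lets you insert a replacement entry at a chosen position:

```cisco
! Added example (not from the original thread): editing one entry of numbered
! ACL 101 on IOS without deleting the whole list. Hostname, the host
! 172.19.15.10 and the counter values are assumed.
! In global config, "no access-list 101 permit ..." removes the entire numbered
! ACL (the behaviour described in the question); use the ACL sub-mode instead.

Router877# show access-lists 101
Extended IP access list 101
    10 permit ip 172.19.15.0 0.0.0.255 host 192.168.20.11 (1478 matches)
    20 permit ip 172.19.15.0 0.0.0.255 192.168.40.0 0.0.0.255 (3266 matches)
    30 permit ip 172.19.15.0 0.0.0.255 192.168.60.0 0.0.0.255 (1266 matches)

! Enter the ACL sub-mode for the numbered list and delete only sequence 10.
Router877# configure terminal
Router877(config)# ip access-list extended 101
Router877(config-ext-nacl)# no 10
! Insert a narrower replacement at a chosen position; "host" is the same as a
! 0.0.0.0 wildcard, so only one source and one destination address match.
Router877(config-ext-nacl)# 15 permit ip host 172.19.15.10 host 192.168.20.11
Router877(config-ext-nacl)# end

! Verify: entries 20 and 30 are untouched. "(n matches)" is the per-ACE packet
! counter; clear it to measure from a known point while troubleshooting.
Router877# show access-lists 101
Extended IP access list 101
    15 permit ip host 172.19.15.10 host 192.168.20.11
    20 permit ip 172.19.15.0 0.0.0.255 192.168.40.0 0.0.0.255 (3266 matches)
    30 permit ip 172.19.15.0 0.0.0.255 192.168.60.0 0.0.0.255 (1266 matches)
Router877# clear access-list counters 101

! Optional: renumber in steps of 10 so further entries can be slotted in between.
Router877# configure terminal
Router877(config)# ip access-list resequence 101 10 10
Router877(config)# end
```

If ACL 101 is also the crypto ACL that selects traffic for the IPsec tunnel, any entry you change must be mirrored on the peer, since a mismatch between the two crypto ACLs is exactly the failure mode discussed later in this thread.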

Is it best to just keep subnets or hosts? I'm just securing it further.

My access list shows this:

Extended IP access list 101

10 permit ip 172.19.15.0 0.0.0.255 host 192.168.20.11 (1478 matches)

20 permit ip 172.19.15.0 0.0.0.255 192.168.40.0 0.0.0.255 (3266 matches)

30 permit ip 172.19.15.0 0.0.0.255 192.168.60.0 0.0.0.255 (1266 matches)

What are these matches?

Do more ACE's create more IPSec tunnels and strain on the network?


Thanks Sundar, just one last thing. I can't seem to access a network from the remote network to the ASA, what is the best debug tool to see if it's being denied on the router?

A couple of debug commands I have always found to be very useful with IPSEC troubleshooting are as follows. Another thing you could do is apply an ACL (for troubleshooting purposes only) on the interface on which traffic arrives at the router, before the encryption process, to see if the host is sending traffic to the router. The problem you are describing is a very common occurrence if the crypto ACL on both sides doesn't match, and hence double check that part. Thanks for the rating :-)

debug crypto isakmp

debug crypto ipsec

Trouble I'm getting is that the remote network needs to go through the ASA over the VPN to get to the internet (outside of ASA is a Cisco router), and have no idea what to add to the SA's or access lists.

Any ideas?
