Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
474
Views
0
Helpful
7
Replies

Access List Questions

joneschw1
Level 1
Level 1

‎11-01-2004 10:27 AM - edited ‎02-20-2020 09:25 PM

Hi all, I have a PIX 501 and some access lists. Basically I found an incorrect line. I have 8 or 9 various access-lists.

I tried to remove the incorrect line, and the only way that I could do it was to remove the access-group from the interface and then remove the incorrect line. It seems that you can add to an access group pretty easily, but removing a line is difficult. Am I doing something wrong?

Also, what is the proper syntax to only allow smtp traffic from ip address 77.94.101.4 to my internal IP? Thanks for the help.

Labels:
0 Helpful
7 Replies 7

mpalardy
Level 3
Level 3

‎11-01-2004 11:03 AM

First you have to use the configuration mode of your pix, w/ "conf t" command. Then use the "no" keyword to remove an access-list and it must be typed entirelly. eg.:

PIX(config)# no access-list outside_intf permit tcp host 10.1.1.1 host 10.2.2.2 eq 25

To permit access from outside to your internal mail-server you must first publish your mail server on a internet routable ip:

static (inside, outside) IP-out IP-server netmask 255.255.255.255 0 0

Grant access for 77.xx.xxx.x to your mail server:

access-list outside_intf permit tcp host 77.xx.xxx.x host IP-out eq smtp

Bind the ACL to the outside intf:

access-group outside_intf in interface outside

Note that only one set of access-list can be bind for each interface.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#wp1025611

HTH

Mike

0 Helpful

joneschw1
Level 1
Level 1
In response to mpalardy

‎11-01-2004 12:48 PM

Mike,

I tried the no -- entire access list line--- and it did not work. The only way I could get it to work was to remove the access group and then remove the individual line (listing the line number).

0 Helpful

mpalardy
Level 3
Level 3
In response to joneschw1

‎11-01-2004 01:06 PM

Does the pix gives an error when you attempt to remove the ACL ? What's the version of the soft you have on this pix ? (please post the output from the "show version" command)

0 Helpful

jogillis
Level 1
Level 1

‎11-02-2004 08:34 AM

You should not have to remove the access-group to delete a line from the access-list. From configuration mode (config t), you should be able to type "no" then the access-list line, with no line number necessary. This should remove that line.

0 Helpful

switchfire
Level 1
Level 1
In response to jogillis

‎12-02-2004 08:02 AM

I have exactly the same problem on our 1760 router (v 12.3(2)XE).

I enter configuration mode with conf t, then select the access list I want to modify:

ip access-list extended

Here I type in the command to delete an existing permission:

no permit .... etc

where the permit line is repeated exactly as shown by the show running command. The router accepts the deletion without comment. I type exit, then Ctrl-Z to leave configuration mode. In essence I've just repeated exactly the same procdure as used to create the permit line, but this time put a 'no' at the beginning.

Show running reveals that nothing has changed, the permission line is still present. No errors are displayed at any time. I just don't work!

Since we have a large number of lines within this access-list, deleting it completely isn't a realistic option.

CG

0 Helpful

bhatok
Level 1
Level 1
In response to switchfire

‎12-02-2004 08:42 AM

You should be able to remove a single line from your access-list with the no command. For example if your access-list command is:

access-list 101 permit tcp any host 10.10.10.10 eq smpt

To remove it, enter configuration mode with the configure terminal command, then use:

no access-list 101 permit tcp any host 10.10.10.10 eq smtp

The commands should be identical except for the no.

0 Helpful

switchfire
Level 1
Level 1
In response to bhatok

‎12-02-2004 09:38 AM

Perhaps I didnt' state my problem clearly enough. I'm not referring to a numbered access list (which for all I know suffers from the same problem), but to the access-list for a firewall rule. I thought the original post on this thread meant the same, perhaps I'm wrong.

The rule I'm referring to is created as follows:

router# conf t

router(config)# ip access-list extended Internet_LAN_IN

router(config-ext-nacl)# permit tcp host 135.100.44.6 host 196.140.232.12 eq ftp

router(config-ext-nacl)# exit

router(config)#

router#

Trying to delete the line by recapitulating the above, but putting a 'no' at the beginning of the line which starts 'permit...' is accepted without any error message, but silently ignored.

I know that typing 'no' at the beginning is supposed to delete the line, but it doesn't. The show running command still shows the line is present. Do I have to reboot the router? or is there some other critical step I should take?

CG

0 Helpful
Customers Also Viewed These Support Documents