How to insert a line in the existing acl?

vinothlb1
Level 1

Extended IP access list 150
permit ip 10.0.0.0 0.255.255.255 10.207.0.0 0.0.255.255
permit ip 10.207.0.0 0.0.255.255 10.0.0.0 0.255.255.255
permit tcp any any range 1521 1526
permit tcp any range 1521 1526 any
permit ip host 10.205.157.250 any
permit ip host 10.205.133.250 any
permit ip host 10.205.113.250 any
permit ip host 10.205.141.250 any
permit ip host 10.205.164.250 any
permit ip host 10.205.114.250 any
permit ip host 10.205.142.250 any
permit ip host 10.205.147.250 any
permit ip host 10.205.144.250 any
permit ip host 10.205.135.251 any
permit ip host 10.205.127.250 any
permit ip host 10.205.135.250 any
permit ip host 10.205.140.250 any
permit ip host 10.205.112.250 any
permit ip host 10.205.158.250 any
permit ip host 10.205.135.252 any
permit ip host 10.205.116.250 any
permit ip host 10.205.150.250 any
permit ip any host 10.205.157.250
permit ip any host 10.205.133.250
permit ip any host 10.205.113.250
permit ip any host 10.205.141.250
permit ip any host 10.205.164.250
permit ip any host 10.205.114.250
permit ip any host 10.205.142.250
permit ip any host 10.205.147.250
permit ip any host 10.205.144.250
permit ip any host 10.205.135.251
permit ip any host 10.205.135.250
permit ip any host 10.205.140.250
permit ip any host 10.205.112.250
permit ip any host 10.205.158.250
permit ip any host 10.205.135.252
permit ip any host 10.205.127.250
permit ip any host 10.205.116.250
permit ip any host 10.205.150.250
permit ip host 10.205.100.250 any
permit ip host 10.205.99.250 any
permit ip host 10.205.102.250 any
permit ip any host 10.205.100.250
permit ip any host 10.205.99.250
permit ip any host 10.205.102.250
permit ip host 10.205.50.250 any
permit ip host 10.205.50.251 any
permit ip host 10.205.82.250 any
permit ip host 10.205.92.250 any
permit ip host 10.205.64.250 any
permit ip host 10.205.93.250 any
permit ip host 10.205.64.251 any
permit ip host 10.205.67.250 any
permit ip host 10.205.92.251 any
permit ip host 10.205.80.250 any
permit ip any host 10.205.50.250
permit ip any host 10.205.50.251
permit ip any host 10.205.82.250
permit ip any host 10.205.92.250
permit ip any host 10.205.64.250
permit ip any host 10.205.93.250
permit ip any host 10.205.64.251
permit ip any host 10.205.67.250
permit ip any host 10.205.92.251
permit ip any host 10.205.80.250
permit ip host 10.205.48.251 any
permit ip any host 10.205.48.251
permit ip host 10.205.46.90 any
permit ip any host 10.205.46.90
permit ip 10.205.48.0 0.0.0.255 any
permit ip any 10.205.48.0 0.0.0.255
permit ip 10.205.46.0 0.0.0.255 any
permit ip any 10.205.46.0 0.0.0.255
permit ip host 10.205.20.8 any
permit ip any host 10.205.20.8
permit ip host 10.205.51.66 host 10.205.46.117
permit ip host 10.205.46.117 host 10.205.51.66
permit ip host 10.205.51.66 host 10.205.46.140
permit ip host 10.205.46.140 host 10.205.51.66
permit ip any host 10.205.31.100
permit ip host 10.205.31.100 any
deny tcp any eq 139 any
deny tcp any eq 445 any
deny tcp any any eq 445
deny tcp any any eq 139
deny tcp any eq 135 any
deny tcp any eq 1024 any
deny tcp any any eq 1024
deny tcp any any eq 135
deny tcp any eq 1025 any
deny tcp any any eq 1025
permit ip any any

After

permit ip host 10.205.31.100 any

and before

deny tcp any eq 139 any

I want to insert

permit ip any host 10.205.102.12

permit ip host 10.205.102.12 any

How do I insert these lines? Can anyone provide the procedure? It will be helpful for me.


mmacdonald70
Level 1

You didn't tell us which version of IOS you have but if I recall correctly, when you do a "sh access-list 150" you will get it with a bunch of line numbers. Then it is just a matter of:

ip access-list extended 150
x permit ip any host 10.205.102.12
y permit ip host 10.205.102.12 any

Where x and y are numbers between the line numbers of those two lines.

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ip_entry_numbrng.html

My Cisco IOS version is 12.2(17a).

I didn't get any line numbers as you described in the output of:

sh access-list 150

s.marino
Level 1

The first thing to do is a "show access-list" of this access-list. Since this looks like an extended access-list, you will see sequence numbers on the left side of the entries.

Let's say you have:

100 permit ip any host 10.205.31.100
110 permit ip host 10.205.31.100 any

conf t
ip access-list extended 150
101 permit ip any host 10.205.102.12
102 permit ip host 10.205.102.12 any
exit
ip access-list resequence "Access-list name" 10 10

press enter then exit

This should put them in order by seq of 10.

Sal

Rate it if this helps...

I didn't get any sequence numbers on the left side.

vinoth,

It's not easy to live with the old IOS. (grin)

What I can recommend is that you copy the whole ACL to Notepad or something like that. Then modify the ACL to be the new one. After that, just remove the existing ACL and replace it with the new one real quick.

HTH,

Toshi

vinoth,

I agree with HTH.

The first line in notepad should have the - no ip access-list 150 -

Then the rest of the access list with the modifications included.

Copy the whole list and, in config mode, paste it in. Now I would have a reload statement applied prior to this with a 5-10 minute time frame, just in case the equipment isn't local to you. If all goes well, then cancel the reload.

Vinoth:

1.) Make sure you have permission to remove any ACLs during production times.

2.) If you do, remove the access list from the interface first. I'm assuming it's a security list that is being applied to a particular interface.

interface serial 0/0
no ip access-group 150 [in|out]

3.) Copy the entire ACL into a Notepad document. Insert the changes/additions. Then paste the revised ACL into the router's config.

4.) Re-apply the access-list to the interface.

5.) Save config and back it up to the tftp server if you use one.

HTH

Victor

Victor,

That's what I'm thinking of.

5P!

Toshi

Toshi. Thanks! LoL :-)

Vinoth:

Just to be super duper clear, after you remove the access list from the interface in step 2, you can then go into global config mode and delete the ACL itself, step 2a:

router (config)#no ip access-list 150
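Added example, not code from this thread or from Cisco: a small Python helper that prepares both procedures the replies describe. For an IOS release that shows per-entry sequence numbers (s.marino's answer) it picks free numbers between the two neighbouring entries and resequences; for the poster's 12.2(17a) it emits the unbind / delete / re-create / re-bind sequence from Victor's steps. It also includes a first-match evaluator so you can confirm before pasting what the new ordering does: the inserted permit lines land above the "deny tcp ... 139/445" entries, so the new host is no longer subject to those denies. The embedded ACL is a constructed, shortened version of the one in the question; the interface name serial 0/0 is from Victor's post and the direction "in" is an assumption.

```python
"""Added example (not from this thread): plan an insert into a Cisco IOS extended ACL,
generate the command text for both procedures, and check the resulting match order."""
import ipaddress

# Constructed, shortened version of the ACL pasted in the question.
ACL_150 = """\
permit ip 10.0.0.0 0.255.255.255 10.207.0.0 0.0.255.255
permit tcp any any range 1521 1526
permit ip any host 10.205.31.100
permit ip host 10.205.31.100 any
deny tcp any eq 139 any
deny tcp any any eq 445
deny tcp any any eq 139
permit ip any any
"""
NEW_ENTRIES = ["permit ip any host 10.205.102.12", "permit ip host 10.205.102.12 any"]
ANCHOR = "permit ip host 10.205.31.100 any"   # the insert goes right after this entry

def parse_acl(text):
    """Split 'show access-list' style text into one entry per list element."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def insert_after(entries, anchor, new_entries):
    """Return a copy of the ACL with new_entries placed directly after anchor."""
    i = entries.index(anchor)
    return entries[: i + 1] + list(new_entries) + entries[i + 1 :]

def only_added(old, new, added):
    """Pre-paste check: the new list is the old list plus exactly the added entries."""
    return [e for e in new if e not in added] == old

def rebuild_commands(name, entries, interface, direction):
    """Old-IOS procedure from the thread: unbind, delete, re-create, re-bind."""
    cmds = [f"interface {interface}", f" no ip access-group {name} {direction}", "exit",
            f"no ip access-list extended {name}", f"ip access-list extended {name}"]
    cmds += [f" {e}" for e in entries]
    cmds += ["exit", f"interface {interface}", f" ip access-group {name} {direction}", "exit"]
    return cmds

def sequenced_insert_commands(name, entries, anchor, new_entries, step=10):
    """Newer-IOS procedure: use sequence numbers between anchor and its successor,
    then resequence so the list is back on even steps."""
    lo = (entries.index(anchor) + 1) * step        # IOS numbers entries 10, 20, 30, ...
    gap = step // (len(new_entries) + 1)
    if gap == 0:
        raise ValueError("no free sequence numbers; resequence with a larger step first")
    cmds = [f"ip access-list extended {name}"]
    cmds += [f" {lo + gap * (k + 1)} {e}" for k, e in enumerate(new_entries)]
    cmds += ["exit", f"ip access-list resequence {name} {step} {step}"]
    return cmds

def _addr(tok):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    wild = int(ipaddress.IPv4Address(tok[1]))    # contiguous wildcard masks only
    return ipaddress.ip_network(f"{tok[0]}/{32 - wild.bit_length()}", strict=False), tok[2:]

def _ports(tok):
    """Consume an optional 'eq N' or 'range A B'; default is every port."""
    if tok and tok[0] == "eq":
        return (int(tok[1]), int(tok[1])), tok[2:]
    if tok and tok[0] == "range":
        return (int(tok[1]), int(tok[2])), tok[3:]
    return (0, 65535), tok

def parse_entry(entry):
    """Parse 'permit|deny proto src [ports] dst [ports]' into matchable pieces."""
    tok = entry.split()
    action, proto = tok[0], tok[1]
    src, tok = _addr(tok[2:])
    sports, tok = _ports(tok)
    dst, tok = _addr(tok)
    dports, _ = _ports(tok)
    return action, proto, src, sports, dst, dports

def first_match(entries, proto, sip, sport, dip, dport):
    """Evaluate like IOS: the first matching entry wins, implicit deny at the end."""
    for e in entries:
        action, p, src, (s0, s1), dst, (d0, d1) = parse_entry(e)
        if p not in ("ip", proto):
            continue
        if ipaddress.ip_address(sip) not in src or ipaddress.ip_address(dip) not in dst:
            continue
        if not (s0 <= sport <= s1 and d0 <= dport <= d1):
            continue
        return action, e
    return "deny", "implicit deny"

if __name__ == "__main__":
    old = parse_acl(ACL_150)
    new = insert_after(old, ANCHOR, NEW_ENTRIES)
    assert only_added(old, new, NEW_ENTRIES)
    print("\n".join(rebuild_commands("150", new, "serial 0/0", "in")))   # "in" is assumed
    print("\n".join(sequenced_insert_commands("150", old, ANCHOR, NEW_ENTRIES)))
    # Ordering consequence: the new host's permit now sits above the port 139/445 denies.
    print(first_match(old, "tcp", "10.205.102.12", 40000, "10.1.1.1", 445))
    print(first_match(new, "tcp", "10.205.102.12", 40000, "10.1.1.1", 445))
```

Run it against the real ACL text by replacing ACL_150 with the full "show access-list" output; the only_added check is the one worth keeping in the paste workflow, since a stray line dropped while editing in Notepad is silently removed when the old list is deleted and the new one pasted in.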
