12-19-2012 11:19 PM - edited 03-07-2019 10:42 AM
Hi All,
I want to edit a named ACL; we add remarks to keep it simple, like below:
remark Allow SSH and WEB traffic from Users
permit tcp 192.168.1.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 22
permit tcp 192.168.1.0 0.0.0.255 10.20.0.0 0.0.0.255 eq www
Now I want to add one more before the last deny line:
110 deny ip any any log
New lines I want to add:
105 Remark Allow Admin PC
106 Permit IP host 10.30.1.50 10.20.0.0 0.0.0.255
But it does not accept the remark. Is there any way to add this, or do I need to remove the complete ACL and re-enter it with the new lines the traditional way?
Thanks
Jagdev
12-20-2012 03:19 AM
You'll need to delete the ACL and start from scratch. Remarks can't be specified (at least in the IOS version that I have) by line number:
R1(config-ext-nacl)#?
Ext Access List configuration commands:
<1-2147483647> Sequence Number
default Set a command to its defaults
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
evaluate Evaluate an access list
exit Exit from access-list configuration mode
no Negate a command or set its defaults
permit Specify packets to forward
remark Access list entry comment
R1(config-ext-nacl)#remark ?
LINE Comment up to 100 characters
R1(config-ext-nacl)#15 ?
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
evaluate Evaluate an access list
exit Exit from access-list configuration mode
permit Specify packets to forward
So you will need to enter the remark in the order that you want, before the entry in the ACL, like:
ip access-list ext Named
remark Below is for www server
permit tcp any any eq www
remark Below is for ftp server
permit tcp any host 10.10.10.1 eq 21
Here's the other thing that I noticed: you can't see the remarks if you do a "show access-list". You have to look at them in the running config, so it won't look like it worked until you check the running config:
R1#sh access-lists Named
Extended IP access list Named
10 permit tcp any any eq www
20 permit tcp any host 10.10.10.1 eq ftp
R1#
R1#sh run | s access-list
ip access-list extended Named
remark Below is for www server
permit tcp any any eq www
remark Below is for ftp server
permit tcp any host 10.10.10.1 eq ftp
R1#
HTH,
John
*** Please rate all useful posts ***
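To make the sequence-number mechanics in the question and in John's answer concrete, here is an added Python model (not from the thread, and not Cisco code) of the behaviour described: permit/deny entries carry sequence numbers, a remark takes no sequence number and is entered just before its entry, "show access-lists" hides remarks, and the running config shows them. The ACL name USERS, the sequence numbers 90/100/110 and the sample output are constructed, and the midpoint rule for picking a free sequence number is my choice, not an IOS feature.

```python
"""Model of sequence-numbered editing of a Cisco IOS named extended ACL.

Added example (not from the thread): mirrors the behaviour the replies
describe. Entries carry sequence numbers, remarks do not, 'show access-lists'
omits remarks and the running config keeps them.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: 'show access-lists' output shaped like the ACL in the
# question; sequence 110 is the final deny the new entry must land before.
SHOW_ACL = """\
Extended IP access list USERS
    90 permit tcp 192.168.1.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 22
    100 permit tcp 192.168.1.0 0.0.0.255 10.20.0.0 0.0.0.255 eq www
    110 deny ip any any log
"""
NEW_RULE = "permit ip host 10.30.1.50 10.20.0.0 0.0.0.255"   # from the question

ENTRY_RE = re.compile(r"^\s*(\d+)\s+((?:permit|deny)\s+.*?)\s*$")


@dataclass
class Entry:
    seq: int
    rule: str                                           # e.g. "permit tcp any any eq www"
    remarks: List[str] = field(default_factory=list)    # remarks entered before this entry


def parse_show(text: str) -> List[Entry]:
    """Parse the numbered entries out of 'show access-lists' output."""
    entries = [Entry(int(m.group(1)), m.group(2))
               for m in map(ENTRY_RE.match, text.splitlines()) if m]
    return sorted(entries, key=lambda e: e.seq)


def free_sequence_before(entries: List[Entry], target: int) -> Optional[int]:
    """Return an unused sequence number before `target`, or None when the
    neighbours are contiguous (then 'ip access-list resequence' is needed)."""
    seqs = [e.seq for e in entries]
    if target not in seqs:
        raise ValueError(f"sequence {target} not in ACL")
    idx = seqs.index(target)
    prev = seqs[idx - 1] if idx > 0 else 0              # IOS numbering starts at 1
    if prev + 1 > target - 1:
        return None
    return (prev + target) // 2                         # midpoint leaves room for later inserts


def insert_before(entries: List[Entry], target: int, rule: str,
                  remark: Optional[str] = None) -> Tuple[int, List[Entry]]:
    """Insert `rule` before entry `target`; the remark rides with the new entry."""
    seq = free_sequence_before(entries, target)
    if seq is None:
        raise ValueError("no free sequence number; resequence the ACL first")
    new = Entry(seq, rule, [remark] if remark else [])
    return seq, sorted(entries + [new], key=lambda e: e.seq)


def commands(name: str, seq: int, rule: str, remark: Optional[str] = None) -> List[str]:
    """CLI lines to type: the remark first (it takes no sequence number), then the entry."""
    lines = [f"ip access-list extended {name}"]
    if remark:
        lines.append(f" remark {remark}")
    lines.append(f" {seq} {rule}")
    return lines


def render_show(name: str, entries: List[Entry]) -> str:
    """'show access-lists' view: numbered entries, remarks not displayed."""
    return "\n".join([f"Extended IP access list {name}"]
                     + [f"    {e.seq} {e.rule}" for e in entries])


def render_running(name: str, entries: List[Entry]) -> str:
    """Running-config view: remarks present, sequence numbers not shown."""
    lines = [f"ip access-list extended {name}"]
    for e in entries:
        lines.extend(f" remark {r}" for r in e.remarks)
        lines.append(f" {e.rule}")
    return "\n".join(lines)


if __name__ == "__main__":
    acl = parse_show(SHOW_ACL)
    seq, acl = insert_before(acl, 110, NEW_RULE, "Allow Admin PC")
    print("\n".join(commands("USERS", seq, NEW_RULE, "Allow Admin PC")))
    print(render_show("USERS", acl))
    print(render_running("USERS", acl))
```

Running it prints the three CLI lines to enter, then the two views of the result. When free_sequence_before returns None the neighbouring entries are contiguous and the ACL needs "ip access-list resequence" before anything can be inserted; the remark still has to be placed in order, as John's answer notes.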
12-20-2012 02:28 AM
Hey Jagdev,
The remark is not correct; you need to remark 106, not 105. That will create the entry above the deny with sequence number 110.
regards,
Sebastian