Named ACL edit

jagdev.dhaliwal
Level 1

Hi All,

I want to edit a named ACL. We add remarks to keep it simple, like below:

remark Allow SSH and WEB traffic from Users
permit tcp 192.168.1.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 22
permit tcp 192.168.1.0 0.0.0.255 10.20.0.0 0.0.0.255 eq www

Now I want to add one more before the last deny line:

110 deny ip any any log

New lines I want to add:

105 Remark Allow Admin PC
106 Permit IP host 10.30.1.50 10.20.0.0 0.0.0.255

But it does not accept the remark. Is there any way to add this, or do I need to remove the complete ACL and re-enter it with the new lines the traditional way?

Thanks,
Jagdev

Accepted Solution

John Blakley
VIP Alumni

You'll need to delete the ACL and start from scratch. Remarks can't be specified (at least in the IOS version that I have) by line number:

R1(config-ext-nacl)#?
Ext Access List configuration commands:
  <1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  dynamic         Specify a DYNAMIC list of PERMITs or DENYs
  evaluate        Evaluate an access list
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment
R1(config-ext-nacl)#remark ?
  LINE  Comment up to 100 characters

R1(config-ext-nacl)#15 ?
  deny      Specify packets to reject
  dynamic   Specify a DYNAMIC list of PERMITs or DENYs
  evaluate  Evaluate an access list
  exit      Exit from access-list configuration mode
  permit    Specify packets to forward

So you will need to enter the remark in the order that you want, before entering the ACE in the ACL, like:

ip access-list ext Named
remark Below is for www server
permit tcp any any eq www
remark Below is for ftp server
permit tcp any host 10.10.10.1 eq 21

Here's the other thing that I noticed. You can't see the remarks if you do a "show access-list". You have to look at it in the running config, so it won't look like it worked until you look at the running config:

R1#sh access-lists Named
Extended IP access list Named
    10 permit tcp any any eq www
    20 permit tcp any host 10.10.10.1 eq ftp
R1#
R1#sh run | s access-list
ip access-list extended Named
remark Below is for www server
permit tcp any any eq www
remark Below is for ftp server
permit tcp any host 10.10.10.1 eq ftp
R1#

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
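As an added example (not code from the thread or from Cisco), the delete-and-rebuild that John describes, scripted: it parses the ACL as it appears in the running config, slots the new remark and ACE ahead of the closing deny, regenerates sequence numbers for ACEs only (remarks get none, matching the CLI output above), and refuses to emit a list that no longer ends in the explicit logged deny. The ACL name Users-Out and the sample lines are constructed from the question.

```python
import re
# Constructed sample input: the questioner's ACL as it would appear in the running config.
RUNNING_CONFIG_ACL = """\
ip access-list extended Users-Out
 remark Allow SSH and WEB traffic from Users
 permit tcp 192.168.1.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 22
 permit tcp 192.168.1.0 0.0.0.255 10.20.0.0 0.0.0.255 eq www
 deny ip any any log
"""
# Constructed: the remark and ACE to be placed just ahead of the final deny.
NEW_ENTRIES = ["remark Allow Admin PC", "permit ip host 10.30.1.50 10.20.0.0 0.0.0.255"]

def parse_named_acl(config_text):
    """Return (acl_type, name, entries) from an 'ip access-list' block; old sequence numbers are dropped."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    header = re.match(r"ip access-list (standard|extended) (\S+)$", lines[0])
    if header is None:
        raise ValueError("not a named ACL block: %r" % lines[0])
    return header.group(1), header.group(2), [re.sub(r"^\d+\s+", "", ln) for ln in lines[1:]]

def is_catch_all_deny(entry):
    # The explicit 'deny ip any any' that closes the list, with or without 'log'.
    return re.match(r"deny ip any any( log)?$", entry) is not None

def insert_before_catch_all(entries, new_entries):
    """Place new_entries ahead of the trailing catch-all deny (at the end if there is none)."""
    idx = next((i for i, e in enumerate(entries) if is_catch_all_deny(e)), len(entries))
    return entries[:idx] + list(new_entries) + entries[idx:]

def render_rebuild(acl_type, name, entries, step=10):
    """Commands that remove and re-create the ACL. Remarks get no sequence number (the IOS
    in the thread refuses one); ACEs are numbered in steps of `step` so later ACEs can be
    slotted in by number. Caution: until the list is re-created, interfaces referencing it permit everything."""
    out = ["no ip access-list %s %s" % (acl_type, name), "ip access-list %s %s" % (acl_type, name)]
    seq = 0
    for entry in entries:
        if entry.startswith("remark "):
            out.append(" " + entry)
        else:
            seq += step
            out.append(" %d %s" % (seq, entry))
    return out

def rebuild_with_insert(config_text, new_entries):
    """Parse, insert ahead of the catch-all deny, verify the deny is still last, and render."""
    acl_type, name, entries = parse_named_acl(config_text)
    updated = insert_before_catch_all(entries, new_entries)
    if not updated or not is_catch_all_deny(updated[-1]):
        raise ValueError("rebuilt ACL does not end in an explicit deny; refusing to emit")
    return render_rebuild(acl_type, name, updated)
```

Because an interface bound to a non-existent list passes all traffic, apply the generated lines in one paste, or build the new list under a different name and re-bind the interface.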


2 Replies

Hey Jagdev,

The remark is not correct; you need to remark 106, not 105. That will create the entry above the deny with sequence number 110.

regards,

Sebastian
