How to simplify your access-list changes on a Cisco IOS Router

How to simplify your access-list changes on a cisco IOS Router. There is a manner how to do this.
The following steps you need to know or have to change are.

1. To know which access-list you need / want to change
2. The name of the access-list written as in the show running-config
3. Where in the access-list you want to put the new line.

1: First logon to your Cisco IOS Router device. And go to the Configuration mode.

Jyrki-877-nlbeks69#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

2: Second show the access-lists you are running on your IOS router

Jyrki-877-nlbeks69(config)#do sh run | begin ip access-list

3: You will get an output like below.

ip access-list extended ACL_Dialer10_IN
 remark Deny internal networks
 deny   ip 192.168.21.0 0.0.0.255 any
 remark Anti-spoofing
 deny   ip host 0.0.0.0 any
 deny   ip host 255.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 remark dhcp van provider
 permit udp any any eq bootpc
 remark VPN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any eq non500-isakmp any
 permit esp any any
 permit gre any any
 permit tcp any any eq 1723
 remark Standard WWW services
 permit udp any any eq domain
 permit udp any eq domain any
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq 22
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit tcp any any eq www
 permit tcp any any eq ident
 permit tcp any any eq 443
 permit tcp any any eq 143
 permit tcp any any eq 993
 remark GMAIL
 permit tcp any any eq 995
 remark Belastingdienst
 permit tcp any any eq 587
 remark Remote Desktop
 permit tcp any any eq 3389
 remark RWW
 permit tcp any any eq 4125
 permit udp any any eq 4125
 remark LDAP
 permit tcp any any eq 389
 remark Rabobank Telebankieren Extra
 permit tcp any any eq 2901
 remark ABN-AMRO OfficeNet Extra
 permit tcp host 193.172.44.45 any
 permit tcp host 193.172.44.78 any
 permit tcp host 194.151.107.44 any
 permit tcp host 194.151.107.76 any
 remark Windows Media
 permit tcp any any eq 1755
 remark Windows Messenger
 permit tcp any any eq 1863
 permit udp any any range 1024 65535
 permit tcp any any range 6891 6900
 remark Azureus Vuze
 permit tcp any any eq 56740
 remark NTP
 permit udp any any eq ntp
 remark SNMP
 permit udp host 80.65.112.178 any eq snmp
 permit udp 80.65.125.16 0.0.0.15 any eq snmp
 remark ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   icmp any any
 deny   tcp any range 0 65535 any range 0 65535
 deny   udp any range 0 65535 any range 0 65535
 deny   ip any any

4: press ctrl+Q and your back on the configuration line. Copy / Past the name of the access-list

Jyrki-877-nlbeks69(config)#ip access-list extended ACL_Dialer10_IN

5: Your now entering the access-list configuration mode

Jyrki-877-nlbeks69(config-ext-nacl)#

6: show the access-list with the numbers in front.

Jyrki-877-nlbeks69(config-ext-nacl)#do sh ip access-list
Extended IP access list ACL_Dialer10_IN
    10 deny ip 192.168.21.0 0.0.0.255 any
    20 deny ip host 0.0.0.0 any
    30 deny ip host 255.255.255.255 any
    40 deny ip 10.0.0.0 0.255.255.255 any
    50 deny ip 127.0.0.0 0.255.255.255 any
    60 deny ip 169.254.0.0 0.0.255.255 any
    70 deny ip 172.16.0.0 0.15.255.255 any
    80 deny ip 192.168.0.0 0.0.255.255 any
    90 deny ip 224.0.0.0 15.255.255.255 any
    100 permit udp any any eq bootpc
    110 permit udp any any eq isakmp
    120 permit udp any any eq non500-isakmp
    130 permit udp any eq non500-isakmp any
    140 permit esp any any
    150 permit gre any any
    160 permit tcp any any eq 1723 (12 matches)
    170 permit udp any any eq domain
    180 permit udp any eq domain any (3 matches)
    190 permit tcp any any eq ftp (77 matches)
    200 permit tcp any any eq ftp-data (1 match)
    210 permit tcp any any eq 22 (359 matches)
    220 permit tcp any any eq smtp
    230 permit tcp any any eq pop3 (8 matches)
    240 permit tcp any any eq www (397 matches)
    250 permit tcp any any eq ident
    260 permit tcp any any eq 443 (205 matches)
    270 permit tcp any any eq 143
    280 permit tcp any any eq 993
    290 permit tcp any any eq 995
    300 permit tcp any any eq 587
    310 permit tcp any any eq 3389 (23 matches)
    320 permit tcp any any eq 4125
    330 permit udp any any eq 4125
    340 permit tcp any any eq 389
    350 permit tcp any any eq 2901
    360 permit tcp host 193.172.44.45 any
    370 permit tcp host 193.172.44.78 any
    380 permit tcp host 194.151.107.44 any
    390 permit tcp host 194.151.107.76 any
    400 permit tcp any any eq 1755
    410 permit tcp any any eq 1863
    420 permit udp any any range 1024 65535 (43302 matches)
    430 permit tcp any any range 6891 6900
    440 permit tcp any any eq 56740 (795300 matches)
    450 permit udp any any eq ntp
    460 permit udp any any eq snmp
    470 permit udp any any eq snmp
    480 permit icmp any any echo (242 matches)
    490 permit icmp any any echo-reply
    500 permit icmp any any packet-too-big
    510 permit icmp any any time-exceeded (17 matches)
    520 permit icmp any any unreachable (2491 matches)
    530 deny icmp any any (9 matches)
    540 deny tcp any range 0 65535 any range 0 65535 (1212 matches)
    550 deny udp any range 0 65535 any range 0 65535 (47 matches)
    560 deny ip any any

7: Copy an existing line from the access-list and modify this line. With a new number and protocol type.

Jyrki-877-nlbeks69(config-ext-nacl)#340 permit tcp any any eq 389
Jyrki-877-nlbeks69(config-ext-nacl)#341 permit tcp any any eq 873

8: Check if the changes are made by the sho ip access-list command.

Jyrki-877-nlbeks69(config-ext-nacl)#do sh ip access-list
Extended IP access list ACL_Dialer10_IN
    10 deny ip 192.168.21.0 0.0.0.255 any
    20 deny ip host 0.0.0.0 any
    30 deny ip host 255.255.255.255 any
    40 deny ip 10.0.0.0 0.255.255.255 any
    50 deny ip 127.0.0.0 0.255.255.255 any
    60 deny ip 169.254.0.0 0.0.255.255 any
    70 deny ip 172.16.0.0 0.15.255.255 any
    80 deny ip 192.168.0.0 0.0.255.255 any
    90 deny ip 224.0.0.0 15.255.255.255 any
    100 permit udp any any eq bootpc
    110 permit udp any any eq isakmp
    120 permit udp any any eq non500-isakmp
    130 permit udp any eq non500-isakmp any
    140 permit esp any any
    150 permit gre any any
    160 permit tcp any any eq 1723 (12 matches)
    170 permit udp any any eq domain
    180 permit udp any eq domain any (3 matches)
    190 permit tcp any any eq ftp (77 matches)
    200 permit tcp any any eq ftp-data (1 match)
    210 permit tcp any any eq 22 (359 matches)
    220 permit tcp any any eq smtp
    230 permit tcp any any eq pop3 (8 matches)
    240 permit tcp any any eq www (397 matches)
    250 permit tcp any any eq ident
    260 permit tcp any any eq 443 (205 matches)
    270 permit tcp any any eq 143
    280 permit tcp any any eq 993
    290 permit tcp any any eq 995
    300 permit tcp any any eq 587
    310 permit tcp any any eq 3389 (23 matches)
    320 permit tcp any any eq 4125
    330 permit udp any any eq 4125
    340 permit tcp any any eq 389
    341 permit tcp any any eq 873 <====
    350 permit tcp any any eq 2901
    360 permit tcp host 193.172.44.45 any
    370 permit tcp host 193.172.44.78 any
    380 permit tcp host 194.151.107.44 any
    390 permit tcp host 194.151.107.76 any
    400 permit tcp any any eq 1755
    410 permit tcp any any eq 1863
    420 permit udp any any range 1024 65535 (43302 matches)
    430 permit tcp any any range 6891 6900
    440 permit tcp any any eq 56740 (795300 matches)
    450 permit udp any any eq snmp
    470 permit udp any any eq snmp
    480 permit icmp any any echo (242 matches)
    490 permit icmp any any echo-reply
    500 permit icmp any any packet-too-big
    510 permit icmp any any time-exceeded (17 matches)
    520 permit icmp any any unreachable (2491 matches)
    530 deny icmp any any (9 matches)
    540 deny tcp any range 0 65535 any range 0 65535 (1212 matches)
    550 deny udp any range 0 65535 any range 0 65535 (47 matches)
    560 deny ip any any

9: If the changes are correct you could end the configuration mode and save your configuration.

Jyrki-877-nlbeks69(config-ext-nacl)#end
Jyrki-877-nlbeks69#wr
Building configuration…
[OK]

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s