Re: Access List question posted 11/04/1999


This would delete the access-lists, in effect making the "access-group"
statements refer to an implicit "permit any any".

But be forewarned...the ACRC text explicitly states that deleting an acl
while it is still applied to an interface can result in the router
rebooting.  This sounds like a bug that should have a fix by now, but I'm
not sure.

And actually, this method is going to create more work in the long run than
if the acl's were just unapplied from the interface.  Deleting the access
lists is nice and quick, but once he realized that the problem wasn't with
the acl's, he would have had to recreate them all over again, resulting in
a total of 25 lines of code.  If you were to just unapply the acl's, then
reapply them after testing, you would only need a total of 8 lines.

interface ethernet 0
no ip access-group 101 in
interface serial 0.1
no ip access-group 102 in

<then to go back>
interface ethernet 0
ip access-group 101 in
interface serial 0.1
ip access-group 102 in


Jamie Byrne


PS...what's the scoop with "ip inspect"?  I've never seen it and my 11.3
command reference doesn't have it.




At 09:21 AM 11/3/99 -0800, Steve Miller wrote:
>Eric,
>
>All you will need to do is from the global configuration prompt of the router
>type in: no access-list 101 (hit enter) and then: no access-list 102 (hit enter)
>After using the IOS and no for a little while you'll pick up that you can
>often remove grouped commands in one blow... take care :)
>
>steve
>
>Eric Ceradsky <eceradski@xxxxxxxxxxx> wrote in message
>news:7vp9f4$2vl$1@xxxxxxxxxxxxxxxxx
>> Hiya guys,
>>
>> Gotta question here.
>>
>> I installed and configured a 2501 with IP firewall feature pack for a Frame
>> Relay connection.
>>
>> I used Configmaker to setup the firewall. The firewall of course operates by
>> implementing access-lists.
>>
>> I want to disable all the access lists that I put on the router. Is there
>> any way to do this with one command, or do I need to go line per line and
>> manually disable each single one?
>>
>> Here is an example of what my running config looks like: (IP addresses have
>> been changed to protect the innocent :)
>>
>> The source of the problem (why I want to disable the lists) is for some
>> reason smtp traffic is getting out, but not getting in even though we
>> specifically have smtp traffic permitted.
>>
>> interface Ethernet0
>>  description connected to EthernetLAN
>>  ip address xxx.xxx.xxx.xxx 255.255.255.224
>>  ip access-group 101 in
>>  ip inspect Ethernet_0 in
>> !
>> interface Serial0
>>  no ip address
>>  encapsulation frame-relay IETF
>>  no ip mroute-cache
>>  frame-relay lmi-type ansi
>> !
>> interface Serial0.1 point-to-point
>>  description connected to Internet
>>  ip address xxx.xxx.xxx.xxx 255.255.255.252
>>  ip access-group 102 in
>>  ip inspect Serial_0 in
>>  bandwidth 1536
>>  frame-relay interface-dlci xx IETF
>> !
>> interface Serial1
>>  no ip address
>>  shutdown
>> !
>> router rip
>>  version 2
>>  passive-interface Serial0.1
>>  network 208.189.22.0
>>  no auto-summary
>> !
>> ip classless
>> ip route 0.0.0.0 0.0.0.0 Serial0.1
>> ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
>> access-list 101 deny   udp any any eq 8080
>> access-list 101 deny   udp any any eq 1028
>> access-list 101 deny   udp any any eq 1029
>> access-list 101 permit tcp any any eq www
>> access-list 101 deny   udp any any eq 139
>> access-list 101 permit ip any any
>> access-list 101 permit tcp any any eq smtp
>> access-list 102 deny   ip xxx.xxx.xxx.xxx 0.0.0.31 any
>> access-list 102 deny   icmp any xxx.xxx.xxx.xxx 0.0.0.31
>> access-list 102 deny   udp any xxx.xxx.xxx.xxx  0.0.0.31 eq 8080
>> access-list 102 deny   udp any xxx.xxx.xxx.xxx 0.0.0.31 eq bootpc
>> access-list 102 deny   udp any xxx.xxx.xxx.xxx  0.0.0.31 eq bootps
>> access-list 102 deny   udp any xxx.xxx.xxx.xxx 0.0.0.31 eq 19
>> access-list 102 deny   udp any xxx.xxx.xxx.xxx 0.0.0.31 eq echo
>> access-list 102 deny   udp any xxx.xxx.xxx.xxx 0.0.0.31 eq 139
>> access-list 102 deny   udp any xxx.xxx.xxx.xxx 0.0.0.31 eq 213
>> access-list 102 deny   udp any xxx.xxx.xxx.xxx 0.0.0.31 eq 524
>> access-list 102 deny   udp any xxx.xxx.xxx.xxx 0.0.0.31 eq 1028
>> access-list 102 deny   udp any xxx.xxx.xxx.xxx 0.0.0.31 eq 1029
>> access-list 102 permit tcp any xxx.xxx.xxx.xxx 0.0.0.31 eq www
>> access-list 102 permit ip any xxx.xxx.xxx.xxx 0.0.0.31
>> access-list 102 permit tcp any xxx.xxx.xxx.xxx 0.0.0.31 eq smtp
>> access-list 102 permit tcp host xxx.xxx.xxx.xxx any eq smtp
>> snmp-server community public RO
>> !
>>
>>
>>
>> ___________________________________
>> FAQ, list archives, and subscription info: http://www.groupstudy.com
>> Posting Guidelines: http://www.groupstudy.com/list/guide.html
>>
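
The unapply-and-reapply approach from the reply above, as an added example that is not part of the original thread: a Python script that reads a saved running config and builds both the "no ip access-group" commands and the matching restore commands, leaving the access-list definitions untouched. The sample config is constructed from the quoted interface stanzas, and the function names are hypothetical.

```python
import re

# Constructed sample: interface stanzas modelled on the quoted running config,
# including one stanza (Serial0) that has no ACL applied.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip access-group 101 in
 ip inspect Ethernet_0 in
!
interface Serial0
 no ip address
!
interface Serial0.1 point-to-point
 description connected to Internet
 ip access-group 102 in
 ip inspect Serial_0 in
!
access-list 101 permit ip any any
"""

IFACE = re.compile(r"^interface\s+(\S+)")
GROUP = re.compile(r"^\s+ip access-group\s+(\S+)\s+(in|out)\s*$")

def acl_bindings(config):
    """Return [(interface, acl, direction)] for every applied access-group."""
    bindings, current = [], None
    for line in config.splitlines():
        m = IFACE.match(line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):
            current = None          # left the interface stanza
        else:
            g = GROUP.match(line)
            if g and current:
                bindings.append((current, g.group(1), g.group(2)))
    return bindings

def detach_and_restore(config):
    """Build the commands that unapply the ACLs and the ones that reapply them."""
    detach, restore = [], []
    for iface, acl, direction in acl_bindings(config):
        detach += [f"interface {iface}", f" no ip access-group {acl} {direction}"]
        restore += [f"interface {iface}", f" ip access-group {acl} {direction}"]
    return detach, restore

if __name__ == "__main__":
    detach, restore = detach_and_restore(SAMPLE_CONFIG)
    print("\n".join(detach + ["! then, to go back"] + restore))
```

Saving the restore list before pasting the detach list gives a rollback that does not depend on retyping the ACLs.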