Editing Cisco ACLs Inline

Are you annoyed at having to copy an ACL to a text editor to add a line?  After that, you have to either remove the ACL entirely and re-enter it, or add the new version under a different name and update every interface to use the new name.  Removing the ACL is the worse of the two: while an interface references an ACL that does not exist, IOS passes all traffic on that interface, so you are wide open until the last line is pasted back in.  I have been using the following trick recently to edit ACLs inline without having to completely remove or rewrite the ACL.

Suppose you have the following ACL, which is used in conjunction with IOS Firewall (I will not detail IOS Firewall at this time).

You find out that you now need to add a public web server located at 192.0.2.80.  You also need to block an abusive network in another country (198.51.100.0/24) from reaching your site at all.  You can use the following trick to edit the ACL inline.

First, run show ip access-lists to see the auto-assigned sequence numbers.  By default IOS numbers the entries 10, 20, 30 and so on, which leaves room to slip new entries in between.


Router#show access-lists wan-in
Extended IP access list wan-in
    10 permit icmp any any echo
    20 permit icmp any any echo-reply
    30 permit icmp any any unreachable
    40 permit icmp any any time-exceeded
    50 permit tcp any any eq 443
    60 permit tcp any any eq 22
    70 deny ip any any

Next we add the two rules at the positions we want.  In this case the block rule needs to be first, so it gets a sequence number below 10, and the www rule needs to come before the final deny, so it gets a number between 60 and 70.  Any unused number in the gap will do; entering a number that is already in use replaces that entry, so check the listing first.  Note also that permit tcp any any eq www opens HTTP to every host behind the router; if 192.0.2.80 is the only web server, permit tcp any host 192.0.2.80 eq www is the tighter rule.


Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip access-list extended wan-in
Router(config-ext-nacl)#5 deny ip 198.51.100.0 0.0.0.255 any
Router(config-ext-nacl)#65 permit tcp any any eq www

Finally, verify the change with both the show command and the running config.  The running config lists the entries in the right order but without sequence numbers: the numbers are not saved, and after a reload IOS renumbers the list 10, 20, 30 again.  If a gap ever fills up (say you need to insert between 65 and 70 a few times), ip access-list resequence wan-in 10 10 renumbers the whole list in place without touching the interface bindings.


Router#show ip access-lists wan-in
Extended IP access list wan-in
    5 deny ip 198.51.100.0 0.0.0.255 any
    10 permit icmp any any echo
    20 permit icmp any any echo-reply
    30 permit icmp any any unreachable
    40 permit icmp any any time-exceeded
    50 permit tcp any any eq 443
    60 permit tcp any any eq 22
    65 permit tcp any any eq www
    70 deny ip any any
Router#show running-config
...
!
ip access-list extended wan-in
 deny   ip 198.51.100.0 0.0.0.255 any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit tcp any any eq 443
 permit tcp any any eq 22
 permit tcp any any eq www
 deny   ip any any
!
...
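The following script is an added example and is not part of the original post or of Cisco's tooling.  It parses the output of show ip access-lists for the ACL above (embedded here as a constructed sample), picks a free sequence number that lands each new rule exactly where it should go, and prints the config lines to paste in.  It also handles the case the post does not show: when two existing entries have consecutive numbers and there is no room, it emits ip access-list resequence first and renumbers its local copy to match.  The function names and the "tight" ACL in the stand-alone run are my own.

```python
"""Plan an inline Cisco IOS ACL edit from 'show ip access-lists' output.

Added example for the inline-edit technique described above (not the post's
own code).  Assumes IOS semantics: entries are evaluated in sequence-number
order, an unused number can be given to a new entry in named-ACL config
mode, and 'ip access-list resequence <name> <start> <inc>' renumbers a list.
"""
import re
from dataclasses import dataclass

# Constructed sample: the 'wan-in' ACL as listed on the page before editing.
SHOW_OUTPUT = """\
Extended IP access list wan-in
    10 permit icmp any any echo
    20 permit icmp any any echo-reply
    30 permit icmp any any unreachable
    40 permit icmp any any time-exceeded
    50 permit tcp any any eq 443
    60 permit tcp any any eq 22
    70 deny ip any any
"""

HEADER_RE = re.compile(r"^(Extended|Standard) IP access list (\S+)")
# Entry lines may carry a trailing "(N matches)" counter; strip it.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)\s*(?:\(\d+ matches\))?$")


@dataclass
class Entry:
    seq: int
    rule: str  # e.g. "deny ip any any"


def parse_acl(text):
    """Return (kind, name, entries) from a 'show ip access-lists <name>' listing."""
    lines = text.strip().splitlines()
    hm = HEADER_RE.match(lines[0])
    if not hm:
        raise ValueError("not a 'show ip access-lists' listing")
    entries = []
    for line in lines[1:]:
        em = ENTRY_RE.match(line)
        if em:
            entries.append(Entry(int(em.group(1)), f"{em.group(2)} {em.group(3)}"))
    return hm.group(1).lower(), hm.group(2), sorted(entries, key=lambda e: e.seq)


def free_seq_before(entries, target_seq):
    """Pick a number strictly between the entry preceding target_seq and target_seq.

    Returns None when the two numbers are consecutive (no room to insert).
    The midpoint is chosen so later inserts on either side still have space.
    """
    seqs = [e.seq for e in entries]
    if target_seq not in seqs:
        raise ValueError(f"no entry with sequence number {target_seq}")
    idx = seqs.index(target_seq)
    lower = seqs[idx - 1] if idx > 0 else 0
    if target_seq - lower < 2:
        return None
    return lower + (target_seq - lower) // 2


def render(kind, name, entries):
    """Re-create the 'show ip access-lists' style listing after the edit."""
    out = [f"{kind.capitalize()} IP access list {name}"]
    out += [f"    {e.seq} {e.rule}" for e in entries]
    return "\n".join(out) + "\n"


def plan_inline_edit(show_text, inserts):
    """inserts: list of (target_seq, rule); each rule is placed immediately
    before the entry currently numbered target_seq.  Returns the config lines
    to enter and the expected listing afterwards."""
    kind, name, entries = parse_acl(show_text)
    config, in_acl = [], False
    for target_seq, rule in inserts:
        seq = free_seq_before(entries, target_seq)
        if seq is None:
            # Gap exhausted: renumber 10, 20, 30, ... then retry.  The
            # resequence command is global config, so leave the ACL submode.
            if in_acl:
                config.append(" exit")
                in_acl = False
            config.append(f"ip access-list resequence {name} 10 10")
            new_numbers = {e.seq: 10 * (i + 1) for i, e in enumerate(entries)}
            for e in entries:
                e.seq = new_numbers[e.seq]
            target_seq = new_numbers[target_seq]
            seq = free_seq_before(entries, target_seq)
        if not in_acl:
            config.append(f"ip access-list {kind} {name}")
            in_acl = True
        config.append(f" {seq} {rule}")
        entries.append(Entry(seq, rule))
        entries.sort(key=lambda e: e.seq)
    return config, render(kind, name, entries)


if __name__ == "__main__":
    cfg, after = plan_inline_edit(SHOW_OUTPUT, [
        (10, "deny ip 198.51.100.0 0.0.0.255 any"),   # before the first permit
        (70, "permit tcp any any eq www"),            # before the final deny
    ])
    print("\n".join(cfg))
    print(after)
```

Running it reproduces the two commands typed on the page (5 for the deny, 65 for the www permit) because the midpoint of a fresh 10-wide gap is the same number the author chose by hand.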
