editing an ACL

MrWhitefolks asked:
I have a lengthy ACL on my border router. I was wondering about adding:

permit tcp any any established

to the inbound ACL

First, is this recommended? And if so, how can I place the statement before all of my deny statements without totally re-creating the ACL?

Thanks,
Sr. Systems Engineer
Top Expert 2008
Commented:
Yes, good idea, but you have to totally re-create the acl.

I use a script something like this that I can cut/paste into the config:

! Unbind the ACL from each interface that references it before deleting it.
! Note: the interface is unfiltered from here until the reapply at the end.
interface Ether 0/0
 no ip access-group outside_in in
!
interface Ether 0/1
 no ip access-group outside_in in
!
no ip access-list extended outside_in
!
ip access-list extended outside_in
! 'established' is a TCP-only keyword in IOS; 'permit ip ... established' is rejected
 permit tcp any any established
 deny   udp any any eq netbios-ns
 deny   udp any any eq netbios-dgm
 deny   udp any any eq 3052
 deny   tcp any any eq 1433
 deny   tcp any host <my interface ip> eq www
 deny   tcp any host <my interface ip> eq 139
 deny   ip 210.0.0.0 0.255.255.255 any
 deny   ip 211.0.0.0 0.255.255.255 any
 deny   ip 61.0.0.0 0.255.255.255 any
 permit icmp any any echo-reply
 permit icmp any any echo
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 permit udp any eq domain any
 permit udp host 140.142.16.34 eq ntp host <my interface ip> eq ntp
 permit ip host <my home ip> host <my interface ip>
! explicit final deny with logging so dropped traffic is visible in syslog
 deny   ip any any log
!
interface Ether 0/1
 ip access-group outside_in in

Commented:
As an option, you can avoid removing and re-applying the access list to the interface if you use a tftp server and conf net the access-list. This is a nice way to do it because you can then put your inbound filters under rcs or cvs for revision control.

So, the stored acl would look like:

no ip access-list extended outside_in
!
ip access-list extended outside_in
! 'established' is only valid on tcp entries in IOS
 permit tcp any any established
 deny   udp any any eq netbios-ns
[...snip...]
 deny   ip any any log
end

It also avoids all the cutting and pasting, which in the case of long ACLs is a pain and can be prone to errors.
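Both answers rebuild the ACL from a stored copy rather than editing it in place. The following is an added example, not code from either answer or the thread: a Python script that parses an IOS named extended ACL, inserts the new `permit tcp any any established` entry before the first deny, rejects `established` on any non-TCP entry (IOS accepts the keyword only for tcp), and emits the unbind / delete / recreate / rebind sequence the first answer pastes by hand. The `SAMPLE_ACL` text and the interface name `Ethernet0/1` are constructed for the example.

```python
"""Generate an IOS rebuild script for a named extended ACL with a new entry
placed before the first 'deny'. Added example; not the thread's own code."""
import re

# Constructed sample, trimmed from the thread's outside_in list.
SAMPLE_ACL = """\
ip access-list extended outside_in
 deny   udp any any eq netbios-ns
 deny   udp any any eq netbios-dgm
 deny   tcp any any eq 1433
 permit icmp any any echo-reply
 permit udp any eq domain any
 deny   ip any any log
"""


def parse_acl(text):
    """Return (acl_name, entries) from an 'ip access-list extended NAME' block.
    Comment lines ('!') and blank lines are skipped; entries are whitespace-trimmed."""
    lines = [l.strip() for l in text.splitlines()
             if l.strip() and not l.strip().startswith("!")]
    header = re.match(r"ip access-list extended (\S+)$", lines[0])
    if not header:
        raise ValueError("expected 'ip access-list extended NAME' header, got: %r" % lines[0])
    return header.group(1), lines[1:]


def validate_entry(entry):
    """Reject an entry IOS would refuse: 'established' only exists for tcp."""
    parts = entry.split()
    if len(parts) < 4 or parts[0] not in ("permit", "deny"):
        raise ValueError("not an ACL entry: %r" % entry)
    if "established" in parts and parts[1] != "tcp":
        raise ValueError("'established' is valid only on tcp entries: %r" % entry)


def insert_before_first_deny(entries, new_entry):
    """Return a new entry list with new_entry ahead of the first deny.
    Idempotent: if the entry is already present the list is returned unchanged."""
    validate_entry(new_entry)
    if new_entry in entries:
        return list(entries)
    idx = next((i for i, e in enumerate(entries) if e.startswith("deny")), len(entries))
    return entries[:idx] + [new_entry] + entries[idx:]


def build_rebuild_script(name, entries, interfaces):
    """Emit the unbind / delete / recreate / rebind config, one line per element,
    mirroring the paste-in script from the first answer."""
    out = []
    for intf in interfaces:                      # unbind first so the delete is clean
        out += ["interface %s" % intf, " no ip access-group %s in" % name, "!"]
    out += ["no ip access-list extended %s" % name, "!",
            "ip access-list extended %s" % name]
    out += [" " + e for e in entries]
    out.append("!")
    for intf in interfaces:                      # rebind; the interface is unfiltered until here
        out += ["interface %s" % intf, " ip access-group %s in" % name, "!"]
    out.append("end")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    acl_name, acl_entries = parse_acl(SAMPLE_ACL)
    rebuilt = insert_before_first_deny(acl_entries, "permit tcp any any established")
    print(build_rebuild_script(acl_name, rebuilt, ["Ethernet0/1"]))
```

Because the new line sits first, every later `deny tcp` entry now only sees SYN and other non-established segments; anything the router already lets out will have its replies admitted regardless of what follows, which is the behaviour the question is asking for and the reason the placement matters.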
