Solved

How can we assign multiple access-groups to a single interface?

Posted on 2004-08-15
8
221 Views
Last Modified: 2010-04-17
Hello all,
I have a Cisco 2600 series router, and I have to make a lot of access-lists in this router for interface ethernet 0/0,
but on any interface I can put only one access-group in or out.
For example, if I have to put access-group 111 and access-group 112 on the same interface, I can't do that.

Is there any process so that I can put multiple access-groups on a single interface?

Second,
I just made only one access-group 111 on int ethernet 0/0 and
made the access-list like this:

interface Ethernet0
 
 ip address 192.168.64.1 255.255.255.0
 ip access-group 111 in
 ip nat inside
 ip route-cache flow
 half-duplex
!
access-list 111 permit tcp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq www
access-list 111 permit udp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq 80
access-list 111 permit tcp 192.168.65.0 0.0.0.7 host 203.78.173.25 eq telnet
access-list 111 permit tcp 192.168.65.0 0.0.0.7 host 195.27.162.31 eq www
access-list 111 permit tcp 192.168.65.0 0.0.0.7 host 195.27.162.31 eq 443
access-list 111 permit tcp 192.168.65.0 0.0.0.7 host 195.27.162.155 eq 443
access-list 111 permit udp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq domain
access-list 111 permit tcp 192.168.65.16 0.0.0.7 host 195.27.162.155 eq 443
access-list 111 permit udp 192.168.65.16 0.0.0.7 host 203.78.172.34 eq domain
access-list 111 permit tcp 192.168.65.16 0.0.0.7 host 203.78.173.25 eq telnet
access-list 111 permit tcp 192.168.65.16 0.0.0.7 host 203.78.172.34 eq www
access-list 111 permit udp 192.168.65.16 0.0.0.7 host 203.78.172.34 eq 80
access-list 111 permit tcp 192.168.65.16 0.0.0.7 host 195.27.162.31 eq www
access-list 111 permit tcp 192.168.65.16 0.0.0.7 host 195.27.162.31 eq 443
access-list 111 permit ip 192.168.65.32 0.0.0.7 any
access-list 111 permit ip 192.168.64.0 0.0.0.255 any
access-list 111 permit tcp 192.168.65.24 0.0.0.7 host 203.78.172.34 eq www
access-list 111 permit udp 192.168.65.24 0.0.0.7 host 203.78.172.34 eq 80
access-list 111 permit udp 192.168.65.24 0.0.0.7 host 203.78.172.34 eq domain
access-list 111 permit tcp 192.168.65.24 0.0.0.7 host 203.78.173.25 eq telnet
access-list 111 permit tcp 192.168.65.24 0.0.0.7 host 195.27.162.31 eq www
access-list 111 permit tcp 192.168.65.24 0.0.0.7 host 195.27.162.31 eq 443
access-list 111 permit tcp 192.168.65.24 0.0.0.7 host 195.27.162.155 eq 443
access-list 111 permit tcp 192.168.65.64 0.0.0.31 host 203.78.172.34 eq www
access-list 111 permit udp 192.168.65.64 0.0.0.31 host 203.78.172.34 eq 80
access-list 111 permit udp 192.168.65.64 0.0.0.31 host 203.78.172.34 eq domain
access-list 111 permit tcp 192.168.65.64 0.0.0.31 host 203.78.173.25 eq telnet
access-list 111 permit tcp 192.168.65.64 0.0.0.31 host 195.27.162.31 eq www
access-list 111 permit tcp 192.168.65.64 0.0.0.31 host 195.27.162.31 eq 443
access-list 111 permit tcp 192.168.65.64 0.0.0.31 host 195.27.162.155 eq 443
access-list 111 permit ip host 192.168.65.67 any
access-list 111 permit ip host 192.168.65.68 any
access-list 111 permit ip host 192.168.65.69 any
access-list 111 permit ip host 192.168.65.70 any
access-list 111 permit ip host 192.168.65.71 any


I have that many access-list entries... My problem is that if I have to remove any one network's access-list entry, the whole access-list will be removed.
If I make separate access-lists like access-list 111, access-list 222, I can't put all these access-lists on a single interface ethernet 0/0.
Can you please help me to solve this problem?


sachham
0
Question by:sachham
8 Comments
 
LVL 8

Expert Comment

by:MarkDozier
ID: 11807561
First rule of access-lists:
ALWAYS HAVE A COPY. Do a cut and paste of the access list into Notepad. Save this as the original.
Now save the file as NEW Access-list. Make your modification and save this, but leave it open in Notepad. Do a copy of the new access list.
On the router, delete the access list and then paste the new access list into the router and test it. If it works, good; if not, you cut the new one and paste the original back until you figure out the problem.

The second answer to your question is a little more difficult and involves the use of Context-based access lists.
So first you need to get a good grasp of the basics of access-lists, then you can start doing CBAC.
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 125 total points
ID: 11809040
You can only have one access-list inbound and one outbound per interface.  There is no way to change this.  If working with a large access-list use notepad like MarkDozier suggests to ease modification to the list.  You could also use named access lists which allow you to remove one line without removing the entire list.  The downside is that new statements append only to the bottom so you may end up using the notepad method anyway.  To use named access-lists, use the following command:

ip access-list extended <name>  (use whatever name you want, it is case sensitive)
permit tcp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq www
permit tcp 192.168.65.0 0.0.0.7 host 203.78.173.25 eq telnet
...

To remove the second line without removing the entire list, you can do the following:

ip access-list extended <name>
no permit tcp 192.168.65.0 0.0.0.7 host 203.78.173.25 eq telnet

Only the one command will be removed, all others will remain.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 11809306
You guys know we have sequence numbers on ACL's now, right?

I don't know about y'all, but I've been waiting YEARS for this.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122s/122snwft/release/122s14/fsaclseq.htm

-Don
0
 
LVL 11

Expert Comment

by:PennGwyn
ID: 11816235
We have sequence numbers ON RECENT VERSIONS of IOS.  All we know about this router is that it's a 2600 -- there's an awful lot of gear out there on 11.2 still....

0
 

Author Comment

by:sachham
ID: 11837807
Hello all,

Thanks for your reply, but my problem is still the same if I do named access-lists like this:

ip access-list extended aaa
permit tcp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq www
permit tcp 192.168.65.0 0.0.0.7 host 203.78.173.25 eq telnet

ip access-list extended bbb
permit tcp 192.168.64.0 0.0.0.7 host 203.78.172.34 eq www
permit tcp 192.168.64.0 0.0.0.7 host 203.78.173.25 eq telnet

In this scenario I can only put access-group aaa in/out or access-group bbb in/out on interface ethernet 0/0.
I can't put both the aaa and bbb access-lists on a single interface.
I want to put more than one access-group on a single interface. Is there any other command so that I can put more than one access-group on a single interface?

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11840218
Why not just combine the two lists?

ip access-list extended aaa
permit tcp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq www
permit tcp 192.168.65.0 0.0.0.7 host 203.78.173.25 eq telnet
permit tcp 192.168.64.0 0.0.0.7 host 203.78.172.34 eq www
permit tcp 192.168.64.0 0.0.0.7 host 203.78.173.25 eq telnet

You can not add more than one access-list in the same direction on an interface.

0
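As an added example that is not part of the thread (written for this page, not by any of the participants), the following Python models how an extended ACL is evaluated on IOS (first match wins, implicit deny at the end) and checks that merging the asker's aaa and bbb lists into one, as suggested above, gives the same permit/deny decision as the two lists would separately. The ACL model, the helper names and the restriction to the entry shape used in the thread are assumptions of this example.

```python
# Added example, not from the thread: a minimal model of how IOS evaluates an
# extended ACL (first match wins, implicit "deny ip any any" at the end), used
# to check that merging the asker's lists "aaa" and "bbb" into one list keeps
# the same permit/deny decisions. Assumption: only entries of the form
# "<permit|deny> <proto> <net> <wildcard> host <ip> eq <port>" are modelled.
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23, "domain": 53}

def parse_ace(line):
    """Turn one ACL entry into a dict of its match fields."""
    f = line.split()
    port = PORT_NAMES.get(f[7])
    if port is None:
        port = int(f[7])
    return {"action": f[0], "proto": f[1], "src": f[2], "wild": f[3],
            "dst": f[5], "port": port}

def src_matches(addr, net, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr)) & care
    n = int(ipaddress.IPv4Address(net)) & care
    return a == n

def evaluate(acl, proto, src, dst, port):
    """Walk the list in order; the first matching entry decides."""
    for ace in acl:
        if (ace["proto"] == proto and ace["dst"] == dst and ace["port"] == port
                and src_matches(src, ace["src"], ace["wild"])):
            return ace["action"]
    return "deny"  # implicit deny that ends every IOS ACL

# The two named lists exactly as posted in the question.
AAA = ["permit tcp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq www",
       "permit tcp 192.168.65.0 0.0.0.7 host 203.78.173.25 eq telnet"]
BBB = ["permit tcp 192.168.64.0 0.0.0.7 host 203.78.172.34 eq www",
       "permit tcp 192.168.64.0 0.0.0.7 host 203.78.173.25 eq telnet"]

def combined():
    """The single list JFrederick29 proposes: aaa's entries, then bbb's."""
    return [parse_ace(l) for l in AAA + BBB]

def same_decision_as_two_lists(proto, src, dst, port):
    """True when the merged list permits a flow exactly when aaa or bbb would."""
    separate = {evaluate([parse_ace(l) for l in AAA], proto, src, dst, port),
                evaluate([parse_ace(l) for l in BBB], proto, src, dst, port)}
    want = "permit" if "permit" in separate else "deny"
    return evaluate(combined(), proto, src, dst, port) == want
```

Because a 0.0.0.7 wildcard covers eight addresses, a source such as 192.168.65.8 falls outside aaa's first entry and ends at the implicit deny, which the model shows as well.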
 
LVL 50

Expert Comment

by:Don Johnston
ID: 15651435
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

RECOMMENDATION: Award points to JFrederick29

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

donjohnston
EE Cleanup Volunteer
0
