amanzoor

Access List for Cisco Router 2600

Hi there
We have a CISCO 2600 router.  Is it necessary to delete the existing ACL to make the newly added changes work?  Do I need to copy the whole ACL, i.e. starting from the 'Current Configuration' till the 'end', or can I just copy each command 'access-list permit.........' individually?  Can you please tell me the easier way?
1- I tested copying it in the command prompt from a notepad; it keeps on adding the C prompt at the beginning of each command.
2- If I delete the access list completely, does it mean I cannot go back?
Help please
ajablons

I'm not sure what you are trying to do, but you should be able to cut/paste from notepad.

Copy the ACL from 'show running-config' into notepad or some text editor. You can then manipulate it and paste it into the router (config mode).

You can also do the lines individually.

What is your main goal?
amanzoor

ASKER

I am trying to map three external IP addresses to a single internal IP address, i.e.
redirect   66.207.100.153 to 10.10.10.101:81,  66.207.100.154 to 10.10.10.101:82 and  66.207.100.155 to 10.10.10.101:83
I am not sure where to write the commands for these, or the easier way to write/amend the access list.  Do you want me to paste the running config here?

Those aren't things an access-list does.

ASKER CERTIFIED SOLUTION
MarkDozier

Thanks MarkDozier
I would also want to fit in this line too:
'access-list 101 permit tcp any host 216.185.84.189 eq 5336'

Here is my config:

clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
ip host accpac.ggw.net 199.243.98.20
ip host switch 10.10.10.253
ip name-server 207.176.128.2
ip name-server 216.185.84.94
ip name-server 206.186.75.138
ip name-server 209.5.210.134
!
ip inspect audit-trail
ip inspect name inter tcp
ip inspect name inter udp
ip inspect name inter ftp
ip inspect name inter http
ip inspect name inter smtp
ip inspect name inter tftp
ip inspect name inter cuseeme
ip inspect name inter h323
ip inspect name inter rcmd
ip inspect name inter realaudio
ip inspect name inter sqlnet
ip inspect name inter streamworks
ip inspect name inter vdolive
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
 speed 100
 full-duplex
 fair-queue 64 256 0
!
interface FastEthernet0/0.10
 description CAMPUS VLAN
 encapsulation dot1Q 10
 ip address 10.10.10.254 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 ip nat inside
!
interface FastEthernet0/0.801
 description CONNECTION TO other campus
 encapsulation dot1Q 801
 ip address 10.10.11.254 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 ip nat inside
!
interface FastEthernet0/0.908
 description INTERNET VIA provider
 bandwidth 1000000
 encapsulation dot1Q 908
 ip address 216.185.84.62 255.255.255.252
 ip access-group 101 in
 no ip redirects
 no ip directed-broadcast
 ip nat outside
 ip inspect inter out
!
ip nat translation timeout 1600
ip nat pool inter 216.185.84.185 216.185.84.185 netmask 255.255.255.248
ip nat inside source list 1 pool inter overload
ip nat inside source static 10.10.10.18 216.185.84.187
ip nat inside source static 10.10.10.20 216.185.84.186
ip nat inside source static 10.10.10.99 216.185.84.190
ip nat inside source static 10.10.10.101 216.185.84.189
ip nat inside source static 10.10.10.3 216.185.84.188
ip nat inside source static tcp 10.10.10.20 8080 216.185.84.186 80 extendable
ip nat inside source static tcp 10.10.10.20 5336 216.185.84.186 5336 extendable
ip nat inside source static udp 10.10.10.20 500 216.185.84.186 500 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 216.185.84.61
no ip http server
!
!
map-list nat
!
map-list ip
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.11.0 0.0.0.255
access-list 98 permit 24.244.193.6
access-list 98 permit 216.94.53.126
access-list 101 permit tcp host 199.243.98.20 any eq 135
access-list 101 remark Inbound Internet Access List
access-list 101 permit tcp host 216.94.53.126 host 216.185.84.62 eq telnet
access-list 101 permit tcp host 24.244.193.6 host 216.185.84.62 eq telnet
access-list 101 permit esp any host 216.185.84.186
access-list 101 permit esp any host 216.185.84.187
access-list 101 permit ahp any host 216.185.84.186
access-list 101 permit ahp any host 216.185.84.187
access-list 101 permit tcp any host 216.185.84.186 eq www
access-list 101 permit tcp any host 216.185.84.186 eq 8080
access-list 101 permit tcp any host 216.185.84.186 eq 5336
access-list 101 permit udp any host 216.185.84.186 eq isakmp
access-list 101 permit udp any host 216.185.84.187 eq isakmp
access-list 101 permit tcp any host 216.185.84.187 eq smtp
access-list 101 permit tcp any host 216.185.84.187 eq www
access-list 101 permit tcp any host 216.185.84.187 eq 443
access-list 101 permit tcp any host 216.185.84.187 eq 8098
access-list 101 permit tcp any host 216.185.84.187 eq 8099
access-list 101 permit tcp any host 216.185.84.187 eq pop3
access-list 101 permit tcp any host 216.185.84.189 eq 1723
access-list 101 permit gre any host 216.185.84.189
access-list 101 permit tcp any host 216.185.84.189 eq www
access-list 101 permit tcp any host 216.185.84.189 eq smtp
access-list 101 permit tcp any host 216.185.84.189 eq pop3
access-list 101 permit tcp any host 216.185.84.189 eq 8080
access-list 101 permit tcp any host 216.185.84.189 eq 8383
access-list 101 permit tcp any host 216.185.84.189 eq 8181
access-list 101 permit tcp any host 216.185.84.189 eq 19815
access-list 101 permit tcp any host 216.185.84.189 eq 81
access-list 101 permit tcp any host 216.185.84.189 eq 82
access-list 101 permit tcp any host 216.185.84.189 eq 8093
access-list 101 permit tcp any host 216.185.84.188 eq ftp
access-list 101 permit tcp any host 216.185.84.190 eq www
access-list 101 permit ip any host 216.185.84.190
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 permit udp host 199.212.17.35 host 216.185.84.62 eq ntp
access-list 101 permit udp host 199.212.17.34 host 216.185.84.62 eq ntp
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any packet-too-big
access-list 101 deny   ip any any log
banner motd ^CC

*** UNAUTHORIZED ACCESS IS PROHIBITED!  ALL ACTIVITY IS LOGGED! ***

^C
!
line con 0
 exec-timeout 9 0
 password
 logging synchronous
 login
 transport input none
line aux 0
line vty 0 3
 exec-timeout 9 0
 password
 logging synchronous
 login
line vty 4
 exec-timeout 9 0
 password
 logging synchronous
 login
 transport input pad v120 telnet rlogin udptn
!
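
An added example (not part of the thread and not Cisco code): a minimal first-match evaluator in Python, run over a subset of the ACL 101 entries posted above. It shows why a line typed in as `access-list 101 permit ...` on a classic numbered ACL is appended after `deny   ip any any log` and never matches, which is why the list is edited in a text editor and re-entered as a whole. The source address 198.51.100.7 and all function names are assumptions made for the example.

```python
import ipaddress

PORTS = {"www": 80, "smtp": 25, "pop3": 110, "telnet": 23, "ftp": 21}
ip2int = lambda a: int(ipaddress.IPv4Address(a))

def _addr(tok):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (ip2int(tok[1]), 0), tok[2:]
    return (ip2int(tok[0]), ip2int(tok[1])), tok[2:]

def parse_ace(line):
    tok = line.split()[2:]                  # drop 'access-list 101'
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, tok = _addr(tok)
    dst, tok = _addr(tok)
    port = None
    if tok[:1] == ["eq"]:
        port = PORTS.get(tok[1]) or int(tok[1])
    return action, proto, src, dst, port

def _hit(spec, ip):
    base, wild = spec                       # wildcard bits are "don't care"
    return (ip2int(ip) | wild) == (base | wild)

def first_match(acl, proto, src, dst, dport):
    """Return (entry number, action) of the first entry that matches."""
    for n, line in enumerate(acl, 1):
        action, p, s, d, port = parse_ace(line)
        if p in ("ip", proto) and _hit(s, src) and _hit(d, dst) and port in (None, dport):
            return n, action
    return None, "deny"                     # implicit deny at the end of every ACL

# Subset of ACL 101 as posted above, in the same order.
ACL = [
    "access-list 101 permit tcp any host 216.185.84.189 eq www",
    "access-list 101 permit tcp any host 216.185.84.189 eq 81",
    "access-list 101 permit tcp any host 216.185.84.190 eq www",
    "access-list 101 permit ip any host 216.185.84.190",
    "access-list 101 deny   ip 10.0.0.0 0.255.255.255 any",
    "access-list 101 deny   ip any any log",
]
NEW = "access-list 101 permit tcp any host 216.185.84.189 eq 5336"

# Constructed test packet: 198.51.100.7 (documentation range) to .189, TCP 5336.
PKT = ("tcp", "198.51.100.7", "216.185.84.189", 5336)
appended = ACL + [NEW]                      # line typed into the existing list
rebuilt = ACL[:-1] + [NEW, ACL[-1]]         # list re-entered with the line above the deny

if __name__ == "__main__":
    print("appended:", first_match(appended, *PKT))
    print("rebuilt: ", first_match(rebuilt, *PKT))
```

If the list is removed with `no access-list 101` while `ip access-group 101 in` is still applied, the interface passes traffic unfiltered until the entries are pasted back, so have the edited copy ready in the text editor before removing anything.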
Hello MarkDozier
Have you received my comments dated 10/20?