whocaresaboutit
asked on
cisco ios delete firewall rule
i created a new fw access rules from 15 through 19... after the fact I tried closing the access rule using a "16 deny tcp..." instead of the "permit" statement, but I get a message saying "there is a duplicate rule"
at this point I need to know the delete statement for an access firewall rule
ASKER
is that going to delete the access list xxxx ?
the last line that you entered deny....
or delete it from ASDM; for configuring ACLs it is the easiest.....
ASKER
deny to the last line doesn't work: this is after the fact, I have the command line on cache
only access is via serial
getting a: # Duplicate sequence number
ASKER
deny to the last line doesn't work: this is after the fact, I DONT have the command line on cache
only access is via serial not ASDM
getting a: # Duplicate sequence number
could you show me the config?
and the output for programming?
It's kind of hard to tell unless you post access list.
Also:
Some versions of Cisco IOS do not allow you to delete an ACE; you can only delete the entire list.
There is an implicit deny any on access list. Do you need the last deny TCP statement?
do you have router or pix??
you put this in the Zone: Cisco PIX Firewall
ASKER
it's a cisco uc520...
if you have a router, please show us the 'show access-list' command output
ASKER
10 permit ip 10.0.0.250 0.0.0.1 10.0.0.0 0.0.0.255
14 permit tcp any host 55.55.55.55 eq pop3 (27 matches)
15 permit tcp any host 55.55.55.55 eq 3389 (5605 matches)
16 permit tcp any host 55.55.55.55 eq 443 (12 matches)
17 permit tcp any host 55.55.55.55 eq 22 (9732 matches)
18 permit tcp any host 55.55.55.55 eq ftp (18 matches)
19 permit tcp any host 55.55.55.55 eq smtp (67 matches)
20 permit udp any host 55.55.55.55 eq non500-isakmp (11045 matches)
30 permit udp any host 55.55.55.55 eq isakmp (99 matches)
40 permit esp any host 55.55.55.55(114 matches)
50 permit ahp any host 55.55.55.55
60 deny ip 10.1.10.0 0.0.0.3 any
70 deny ip 192.168.10.0 0.0.0.255 any
80 deny ip 10.1.1.0 0.0.0.255 any
90 permit udp any eq bootps any eq bootpc
100 permit icmp any any echo-reply
110 permit icmp any any time-exceeded
120 permit icmp any any unreachable (165 matches)
130 deny ip 10.0.0.0 0.255.255.255 any
140 deny ip 172.16.0.0 0.15.255.255 any
150 deny ip 192.168.0.0 0.0.255.255 any
160 deny ip 127.0.0.0 0.255.255.255 any
170 deny ip host 255.255.255.255 any
180 deny ip any any (12304 matches)
conf t
ip access-list extended xxx
no 180 deny ip any any
for example....
ASKER
cisco(config)#no 18 deny 55.55.55.55 any any
^
% Invalid input detected at '^' marker.
could you show me the whole config?????
You do not need the deny any at the end of the access list. There is an implicit deny any on PIX acls.
it is not a pix, it is a router:)
The implicit deny any is also on Cisco router ACLs. Also, if this is a router, you will not be able to delete one line of the ACL. You need to remove the ACL entirely and re-enter it, line by line, correctly and sequentially. Just copy the correct information to a text file and copy/paste into conf t.
you able to delete the line?:)
ASKER
Nope... :)
Waiting for someone to figure it out without having to copy the config and go through the trouble of filtering sensitive information before posting it here...
try that I suggested:
what is the access-list name?? you did not write it to us...
conf t
ip access-list extended xxx
no 18 permit tcp any host 55.55.55.55 eq ftp
ASKER
This is the result to that....
cisco(config)#no 18 deny 55.55.55.55 any any
^
% Invalid input detected at '^' marker.
I may be wrong here (please tell me if I am) but you cannot delete one line from an ACL on a cisco router. You must delete the whole ACL, and type in each ACE one at a time.
did you put "ip access-list extended xxx" before it,
where the xxx is the ACL name?????
SO, copy the ACL entries, modify them accordingly, delete the old ACL, and paste the new config into the router's conf t.
Apply it to the interface.
Just to clarify what you're looking for:
You said: "at this point I need to know the delete statement for an access firewall rule"
The answer is you can't. not one single line, only the whole rule.
ASKER CERTIFIED SOLUTION
SOLUTION
no access-list xxxx
and go forward and type the new lines
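The thread shows two ways to change an entry in an IOS named extended ACL: remove the single ACE by its sequence number inside `ip access-list extended NAME` (which avoids the "Duplicate sequence number" error when re-adding it), or delete the whole ACL and re-enter it. The following added example (not from the thread or from Cisco) parses `show access-list` output like the one posted above and generates the command sequence for both approaches; the ACL name `xxx` and the sample lines are constructed for illustration.

```python
import re

# Constructed sample: excerpt of the "show access-list" output posted in the thread.
SAMPLE_ACL = """\
14 permit tcp any host 55.55.55.55 eq pop3 (27 matches)
15 permit tcp any host 55.55.55.55 eq 3389 (5605 matches)
16 permit tcp any host 55.55.55.55 eq 443 (12 matches)
17 permit tcp any host 55.55.55.55 eq 22 (9732 matches)
18 permit tcp any host 55.55.55.55 eq ftp (18 matches)
180 deny ip any any (12304 matches)
"""

# sequence number, action, the rest of the ACE, optional hit counter (which must not be re-entered)
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.+?)(?:\s*\(\d+ matches\))?\s*$")

def parse_aces(show_output):
    """Return a list of (seq, action, rest) tuples from 'show access-list' lines."""
    aces = []
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.append((int(m.group(1)), m.group(2), m.group(3)))
    return aces

def replace_ace_commands(acl_name, aces, seq, new_action):
    """Swap one ACE's action in place, keeping its sequence number.
    IOS refuses a second entry with an existing sequence number, so the old ACE
    is removed with 'no <seq>' inside the ACL submode before the new one is added."""
    match = [a for a in aces if a[0] == seq]
    if not match:
        raise ValueError(f"sequence {seq} not present in ACL {acl_name}")
    _, _, rest = match[0]
    return [
        "configure terminal",
        f"ip access-list extended {acl_name}",
        f"no {seq}",
        f"{seq} {new_action} {rest}",
        "end",
    ]

def rebuild_acl_commands(acl_name, aces, drop_seqs=()):
    """Fallback described in the thread: delete the whole ACL and re-enter it.
    Caveat: while the ACL does not exist, an interface still referencing it via
    'ip access-group' filters nothing, so paste the rebuild in one go."""
    cmds = ["configure terminal",
            f"no ip access-list extended {acl_name}",
            f"ip access-list extended {acl_name}"]
    for seq, action, rest in aces:
        if seq not in drop_seqs:          # e.g. drop the redundant 'deny ip any any'
            cmds.append(f"{seq} {action} {rest}")
    cmds.append("end")
    return cmds
```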