• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 516

cisco ios delete firewall rule

I created new fw access rules from 15 through 19... after the fact I tried closing the access rule using a "16 deny tcp..." instead of the "permit" statement, but I get a message saying "there is a duplicate rule"

at this point I need to know the delete statement for an access firewall rule
0
Asked:
whocaresaboutit
2 Solutions
 
Istvan KalmarCommented:
Please delete the last command:

no access-list xxxx
and go forward, type the new lines
0
 
whocaresaboutitAuthor Commented:
is that going to delete the access list xxxx ?
0
 
Istvan KalmarCommented:
the last line that you entered deny....
0
 
Istvan KalmarCommented:
or delete it from ASDM; for configuring ACLs it is easiest.....
0
 
whocaresaboutitAuthor Commented:

deny to the last line doesn't work: this is after the fact, I have the command line on cache

only access is via serial

getting a: # Duplicate sequence number
0
 
whocaresaboutitAuthor Commented:
deny to the last line doesn't work: this is after the fact, I DON'T have the command line on cache

only access is via serial not ASDM

getting a: # Duplicate sequence number
0
 
Istvan KalmarCommented:
could you show me the config?
and the output for programming?
0
 
BumslawCommented:
It's kind of hard to tell unless you post the access list.

Also:

Some versions of Cisco IOS do not allow you to delete an ACE; you can only delete the entire list.

There is an implicit deny any on access list.  Do you need the last deny TCP statement?
0
 
Istvan KalmarCommented:
do you have a router or PIX??

you put this in the Zone: Cisco PIX Firewall
0
 
whocaresaboutitAuthor Commented:
it's a Cisco UC520...
0
 
Istvan KalmarCommented:
if you have a router, please show us the 'sh access-list' command output
0
 
whocaresaboutitAuthor Commented:

    10 permit ip 10.0.0.250 0.0.0.1 10.0.0.0 0.0.0.255
    14 permit tcp any host 55.55.55.55 eq pop3 (27 matches)
    15 permit tcp any host 55.55.55.55 eq 3389 (5605 matches)
    16 permit tcp any host 55.55.55.55 eq 443 (12 matches)
    17 permit tcp any host 55.55.55.55 eq 22 (9732 matches)
    18 permit tcp any host 55.55.55.55 eq ftp (18 matches)
    19 permit tcp any host 55.55.55.55 eq smtp (67 matches)
    20 permit udp any host 55.55.55.55 eq non500-isakmp (11045 matches)
    30 permit udp any host 55.55.55.55 eq isakmp (99 matches)
    40 permit esp any host 55.55.55.55(114 matches)
    50 permit ahp any host 55.55.55.55
    60 deny ip 10.1.10.0 0.0.0.3 any
    70 deny ip 192.168.10.0 0.0.0.255 any
    80 deny ip 10.1.1.0 0.0.0.255 any
    90 permit udp any eq bootps any eq bootpc
    100 permit icmp any any echo-reply
    110 permit icmp any any time-exceeded
    120 permit icmp any any unreachable (165 matches)
    130 deny ip 10.0.0.0 0.255.255.255 any
    140 deny ip 172.16.0.0 0.15.255.255 any
    150 deny ip 192.168.0.0 0.0.255.255 any
    160 deny ip 127.0.0.0 0.255.255.255 any
    170 deny ip host 255.255.255.255 any
    180 deny ip any any (12304 matches)
0
 
Istvan KalmarCommented:
conf t
 ip access-list extended xxx
no 180 deny ip any any
 
0
 
Istvan KalmarCommented:
for example....
0
 
whocaresaboutitAuthor Commented:

cisco(config)#no 18 deny 55.55.55.55 any any
                              ^
    % Invalid input detected at '^' marker.
0
 
Istvan KalmarCommented:
could you show me the whole config?????
0
 
BumslawCommented:
You do not need the deny any at the end of the access list.  There is an implicit deny any on PIX ACLs.
0
 
Istvan KalmarCommented:
it is not a PIX, it is a router :)
0
 
BumslawCommented:
The implicit deny any is also on Cisco router ACLs.  Also, if this is a router, you will not be able to delete one line of the ACL.  You need to remove the ACL entirely and reenter it, line by line, correctly and sequentially.  Just copy the correct information to a text file and copy/paste into conf t.
0
 
Istvan KalmarCommented:
Are you able to delete the line? :)
0
 
whocaresaboutitAuthor Commented:
Nope... :)

Waiting for someone to figure it out without having to copy the config and go through the trouble of filtering sensitive information before posting it here...
0
 
Istvan KalmarCommented:
try what I suggested:

what is the access-list name?? you did not write it to us...

conf t
 ip access-list extended xxx
no 18 permit tcp any host 55.55.55.55 eq ftp

0
 
whocaresaboutitAuthor Commented:
This is the result to that....

cisco(config)#no 18 deny 55.55.55.55 any any
                              ^
    % Invalid input detected at '^' marker.
0
 
BumslawCommented:
I may be wrong here (please tell me if I am) but you cannot delete one line from an ACL on a Cisco router.  You must delete the whole ACL, and type in each ACE one at a time.
0
 
Istvan KalmarCommented:
did you put 'ip access-list extended xxx' before it,

where the xxx is the ACL name?????
0
 
BumslawCommented:
So, copy the ACL entries, modify them accordingly, delete the old ACL, and paste the new config into the router's conf t.

Apply it to the interface.

Just to clarify what you're looking for:
You said: "at this point I need to know the delete statement for an access firewall rule"

The answer is you can't.  Not one single line, only the whole rule.
0
 
BumslawCommented:
I believe you can delete a line from a named ACL, but not a numbered ACL.  Just retype it in Notepad and paste it into the CLI.
0
 
Istvan KalmarCommented:
please show us the config; it will be better than this ping-pong....
0
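The thread never shows the full, working sequence, so here is an added IOS session illustrating what Istvan Kalmar's answer requires: enter the named ACL's configuration sub-mode first, then remove an entry by its sequence number. This is an added example and not a command transcript from the thread; the ACL name OUTSIDE-IN is a placeholder (the author never gave the real name), and sequence numbers 16 and 18 are taken from the `show access-list` output posted above. It also shows how to convert entry 16 from permit to deny without hitting "Duplicate sequence number".

```cisco
! Added example (not from the thread). Assumes the named extended ACL is
! called OUTSIDE-IN; substitute the real name from "show ip access-lists".

cisco# show ip access-lists OUTSIDE-IN        ! confirm name and sequence numbers first
cisco# configure terminal
cisco(config)# ip access-list extended OUTSIDE-IN
! Inside ACL configuration mode, "no <sequence>" removes that single ACE.
cisco(config-ext-nacl)# no 18
! To change entry 16 from permit to deny, remove it first: re-adding
! sequence 16 while it still exists is what produces "Duplicate sequence number".
cisco(config-ext-nacl)# no 16
cisco(config-ext-nacl)# 16 deny tcp any host 55.55.55.55 eq 443
cisco(config-ext-nacl)# end
cisco# show ip access-lists OUTSIDE-IN        ! verify: 18 gone, 16 now deny
```

Two things visible in the author's failed attempt explain the `% Invalid input` error: the prompt reads `cisco(config)#`, i.e. global configuration mode rather than the `(config-ext-nacl)#` sub-mode that accepts `no <sequence>`, and the line `no 18 deny 55.55.55.55 any any` has no protocol keyword (`ip`, `tcp`, ...) where IOS expects one after `deny`. On IOS releases that support ACL sequence numbers, a numbered ACL can be edited the same way by entering `ip access-list extended <number>`. From a defender's point of view, the explicit `deny ip any any` at sequence 180 is worth keeping even though the implicit deny makes it redundant: it is the line that carries the match counter shown in the posted output (12304 matches) and it can take the `log` keyword, neither of which the implicit deny offers.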
