Cisco Router Configuration - How do you know if an Access-List is being applied?

Hello Cisco Experts,

I have inherited a router that has a bunch of access-lists configured. Most of them are extended lists that seem to be not in use by the lines that is configured. I'm not questioning whether they should be used or not, I just want to find out how to know whether they are being applied or if not, I will delete them.

Also is there any reason why I should be careful if I delete a unused access-list? I will be taking over admin from here on.

Thanks!
LVL 1
katredrumAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lrmooreCommented:
Access lists can be applied to many things, not just interfaces.
They can be applied to interfaces
They can be used to define NAT traffic
They can be used to apply to route-maps
They can be used to define VPN traffic
You just need to see the whole config to see what acls are being applied where.
"show ip interface x/x" will tell you if any acls are applied to the interface.
If you need help, just post the config. Edit the public IP addresses and any text that gives out too much information..
0
katredrumAuthor Commented:
I will be on a trip so I will post back if I need assistance by Monday or Tuesday.
0
dylan_leggattCommented:
If the running-config is long and your paranoid about missing the list being applied somewhere you can do a

sh run | i <name_of_access-list>

If the output of this command is only the ACL you know its not being applied somewhere. If it returns anything else like IRmoore mentions above its probably in use
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

katredrumAuthor Commented:
dylan_leggatt, I tried the command you suggested and I am not confident because one access-list in know I need did not have any output after I ran the command.

Is it accurate when I do a show access-list command that if there is no matches, then the line is not in use? Or if not, why does some lines have matches (i.e. 10583 matches) and some doesn't. I am also not using the "log" entry at the end of each line.
0
katredrumAuthor Commented:
Here is my config. Can anyone help?

version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 52000 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authentication login sdm_vpn_xauth_ml_4 local
aaa authentication login sdm_vpn_xauth_ml_5 local
aaa authentication login sdm_vpn_xauth_ml_6 local
aaa authentication login sdm_vpn_xauth_ml_7 local
aaa authentication login sdm_vpn_xauth_ml_8 local
aaa authentication login sdm_vpn_xauth_ml_9 local
aaa authentication login sdm_vpn_xauth_ml_10 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
aaa authorization network sdm_vpn_group_ml_4 local
aaa authorization network sdm_vpn_group_ml_5 local
aaa authorization network sdm_vpn_group_ml_6 local
aaa authorization network sdm_vpn_group_ml_7 local
aaa authorization network sdm_vpn_group_ml_8 local
aaa authorization network sdm_vpn_group_ml_9 local
aaa authorization network sdm_vpn_group_ml_10 local
!
aaa session-id common
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
ip dhcp smart-relay
ip dhcp relay information option
!
!
no ip bootp server
ip name-server 4.2.2.2
ip name-server 64.65.64.1
ip inspect name sdm_ins_in_100 dns
ip inspect name sdm_ins_in_100 https
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 http
ip inspect name sdm_ins_out_100 https
ip inspect name sdm_ins_out_100 http
ip inspect name sdm_ins_out_100 tcp
ip inspect name sdm_ins_out_100 udp
ip inspect name sdm_ins_out_100 ftp
ip inspect name SDM_LOW http
ip inspect name SDM_LOW https
!
!
!
!
!
class-map match-any VOICE
 match  dscp ef
!
!
policy-map QOS
 class VOICE
  priority 512

!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-des esp-md5-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
crypto dynamic-map SDM_DYNMAP_2 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
crypto dynamic-map SDM_DYNMAP_3 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_9
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_9
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto map SDM_CMAP_2 client authentication list sdm_vpn_xauth_ml_4
crypto map SDM_CMAP_2 isakmp authorization list sdm_vpn_group_ml_4
crypto map SDM_CMAP_2 client configuration address respond
crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
!
crypto map SDM_CMAP_3 client authentication list sdm_vpn_xauth_ml_10
crypto map SDM_CMAP_3 isakmp authorization list sdm_vpn_group_ml_10
crypto map SDM_CMAP_3 client configuration address respond
crypto map SDM_CMAP_3 65535 ipsec-isakmp dynamic SDM_DYNMAP_3
!
!
!
!
!
interface FastEthernet0/0
 description LAN Interface$FW_INSIDE$$ETH-LAN$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 106 in
 ip access-group 114 out
 ip helper-address 192.168.37.4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
 crypto map SDM_CMAP_3
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 no cdp enable
!
interface FastEthernet0/0.11
 encapsulation dot1Q 11
 ip address 192.168.5.1 255.255.255.0
 no cdp enable
!
interface Serial0/0
 description WAN Interface$FW_OUTSIDE$
 ip address (public_ip) 255.255.255.252
 ip access-group 113 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect sdm_ins_in_100 in
 ip inspect sdm_ins_out_100 out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 crypto map SDM_CMAP_1
!
interface Serial1/0
 description P2P to Branch Office
 ip address 192.168.7.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 ip route-cache flow
 service-module t1 timeslots 1-24
 service-policy output QOS
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.10
ip local pool SDM_POOL_4 192.168.37.1 192.168.37.254
ip local pool SDM_POOL_2 192.168.3.1
ip route 0.0.0.0 0.0.0.0 (public_ip) permanent
ip route 192.168.4.0 255.255.255.0 192.168.7.2 permanent
ip route 192.168.37.0 255.255.255.0 192.168.7.2 permanent
!
ip flow-top-talkers
 top 25
 sort-by bytes
 cache-timeout 100
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
no ip nat create flow-entries
ip nat inside source route-map SDM_RMAP_1 interface Serial0/0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark Network(s) to be NATed
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny   any
access-list 2 remark HTTP(S) Access to SDM
access-list 10 remark Permit Java
access-list 10 remark SDM_ACL Category=1
access-list 10 permit any
access-list 100 remark VTY Access
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip host 192.168.37.4 any
access-list 100 deny   ip any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   ip any any
access-list 101 remark VTY Access-class list
access-list 101 remark SDM_ACL Category=1
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.37.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark SDM_ACL Category=4
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.1
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.2
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.3
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.4
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.5
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.6
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.7
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.8
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.9
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.10
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.3.1
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.10
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.3.1
access-list 103 deny   ip 192.168.2.0 0.0.0.255 host 192.168.1.61
access-list 103 deny   ip any host 192.168.2.1
access-list 103 deny   ip any host 192.168.2.2
access-list 103 deny   ip any host 192.168.2.3
access-list 103 deny   ip any host 192.168.2.4
access-list 103 deny   ip any host 192.168.2.5
access-list 103 deny   ip any host 192.168.2.6
access-list 103 deny   ip any host 192.168.2.7
access-list 103 deny   ip any host 192.168.2.8
access-list 103 deny   ip any host 192.168.2.9
access-list 103 permit ip any host 192.168.2.10
access-list 103 deny   ip 192.168.1.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 103 deny   ip host 192.168.1.1 any
access-list 103 deny   ip any 192.168.37.0 0.0.0.255
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.1
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.2
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.3
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.4
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.5
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.6
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.7
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.8
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.9
access-list 103 permit ip 192.168.1.0 0.0.0.255 host 192.168.2.10
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.37.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 105 remark Test DNS ACL
access-list 105 permit udp any any eq domain
access-list 105 permit udp any eq domain any
access-list 106 permit ip host 192.168.2.1 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.2 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.3 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.4 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.5 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.6 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.7 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.8 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.9 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.10 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.3.1 192.168.37.0 0.0.0.255
access-list 106 permit ahp any host 192.168.1.1
access-list 106 permit esp any host 192.168.1.1
access-list 106 permit udp any host 192.168.1.1 eq isakmp
access-list 106 permit udp any host 192.168.1.1 eq non500-isakmp
access-list 106 permit ip host 192.168.3.1 192.168.1.0 0.0.0.255
access-list 106 permit ip 192.168.37.0 0.0.0.255 192.0.0.0 0.255.255.255
access-list 106 permit ip host 192.168.2.10 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.3 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.1 192.168.1.0 0.0.0.255
access-list 106 deny   ip (public_ip) 0.0.0.3 any
access-list 106 deny   ip host 255.255.255.255 any
access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
access-list 106 permit ip any any
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.10
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.9
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.8
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.7
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.6
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.5
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.4
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.3
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.2
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.1
access-list 111 permit ip host 192.168.1.60 any
access-list 111 remark SDM_ACL Category=2
access-list 113 remark WAN Interface Inbound
access-list 113 remark SDM_ACL Category=1
access-list 113 permit tcp host 165.248.35.72 any
access-list 113 permit ip host 192.168.2.1 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.2 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.3 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.4 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.5 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.6 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.7 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.8 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.9 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.10 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.3.1 192.168.37.0 0.0.0.255
access-list 113 permit ahp any host (public_ip)
access-list 113 permit esp any host (public_ip)
access-list 113 permit udp any host (public_ip) eq isakmp
access-list 113 permit udp any host (public_ip) eq non500-isakmp
access-list 113 permit ip host 192.168.3.1 192.168.1.0 0.0.0.255
access-list 113 permit ip 192.168.37.0 0.0.0.255 192.0.0.0 0.255.255.255
access-list 113 permit ip host 192.168.2.10 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.3 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.1 192.168.1.0 0.0.0.255
access-list 113 deny   ip 192.168.1.0 0.0.0.255 any
access-list 113 permit icmp any host (public_ip) echo-reply
access-list 113 permit icmp any host (public_ip) time-exceeded
access-list 113 permit icmp any host (public_ip) unreachable
access-list 113 permit ahp any host (public_ip) log
access-list 113 permit tcp any host (public_ip) eq 22
access-list 113 permit tcp any host (public_ip) eq cmd
access-list 113 deny   ip 10.0.0.0 0.255.255.255 any
access-list 113 deny   ip 172.16.0.0 0.15.255.255 any
access-list 113 deny   ip 192.168.0.0 0.0.255.255 any
access-list 113 deny   ip 127.0.0.0 0.255.255.255 any
access-list 113 deny   ip host 255.255.255.255 any
access-list 113 deny   ip host 0.0.0.0 any
access-list 113 permit esp any host (public_ip) log
access-list 113 permit udp any host (public_ip) eq non500-isakmp log
access-list 113 permit udp any host (public_ip) eq isakmp log
access-list 113 permit ip host 192.168.2.1 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.3 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.10 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.3.1 192.168.1.0 0.0.0.255 log
access-list 113 permit tcp any host (public_ip) eq 443
access-list 113 permit tcp any host (public_ip) eq smtp
access-list 113 permit tcp any host (public_ip) eq www
access-list 113 deny   ip any any log
access-list 114 permit ip any any
access-list 114 remark LAN Interface Outbound
access-list 114 remark SDM_ACL Category=17
access-list 121 permit ip 192.168.37.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 121 remark SDM_ACL Category=1
snmp-server community public RO
no cdp run
!
route-map SDM_RMAP_4 permit 1
 match ip address 110
!
route-map SDM_RMAP_5 permit 1
 match ip address 111
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
route-map SDM_RMAP_2 permit 1
 match ip address 108
!
route-map SDM_RMAP_3 permit 1
 match ip address 109
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 100 in
 transport input telnet ssh
line vty 5 15
 access-class 101 in
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
endversion 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 52000 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authentication login sdm_vpn_xauth_ml_4 local
aaa authentication login sdm_vpn_xauth_ml_5 local
aaa authentication login sdm_vpn_xauth_ml_6 local
aaa authentication login sdm_vpn_xauth_ml_7 local
aaa authentication login sdm_vpn_xauth_ml_8 local
aaa authentication login sdm_vpn_xauth_ml_9 local
aaa authentication login sdm_vpn_xauth_ml_10 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
aaa authorization network sdm_vpn_group_ml_4 local
aaa authorization network sdm_vpn_group_ml_5 local
aaa authorization network sdm_vpn_group_ml_6 local
aaa authorization network sdm_vpn_group_ml_7 local
aaa authorization network sdm_vpn_group_ml_8 local
aaa authorization network sdm_vpn_group_ml_9 local
aaa authorization network sdm_vpn_group_ml_10 local
!
aaa session-id common
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
ip dhcp smart-relay
ip dhcp relay information option
!
!
no ip bootp server
ip name-server 4.2.2.2
ip name-server 64.65.64.1
ip inspect name sdm_ins_in_100 dns
ip inspect name sdm_ins_in_100 https
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 http
ip inspect name sdm_ins_out_100 https
ip inspect name sdm_ins_out_100 http
ip inspect name sdm_ins_out_100 tcp
ip inspect name sdm_ins_out_100 udp
ip inspect name sdm_ins_out_100 ftp
ip inspect name SDM_LOW http
ip inspect name SDM_LOW https
!
!
!
!
!
class-map match-any VOICE
 match  dscp ef
!
!
policy-map QOS
 class VOICE
  priority 512

!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-des esp-md5-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
crypto dynamic-map SDM_DYNMAP_2 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
crypto dynamic-map SDM_DYNMAP_3 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_9
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_9
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto map SDM_CMAP_2 client authentication list sdm_vpn_xauth_ml_4
crypto map SDM_CMAP_2 isakmp authorization list sdm_vpn_group_ml_4
crypto map SDM_CMAP_2 client configuration address respond
crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
!
crypto map SDM_CMAP_3 client authentication list sdm_vpn_xauth_ml_10
crypto map SDM_CMAP_3 isakmp authorization list sdm_vpn_group_ml_10
crypto map SDM_CMAP_3 client configuration address respond
crypto map SDM_CMAP_3 65535 ipsec-isakmp dynamic SDM_DYNMAP_3
!
!
!
!
!
interface FastEthernet0/0
 description LAN Interface$FW_INSIDE$$ETH-LAN$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 106 in
 ip access-group 114 out
 ip helper-address 192.168.37.4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
 crypto map SDM_CMAP_3
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 no cdp enable
!
interface FastEthernet0/0.11
 encapsulation dot1Q 11
 ip address 192.168.5.1 255.255.255.0
 no cdp enable
!
interface Serial0/0
 description WAN Interface$FW_OUTSIDE$
 ip address (public_ip) 255.255.255.252
 ip access-group 113 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect sdm_ins_in_100 in
 ip inspect sdm_ins_out_100 out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 crypto map SDM_CMAP_1
!
interface Serial1/0
 description P2P to Branch Office
 ip address 192.168.7.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 ip route-cache flow
 service-module t1 timeslots 1-24
 service-policy output QOS
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.10
ip local pool SDM_POOL_4 192.168.37.1 192.168.37.254
ip local pool SDM_POOL_2 192.168.3.1
ip route 0.0.0.0 0.0.0.0 (public_ip) permanent
ip route 192.168.4.0 255.255.255.0 192.168.7.2 permanent
ip route 192.168.37.0 255.255.255.0 192.168.7.2 permanent
!
ip flow-top-talkers
 top 25
 sort-by bytes
 cache-timeout 100
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
no ip nat create flow-entries
ip nat inside source route-map SDM_RMAP_1 interface Serial0/0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark Network(s) to be NATed
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny   any
access-list 2 remark HTTP(S) Access to SDM
access-list 10 remark Permit Java
access-list 10 remark SDM_ACL Category=1
access-list 10 permit any
access-list 100 remark VTY Access
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip host 192.168.37.4 any
access-list 100 deny   ip any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   ip any any
access-list 101 remark VTY Access-class list
access-list 101 remark SDM_ACL Category=1
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.37.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark SDM_ACL Category=4
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.1
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.2
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.3
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.4
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.5
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.6
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.7
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.8
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.9
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.10
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.3.1
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.10
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.3.1
access-list 103 deny   ip 192.168.2.0 0.0.0.255 host 192.168.1.61
access-list 103 deny   ip any host 192.168.2.1
access-list 103 deny   ip any host 192.168.2.2
access-list 103 deny   ip any host 192.168.2.3
access-list 103 deny   ip any host 192.168.2.4
access-list 103 deny   ip any host 192.168.2.5
access-list 103 deny   ip any host 192.168.2.6
access-list 103 deny   ip any host 192.168.2.7
access-list 103 deny   ip any host 192.168.2.8
access-list 103 deny   ip any host 192.168.2.9
access-list 103 permit ip any host 192.168.2.10
access-list 103 deny   ip 192.168.1.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 103 deny   ip host 192.168.1.1 any
access-list 103 deny   ip any 192.168.37.0 0.0.0.255
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.1
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.2
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.3
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.4
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.5
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.6
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.7
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.8
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.9
access-list 103 permit ip 192.168.1.0 0.0.0.255 host 192.168.2.10
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.37.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 105 remark Test DNS ACL
access-list 105 permit udp any any eq domain
access-list 105 permit udp any eq domain any
access-list 106 permit ip host 192.168.2.1 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.2 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.3 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.4 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.5 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.6 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.7 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.8 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.9 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.10 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.3.1 192.168.37.0 0.0.0.255
access-list 106 permit ahp any host 192.168.1.1
access-list 106 permit esp any host 192.168.1.1
access-list 106 permit udp any host 192.168.1.1 eq isakmp
access-list 106 permit udp any host 192.168.1.1 eq non500-isakmp
access-list 106 permit ip host 192.168.3.1 192.168.1.0 0.0.0.255
access-list 106 permit ip 192.168.37.0 0.0.0.255 192.0.0.0 0.255.255.255
access-list 106 permit ip host 192.168.2.10 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.3 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.1 192.168.1.0 0.0.0.255
access-list 106 deny   ip (public_ip) 0.0.0.3 any
access-list 106 deny   ip host 255.255.255.255 any
access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
access-list 106 permit ip any any
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.10
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.9
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.8
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.7
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.6
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.5
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.4
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.3
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.2
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.1
access-list 111 permit ip host 192.168.1.60 any
access-list 111 remark SDM_ACL Category=2
access-list 113 remark WAN Interface Inbound
access-list 113 remark SDM_ACL Category=1
access-list 113 permit tcp host 165.248.35.72 any
access-list 113 permit ip host 192.168.2.1 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.2 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.3 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.4 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.5 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.6 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.7 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.8 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.9 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.10 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.3.1 192.168.37.0 0.0.0.255
access-list 113 permit ahp any host (public_ip)
access-list 113 permit esp any host (public_ip)
access-list 113 permit udp any host (public_ip) eq isakmp
access-list 113 permit udp any host (public_ip) eq non500-isakmp
access-list 113 permit ip host 192.168.3.1 192.168.1.0 0.0.0.255
access-list 113 permit ip 192.168.37.0 0.0.0.255 192.0.0.0 0.255.255.255
access-list 113 permit ip host 192.168.2.10 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.3 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.1 192.168.1.0 0.0.0.255
access-list 113 deny   ip 192.168.1.0 0.0.0.255 any
access-list 113 permit icmp any host (public_ip) echo-reply
access-list 113 permit icmp any host (public_ip) time-exceeded
access-list 113 permit icmp any host (public_ip) unreachable
access-list 113 permit ahp any host (public_ip) log
access-list 113 permit tcp any host (public_ip) eq 22
access-list 113 permit tcp any host (public_ip) eq cmd
access-list 113 deny   ip 10.0.0.0 0.255.255.255 any
access-list 113 deny   ip 172.16.0.0 0.15.255.255 any
access-list 113 deny   ip 192.168.0.0 0.0.255.255 any
access-list 113 deny   ip 127.0.0.0 0.255.255.255 any
access-list 113 deny   ip host 255.255.255.255 any
access-list 113 deny   ip host 0.0.0.0 any
access-list 113 permit esp any host (public_ip) log
access-list 113 permit udp any host (public_ip) eq non500-isakmp log
access-list 113 permit udp any host (public_ip) eq isakmp log
access-list 113 permit ip host 192.168.2.1 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.3 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.10 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.3.1 192.168.1.0 0.0.0.255 log
access-list 113 permit tcp any host (public_ip) eq 443
access-list 113 permit tcp any host (public_ip) eq smtp
access-list 113 permit tcp any host (public_ip) eq www
access-list 113 deny   ip any any log
access-list 114 permit ip any any
access-list 114 remark LAN Interface Outbound
access-list 114 remark SDM_ACL Category=17
access-list 121 permit ip 192.168.37.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 121 remark SDM_ACL Category=1
snmp-server community public RO
no cdp run
!
route-map SDM_RMAP_4 permit 1
 match ip address 110
!
route-map SDM_RMAP_5 permit 1
 match ip address 111
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
route-map SDM_RMAP_2 permit 1
 match ip address 108
!
route-map SDM_RMAP_3 permit 1
 match ip address 109
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 100 in
 transport input telnet ssh
line vty 5 15
 access-class 101 in
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
0
CanalInsCommented:
Here you go. I hope this helps. I took the lines from the config and showed you how to tell if they are being applied




FastEthernet0/0 - access lists 106 and 114 applied here
ip access-group 106 in        
ip access-group 114 out



interface Serial0/0 - access list 113 applied here
ip access-group 113 in


ip http access-class 2 - access list 2 applied here


ip nat inside source route-map SDM_RMAP_1 interface Serial0/0 overload  (SDM_RMAP_1 is aplied here, but below you can see that this also uses access-list 103)





route-map SDM_RMAP_4 permit 1
match ip address 110 - uses 110
!
route-map SDM_RMAP_5 permit 1
match ip address 111 - uses 111
!
route-map SDM_RMAP_1 permit 1
match ip address 103 - uses 103
!
route-map SDM_RMAP_2 permit 1
match ip address 108 - uses 108
!
route-map SDM_RMAP_3 permit 1
match ip address 109 - uses 109



line vty 0 4
access-class 100 in - uses 100


line vty 5 15
access-class 101 in - uses 101
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
lrmooreCommented:
route-map SDM_RMAP_1  is the only route-map actually being used, so really acls 110, 111, 108 and 109 can go away along with their respective route-maps.

acl 100 and 101 are the same and both are applied to different vty line groups. Recommend a single acl with a single line group, i.e.
 line vty 0 15
  access-class 100

Then remove acl 101

acl 2 is also same as 100 and 101, applied to http, so pick one of the 3 and apply it to all access class places.

Acl 104 is permit ip any any which is not necessary to apply, so you can remove it from the interface, then remove the acl.

Acl 106 also ends up with permit ip any any and is virtually useless and can be removed from the interface and deleted

Except for 3 of the last 4 entries of acl 113, it makes no sense at all and should be re-worked. After all, you do have the firewall inspect rules applied.

Overall, it seems like somebody got really happy with learning how acls work and just went to town.
 Time to re-evaluate the whole config.
0
katredrumAuthor Commented:
I would like to implement your suggestion regarding acl 100 and 101, but do not know what the difference is between line vty 0 4 and line vty 5 15. I remember it being some kind of permission with 15 being the highest but it's been a long time.

If I consolidate using your command line vty 0 15 will that allow both user's access to the router? We have a third party vendor for our phones that needs access to the router.

I believe acl 2 is for http for the sdm but not acl 100 and 101, those are for line vty access.

Do you know what acl 1 is for? I can't seem to figure that one out.
0
lrmooreCommented:
Does not look like acl 1 is applied anywhere.
The vty lines are telnet sessions into the router. By default it supports up to 16 simultanenous telnet sessions to the router itself. You cannot determine which group you will be assigned, except they are first come first served. Lines vty 0 4 must be exhausted with concurrent sessions before line vty 5 will be used. I would simply use acl 100 on 0-15 and delete 101 because 101 will virtually never be used and 100 includes the same subnet.
Acl 103 is a total mess. Since it is applied to the NAT process for the sole purpose of bypassing nat between the local lan and the VPN clients, it can be consolidated down to a simple acl like this:
 access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 access-list 103 permit ip any any
Done.
0
katredrumAuthor Commented:
Does access-list 103 have to have the deny entry before the permit entry? Also does this ACL also have a implicit deny at the end of the ACL?

Thanks for taking the time to help me understand this. I appreciate it a lot.


0
katredrumAuthor Commented:
I also am trying to consolidate the line vty 0 4 and line vty 5 15 but am running into an error. I can delete vty 5 15 but when I try to add a new line for vty 0 15 it just adds the line vty 5 15 again. So then i try to delete both vty 0 4 and 5 15, i can delete vty 5 15 but get this error when i try to delete vty 0 4.


Cisco(config)#no line vty 0 4
% Can't delete last 5 VTY lines

Is there a way to edit this instead of deleting it? I can't seem to consolidate to make the line vty 0 15.
0
lrmooreCommented:
Yes, acl 103 has to have the deny line first. Since the acle is applied to nat, it is saying this:
If your IP address is 192.168.1.x and you are going to 192.168.2.x then you are denied from the nat process.
If your IP address is 192.168.1.x and you are going anyplace else, you are permitted to use NAT.

For the vty, just simply do this:

line vty 0 15
 access-class 100 in

If it still shows two different groups in the config, they should at least now have the same acl 100, and you're done. Don't waste braincells trying to figure out why it shows up that way.

0
katredrumAuthor Commented:
Thank you so much for your input! I really appreciate it!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.