Trouble after deleting a couple of access-list in remote Cisco router

Dear experts,

I cannot reenter a few access-list command lines after I deleted a couple that were not needed. Actually they are gone now.

This is the part of the configuration that is causing the trouble.

interface FastEthernet0/0
 ip address 74.xx.yy114 255.255.255.2xx
 ip access-group 105 in <---------- here I was trying to edit and went wrong
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable

There are a bunch of access-lists:

ip nat inside source list 100 interface FastEthernet0/0 overload
!
ip access-list extended Inet-Connection
 permit tcp any host 74.yy.xx.113 established
 permit ip host 173.xx.yy.18 host 74.yy.xx.113
 
 permit ip host 12.xx.yy.121 host 74.yy.xx.113
!
ip radius source-interface Loopback22
access-list 99 permit 172.16.0.0 0.0.255.255
access-list 100 remark NAT Translations
access-list 100 deny   ip 172.16.16.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 deny   ip 172.16.16.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 deny   ip 172.16.17.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 deny   ip 172.16.17.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 172.16.17.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 173.xx.yy.0 0.0.0.255 any <--- 105 is gone now. I can't put it back.
access-list 105 permit ip 98.xx.yy.0 0.0.0.255 any
access-list 105 permit esp 98.xx.yy.0 0.0.0.255 any
access-list 105 permit esp 173.xx.yy.0 0.0.0.255 any
access-list 105 permit gre 173.xx.yy.0 0.0.0.255 any
access-list 105 permit gre 98.xx.yy.0 0.0.0.255 any
access-list 105 permit tcp any any established
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.0.31.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.0.0.255 any
access-list 105 deny   ip any any
access-list 105 permit gre 12.xx.yy.0 0.0.0.255 any
access-list 105 permit ip 12.xx.yy.0 0.0.0.255 any
access-list 105 permit esp 12.xx.yy.0 0.0.0.255 any
access-list 106 deny   ip any 172.16.0.0 0.0.255.255
access-list 106 deny   ip any 10.0.0.0 0.25


Everything that is "access-list 105" is no longer visible in the configuration.

How do I put them back? I am doing something wrong, because every time I try to re-enter them it disconnects me and I have to have someone in the remote location reboot the router so we can reconnect the VPN. They lose internet access.

Any thoughts on this much appreciated.

Regards, M
marceloNYC (Middle-Tier Administrator) asked:

rauenpc commented:
You need to remove the access-list from the interface first, and then try to add the access-list commands, and finish it by putting the acl back on the interface.
rauenpc commented:
Here's what happens. You probably did a "no access-list 105 blah blah", but that command removes the entire acl, not just the line. This is normal, but many times unfortunate. If you want to edit that acl, next time type in

show access-list 105
This will give you a numbered list of acl commands.
ip access-list extended 105
This will get you into ACL configuration mode. From here you can do a "no [line number]" to remove a command, or "[new line number] permit/deny blah blah" to insert a new acl command.

Back to the issue at hand. With the ACL applied to the interface and the ACL being removed, this causes the switch to allow any traffic through because it has no rules to go off of. Keep in mind that at the end of every ACL there is an implicit deny. This means that the second you enter a SINGLE line on the acl there is an implicit deny at the end. As of the first line you enter, now the interface has rules to follow including the implicit deny.
So you enter
access-list 105 permit ip 173.xx.yy.0 0.0.0.255 any
and if your connection doesn't qualify for that rule, the implicit deny cuts you off and you won't even get the chance to enter the rest of the rules. Time for a reboot.

So you'll probably have better luck doing this:

reload in 10
config t
interface FastEthernet0/0
no ip access-group 105 in
exit
[enter all acl commands, double-check they are in the config and in the correct order]
interface FastEthernet0/0
ip access-group 105 in
exit
exit
reload cancel
wr


The reload commands are just a CYA so you don't have to ask a local person to reboot the router if I'm wrong and you get locked out again.

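An added example, not code from the thread: a small first-match evaluator for numbered IOS ACLs that reproduces the lockout rauenpc describes. It treats an empty ACL as "no rules, permit all" (the state after "no access-list 105"), and an ACL with at least one line as ending in the implicit deny; the addresses are constructed stand-ins (203.0.113.0/24 for 173.xx.yy.0, 198.51.100.0/24 for 98.xx.yy.0, 192.0.2.1 for the router's outside address).

```python
import ipaddress

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' (contiguous wildcards assumed)."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1])))
    return ipaddress.IPv4Network((tok[0], str(mask)), strict=False), tok[2:]

def parse_ace(line):
    """'access-list N permit|deny PROTO SRC DST [established]' -> dict, or None."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list" or tok[2] == "remark":
        return None
    src, rest = _addr(tok[4:])
    dst, rest = _addr(rest)
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst,
            "established": "established" in rest}

def evaluate(acl, proto, src, dst, established=False):
    """Return (action, index). First match wins; index -1 is the implicit deny.
    An empty list models a deleted ACL: IOS then passes all traffic through the
    access-group, which is the state rauenpc describes."""
    if not acl:
        return "permit", None
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, ace in enumerate(acl):
        if ace["proto"] not in ("ip", proto) or s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["established"] and not established:   # needs ACK or RST set
            continue
        return ace["action"], i
    return "deny", -1

# Constructed, abbreviated copy of ACL 105 from the question (documentation prefixes as stand-ins).
ACL_105 = [a for a in map(parse_ace, """\
access-list 105 permit ip 203.0.113.0 0.0.0.255 any
access-list 105 permit ip 198.51.100.0 0.0.0.255 any
access-list 105 permit esp 203.0.113.0 0.0.0.255 any
access-list 105 permit tcp any any established
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip any any
""".splitlines()) if a]

def admin_session(acl):
    """Constructed admin SSH session: mid-connection packet (ACK set) arriving
    inbound on Fa0/0 from 192.0.2.10 to the router's outside address 192.0.2.1."""
    return evaluate(acl, "tcp", "192.0.2.10", "192.0.2.1", established=True)

print("ACL deleted:    ", admin_session([]))            # ('permit', None)
print("first line only:", admin_session(ACL_105[:1]))   # ('deny', -1)  -> locked out
print("full ACL:       ", admin_session(ACL_105))       # ('permit', 3)  via established
```

The middle case is the lockout: once a single line of 105 exists, the implicit deny is back and the admin's own session no longer matches anything until the "established" line has been re-entered, which is why the ACL is removed from the interface first.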
Don Johnston (Instructor) commented:
If you haven't saved the config, the 105 ACL is probably still in the startup-config.

Do a "show startup" then copy the access-list 105 commands and paste them into a text editor. Then you can paste them back into the running config.
marceloNYC (Middle-Tier Administrator, Author) commented:
Thank you so much! You too donjohnston thank you.