Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.
Lost with Cisco access lists...
Hi,
I'm checking the configuration of one Cisco 890 series router and I'm a little bit confused about how access lists are set to interfaces.
The router has configured 7 extended access lists, but in the configuration I see that only one access list is set on vlan1 interface. On no other interfaces is set any other access list.
Also if I execute "show ip interface | include line protocol|access list" the situation is no different.
On the VLAN1 I can see set same one inbound access list. No others have set access list.
FE0 and FE8 have line protocol up, all others are down.
The strange thing is that if I execute "sh access-list" command, I can see that on TWO (one set on VLAN1 and another one) access lists are counted matches and the numbers are changing - so they are active and in use...
I know, that my cisco knowledge is a little rusty, but that much...
I would be very happy if someone could help me with this enigma.
Thank you!
I'm checking the configuration of one Cisco 890 series router and I'm a little bit confused about how access lists are set to interfaces.
The router has configured 7 extended access lists, but in the configuration I see that only one access list is set on vlan1 interface. On no other interfaces is set any other access list.
Also if I execute "show ip interface | include line protocol|access list" the situation is no different.
On the VLAN1 I can see set same one inbound access list. No others have set access list.
FE0 and FE8 have line protocol up, all others are down.
The strange thing is that if I execute "sh access-list" command, I can see that on TWO (one set on VLAN1 and another one) access lists are counted matches and the numbers are changing - so they are active and in use...
I know, that my cisco knowledge is a little rusty, but that much...
I would be very happy if someone could help me with this enigma.
Thank you!
Asked:
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Can you attach the config for us to have a look at, suitably sanitised to hide any personal information of course.
Thanks for your answers.
Yes, I know, that I can assign max two access lists to each interface - inbound and outbound.
What is confusing me that I have configured multiple access lists, but only one is assigned to an interface. All others have no assignation, but at least another one is active - which I presume from changes in number of matched packets.
If access list is used for let say NAT, it is probably not assigned to an interface?
Or they always needs to be assigned to an interface?
If not, how do I know it is used for NAT or something else?
Right now I don't have access to the configuration, but in VLAN1 configuration section is only line something like: "access-group stop_in in"
And there are then just configurations of access-lists themself
access-list extended stop_in...
permit...
permit...
deny...
access-list extended inbound
permit...
deny...
access-list extended vpn_client_name
permit...
...
(Sorry for bad example)
Yes, I know, that I can assign max two access lists to each interface - inbound and outbound.
What is confusing me that I have configured multiple access lists, but only one is assigned to an interface. All others have no assignation, but at least another one is active - which I presume from changes in number of matched packets.
If access list is used for let say NAT, it is probably not assigned to an interface?
Or they always needs to be assigned to an interface?
If not, how do I know it is used for NAT or something else?
Right now I don't have access to the configuration, but in VLAN1 configuration section is only line something like: "access-group stop_in in"
And there are then just configurations of access-lists themself
access-list extended stop_in...
permit...
permit...
deny...
access-list extended inbound
permit...
deny...
access-list extended vpn_client_name
permit...
...
(Sorry for bad example)
If access list is used for let say NAT, it is probably not assigned to an interface?No, it is not. ACl applies to NAT in statement like
ip nat inside source list 10 ....
Many access lists are never applied to interfaces...
route map PBR permit 10
match ip address 10
set next-hop 192.168.0.2
in both cases access-list 10 is used and it is not applied to any interface
If you post the config, that would help.
But I see this all the time. People create a new ACL, apply it to an interface that had an old ACL. But then they leave the old ACL's.
I've run across routers that have literally dozens of unused ACL's. Some dating back 3 or 4 years.
But I see this all the time. People create a new ACL, apply it to an interface that had an old ACL. But then they leave the old ACL's.
I've run across routers that have literally dozens of unused ACL's. Some dating back 3 or 4 years.
I will need to check the configuration again, but knowing that some access lists have very specific names like NOSPAM, VPN-CLIENT I'm pretty sure that are not mentioned anywhere except at acl configuration.
But there are some not so specific like NAT, INBOUND that I will need to double check. I think that at least acl named NAT is the one that is confirmed to be active. But at least they they are not named with numbers :)
Do you have any link where are listed most of the examples of how can be access lists used?
@Don: That was also my thought, but then I saw that another presumably unused acl is in fact active. That confused me. Is it possible that some acls do not count matched packets?
I will post my findings tomorrow. Thank you for your help!
But there are some not so specific like NAT, INBOUND that I will need to double check. I think that at least acl named NAT is the one that is confirmed to be active. But at least they they are not named with numbers :)
Do you have any link where are listed most of the examples of how can be access lists used?
@Don: That was also my thought, but then I saw that another presumably unused acl is in fact active. That confused me. Is it possible that some acls do not count matched packets?
I will post my findings tomorrow. Thank you for your help!
I guess best way to check are some ACLs active is to check are they used somewhere.
# show access-lists
# show run | incl <ACL name> <-- in this example above it is 99
If only ACL is listed, then it is not in use.
And also before you delete any access list, at least create backup of running config on flash.
# copy run flash:
# show access-lists
# show access-lists
Standard IP access list 99
10 permit 192.168.0.0, wildcard bits 0.0.255.255 (296002 matches)
# show run | incl <ACL name> <-- in this example above it is 99
#sh run | incl 99
access-list 99 permit 192.168.0.0 0.0.255.255
ip nat source list 99 interface FastEthernet4 overload
If only ACL is listed, then it is not in use.
And also before you delete any access list, at least create backup of running config on flash.
# copy run flash:
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
Here are results of the access list lookup:
access-lists.txt
Can you please confirm my thinking:
- acl MAIL is active and applied to VLAN1 int.
- acl EXTERNAL is inactive
- acl NAT is active and applies to NAT config on int Fe8
- acl NOMAIL is inactive
- acl OUTSIDE is inactive
- both acl VPN-CLIENT1 & 2 are active, applied to VPN dial-in, but apparently not in use lately - no matches displayed in "sh access-lists"
I hope I'm correct.
access-lists.txt
Can you please confirm my thinking:
- acl MAIL is active and applied to VLAN1 int.
- acl EXTERNAL is inactive
- acl NAT is active and applies to NAT config on int Fe8
- acl NOMAIL is inactive
- acl OUTSIDE is inactive
- both acl VPN-CLIENT1 & 2 are active, applied to VPN dial-in, but apparently not in use lately - no matches displayed in "sh access-lists"
I hope I'm correct.
Yes, it is always good to have backup...
Can I pigtail this thread with another related yes/no question:
If there is configured another access list with name "inside" it probably has nothing to do with "ip nat inside" commands?
Examples:
interface Vlan1
description inside
ip address 192.168.1.1 255.255.255.0
ip inspect fw out
ip nat inside
or
ip nat inside source list nonat interface Dialer1 overload
ip nat inside source static tcp 192.168.1.3 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.3 1723 interface Dialer1 1723
Can I pigtail this thread with another related yes/no question:
If there is configured another access list with name "inside" it probably has nothing to do with "ip nat inside" commands?
Examples:
interface Vlan1
description inside
ip address 192.168.1.1 255.255.255.0
ip inspect fw out
ip nat inside
or
ip nat inside source list nonat interface Dialer1 overload
ip nat inside source static tcp 192.168.1.3 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.3 1723 interface Dialer1 1723
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers
From novice to tech pro — start learning today.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.
ACL in Cisco world are used for many things...
One ACL is probably for NAT, other who knows... (route-maps , class-maps, SNMP access......)