David Ramsden

Editing Cisco IOS ACLs

If you’ve administered Cisco PIX or ASA security appliances, you’ll know how easy editing ACLs is. If you want to insert a new rule into an existing ACL, you can put it exactly where you want it. For example:

access-list outside_access_in line 12 permit tcp host 1.1.1.1 host 2.2.2.2 eq 80

This inserts the rule at position 12 of the outside_access_in ACL, pushing the existing rule at position 12 down to position 13 and renumbering everything that follows.

In Cisco IOS there’s no obvious way to do this when working with ACLs. A lot of the time people copy the ACL out, edit it in a text editor, “no access-list” the ACL and then paste the modified ACL back in. This does work, but it is risky when working remotely, because it is easy to lock yourself out of the IOS device. That happens if you don’t remove the ACL from its interfaces before deleting it.

But you can edit ACLs on the IOS device itself when using an extended ACL. Let’s create one (the original post omitted the protocol keyword; an extended ACL entry needs it, and “tcp” matches the show output below):

(config)# access-list 100 permit tcp host 1.1.1.1 host 2.2.2.2 eq 80
(config)# access-list 100 deny ip any any log

If you view this ACL, you’ll notice that each entry has a sequence number:

(config)#do sh access-list 100
Extended IP access list 100
    10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
    20 deny ip any any log

Let’s say you need to add another rule before the deny (sequence number 20). Enter the extended ACL sub-mode:

(config)# ip access-list extended 100

Now you can insert a new rule by giving it a sequence number lower than that of the deny rule (sequence 20):

(config-ext-nacl)# 15 permit tcp host 1.1.1.1 host 2.2.2.2 eq 443
(config-ext-nacl)# exit

If you view the ACL again, you’ll see the new rule in place:

(config)#do sh ip access-list 100
Extended IP access list 100
    10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
    15 permit tcp host 1.1.1.1 host 2.2.2.2 eq 443
    20 deny ip any any log

You can now resequence the ACL so that the sequence numbers are evenly spaced again. For example, if you want the sequence numbers to start at 10 and go up in increments of 10:

(config)#ip access-list resequence 100 10 10
(config)#do sh ip access-list 100
Extended IP access list 100
    10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
    20 permit tcp host 1.1.1.1 host 2.2.2.2 eq 443
    30 deny ip any any log

If you want to delete a specific rule, remove it by its sequence number and then resequence again:

(config)#ip access-list extended 100
(config-ext-nacl)#no 20
(config-ext-nacl)#exit
(config)#ip access-list resequence 100 10 10
(config)#do sh ip access-list 100
Extended IP access list 100
    10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
    20 deny ip any any log