How to simplify access-list changes on a Cisco IOS router by using ACL sequence numbers, so that a single line can be inserted at the right position without rewriting the whole list.
Before you start you need to know three things:
1. Which access-list you need or want to change.
2. The exact name of the access-list, as written in the show running-config output.
3. Where in the access-list the new line has to go. Order matters: IOS evaluates an ACL top-down and stops at the first match, so a permit placed below a matching deny never takes effect.
1: First log on to your Cisco IOS router and enter configuration mode.
Jyrki-877-nlbeks69#conf t
Enter configuration commands, one per line. End with CNTL/Z.
2: Show the access-lists configured on the router. The do prefix runs an exec command from configuration mode. Note that | begin prints everything from the first match to the end of the configuration; on IOS releases that support it, | section ip access-list shows only the access-list blocks.
Jyrki-877-nlbeks69(config)#do sh run | begin ip access-list
3: You will get output like the one below. Remarks are part of the configuration but carry no sequence number and do not filter anything.
ip access-list extended ACL_Dialer10_IN
remark Deny internal networks
deny ip 192.168.21.0 0.0.0.255 any
remark Anti-spoofing
deny ip host 0.0.0.0 any
deny ip host 255.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
remark dhcp van provider
permit udp any any eq bootpc
remark VPN
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any eq non500-isakmp any
permit esp any any
permit gre any any
permit tcp any any eq 1723
remark Standard WWW services
permit udp any any eq domain
permit udp any eq domain any
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq 22
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq www
permit tcp any any eq ident
permit tcp any any eq 443
permit tcp any any eq 143
permit tcp any any eq 993
remark GMAIL
permit tcp any any eq 995
remark Belastingdienst
permit tcp any any eq 587
remark Remote Desktop
permit tcp any any eq 3389
remark RWW
permit tcp any any eq 4125
permit udp any any eq 4125
remark LDAP
permit tcp any any eq 389
remark Rabobank Telebankieren Extra
permit tcp any any eq 2901
remark ABN-AMRO OfficeNet Extra
permit tcp host 193.172.44.45 any
permit tcp host 193.172.44.78 any
permit tcp host 194.151.107.44 any
permit tcp host 194.151.107.76 any
remark Windows Media
permit tcp any any eq 1755
remark Windows Messenger
permit tcp any any eq 1863
permit udp any any range 1024 65535
permit tcp any any range 6891 6900
remark Azureus Vuze
permit tcp any any eq 56740
remark NTP
permit udp any any eq ntp
remark SNMP
permit udp host 80.65.112.178 any eq snmp
permit udp 80.65.125.16 0.0.0.15 any eq snmp
remark ICMP
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any unreachable
deny icmp any any
deny tcp any range 0 65535 any range 0 65535
deny udp any range 0 65535 any range 0 65535
deny ip any any
4: Press q (or Ctrl+C) at the --More-- prompt to stop the output and return to the configuration prompt. Copy / paste the name of the access-list:
Jyrki-877-nlbeks69(config)#ip access-list extended ACL_Dialer10_IN
5: You are now in the extended access-list configuration sub-mode (note the config-ext-nacl prompt):
Jyrki-877-nlbeks69(config-ext-nacl)#
6: Show the access-list with the sequence numbers in front of each entry. IOS assigns these numbers automatically in steps of 10; they do not appear in the running-config, only in show ip access-list, together with the match counters.
Jyrki-877-nlbeks69(config-ext-nacl)#do sh ip access-list
Extended IP access list ACL_Dialer10_IN
10 deny ip 192.168.21.0 0.0.0.255 any
20 deny ip host 0.0.0.0 any
30 deny ip host 255.255.255.255 any
40 deny ip 10.0.0.0 0.255.255.255 any
50 deny ip 127.0.0.0 0.255.255.255 any
60 deny ip 169.254.0.0 0.0.255.255 any
70 deny ip 172.16.0.0 0.15.255.255 any
80 deny ip 192.168.0.0 0.0.255.255 any
90 deny ip 224.0.0.0 15.255.255.255 any
100 permit udp any any eq bootpc
110 permit udp any any eq isakmp
120 permit udp any any eq non500-isakmp
130 permit udp any eq non500-isakmp any
140 permit esp any any
150 permit gre any any
160 permit tcp any any eq 1723 (12 matches)
170 permit udp any any eq domain
180 permit udp any eq domain any (3 matches)
190 permit tcp any any eq ftp (77 matches)
200 permit tcp any any eq ftp-data (1 match)
210 permit tcp any any eq 22 (359 matches)
220 permit tcp any any eq smtp
230 permit tcp any any eq pop3 (8 matches)
240 permit tcp any any eq www (397 matches)
250 permit tcp any any eq ident
260 permit tcp any any eq 443 (205 matches)
270 permit tcp any any eq 143
280 permit tcp any any eq 993
290 permit tcp any any eq 995
300 permit tcp any any eq 587
310 permit tcp any any eq 3389 (23 matches)
320 permit tcp any any eq 4125
330 permit udp any any eq 4125
340 permit tcp any any eq 389
350 permit tcp any any eq 2901
360 permit tcp host 193.172.44.45 any
370 permit tcp host 193.172.44.78 any
380 permit tcp host 194.151.107.44 any
390 permit tcp host 194.151.107.76 any
400 permit tcp any any eq 1755
410 permit tcp any any eq 1863
420 permit udp any any range 1024 65535 (43302 matches)
430 permit tcp any any range 6891 6900
440 permit tcp any any eq 56740 (795300 matches)
450 permit udp any any eq ntp
460 permit udp any any eq snmp
470 permit udp any any eq snmp
480 permit icmp any any echo (242 matches)
490 permit icmp any any echo-reply
500 permit icmp any any packet-too-big
510 permit icmp any any time-exceeded (17 matches)
520 permit icmp any any unreachable (2491 matches)
530 deny icmp any any (9 matches)
540 deny tcp any range 0 65535 any range 0 65535 (1212 matches)
550 deny udp any range 0 65535 any range 0 65535 (47 matches)
560 deny ip any any
7: Copy the existing line that the new entry must follow and modify the copy: give it a sequence number that is still free between that line and the next one (here 341, between 340 and 350) and change the protocol or port as needed. The first line below is the copied original (entry 340, unchanged); the second is the modified copy that adds TCP port 873 (rsync). If two neighbouring entries have no free number left between them, renumber the list first with ip access-list resequence ACL_Dialer10_IN 10 10 and then insert.
Jyrki-877-nlbeks69(config-ext-nacl)#340 permit tcp any any eq 389
Jyrki-877-nlbeks69(config-ext-nacl)#341 permit tcp any any eq 873
8: Check that the change is in place with show ip access-list. The new entry shows up at its sequence position; the existing entries and their match counters are untouched.
Jyrki-877-nlbeks69(config-ext-nacl)#do sh ip access-list
Extended IP access list ACL_Dialer10_IN
10 deny ip 192.168.21.0 0.0.0.255 any
20 deny ip host 0.0.0.0 any
30 deny ip host 255.255.255.255 any
40 deny ip 10.0.0.0 0.255.255.255 any
50 deny ip 127.0.0.0 0.255.255.255 any
60 deny ip 169.254.0.0 0.0.255.255 any
70 deny ip 172.16.0.0 0.15.255.255 any
80 deny ip 192.168.0.0 0.0.255.255 any
90 deny ip 224.0.0.0 15.255.255.255 any
100 permit udp any any eq bootpc
110 permit udp any any eq isakmp
120 permit udp any any eq non500-isakmp
130 permit udp any eq non500-isakmp any
140 permit esp any any
150 permit gre any any
160 permit tcp any any eq 1723 (12 matches)
170 permit udp any any eq domain
180 permit udp any eq domain any (3 matches)
190 permit tcp any any eq ftp (77 matches)
200 permit tcp any any eq ftp-data (1 match)
210 permit tcp any any eq 22 (359 matches)
220 permit tcp any any eq smtp
230 permit tcp any any eq pop3 (8 matches)
240 permit tcp any any eq www (397 matches)
250 permit tcp any any eq ident
260 permit tcp any any eq 443 (205 matches)
270 permit tcp any any eq 143
280 permit tcp any any eq 993
290 permit tcp any any eq 995
300 permit tcp any any eq 587
310 permit tcp any any eq 3389 (23 matches)
320 permit tcp any any eq 4125
330 permit udp any any eq 4125
340 permit tcp any any eq 389
341 permit tcp any any eq 873 <====
350 permit tcp any any eq 2901
360 permit tcp host 193.172.44.45 any
370 permit tcp host 193.172.44.78 any
380 permit tcp host 194.151.107.44 any
390 permit tcp host 194.151.107.76 any
400 permit tcp any any eq 1755
410 permit tcp any any eq 1863
420 permit udp any any range 1024 65535 (43302 matches)
430 permit tcp any any range 6891 6900
440 permit tcp any any eq 56740 (795300 matches)
450 permit udp any any eq ntp
460 permit udp any any eq snmp
470 permit udp any any eq snmp
480 permit icmp any any echo (242 matches)
490 permit icmp any any echo-reply
500 permit icmp any any packet-too-big
510 permit icmp any any time-exceeded (17 matches)
520 permit icmp any any unreachable (2491 matches)
530 deny icmp any any (9 matches)
540 deny tcp any range 0 65535 any range 0 65535 (1212 matches)
550 deny udp any range 0 65535 any range 0 65535 (47 matches)
560 deny ip any any
9: If the change is correct, leave configuration mode and save the configuration (wr is short for write memory). Sequence numbers themselves are not saved to NVRAM: after a reload IOS renumbers the entries in steps of 10 again, but their relative order, which is what determines the filtering result, is preserved.
Jyrki-877-nlbeks69(config-ext-nacl)#end
Jyrki-877-nlbeks69#wr
Building configuration…
[OK]
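As an added example, not part of the original page, the following Python script automates the one error-prone part of the procedure above: picking a sequence number that is actually free. It parses show ip access-list output (the embedded sample is a shortened, constructed version of the listing above), chooses a number between the anchor entry and the next one, emits the IOS commands to type, falls back to ip access-list resequence when two neighbouring entries leave no room, and refuses to place a new entry below a deny ip any any, where it could never match. The function names and the sample data are this example's own assumptions.

```python
"""Plan a sequence-numbered insert into a Cisco IOS named extended ACL.

Input is the text of `show ip access-list`; output is the list of IOS
configuration lines that insert a new entry directly after a chosen one.
"""
import re

# Constructed sample for this example: a shortened copy of the ACL shown on
# this page, with a match counter kept to show that it is parsed and ignored.
SAMPLE_SHOW_OUTPUT = """\
Extended IP access list ACL_Dialer10_IN
    10 deny ip 192.168.21.0 0.0.0.255 any
    20 deny ip host 0.0.0.0 any
    330 permit udp any any eq 4125
    340 permit tcp any any eq 389
    350 permit tcp any any eq 2901
    440 permit tcp any any eq 56740 (795300 matches)
    560 deny ip any any
"""

MAX_SEQ = 2147483647  # highest sequence number IOS accepts
HEADER_RE = re.compile(r"^Extended IP access list (\S+)")
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\(\d+ matche?s?\))?\s*$"
)


def parse_show_access_list(text):
    """Return (acl_name, [(seq, 'permit|deny ...'), ...]) sorted by sequence."""
    name, entries = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:  # strip the "(N matches)" counter, keep the ACE text
            entries.append((int(m.group(1)), f"{m.group(2)} {m.group(3)}"))
    entries.sort(key=lambda e: e[0])
    return name, entries


def free_sequence_after(entries, after_seq):
    """Sequence number strictly between after_seq and the next entry, or None.

    The midpoint is chosen so that room remains on both sides for later edits.
    After the last entry the usual +10 step is used.
    """
    seqs = [s for s, _ in entries]
    idx = seqs.index(after_seq)  # ValueError if the anchor does not exist
    if idx == len(seqs) - 1:
        return after_seq + 10 if after_seq + 10 <= MAX_SEQ else None
    candidate = (after_seq + seqs[idx + 1]) // 2
    return candidate if candidate > after_seq else None


def resequence(entries, start=10, step=10):
    """Mimic `ip access-list resequence NAME start step` on the parsed list."""
    return [(start + i * step, ace) for i, (_, ace) in enumerate(entries)]


def plan_insert(acl_name, entries, after_seq, new_ace, start=10, step=10):
    """IOS config lines that insert new_ace right after the entry after_seq."""
    idx = [s for s, _ in entries].index(after_seq)
    # A permit below an explicit deny-everything is dead: first match wins.
    if any(ace == "deny ip any any" for _, ace in entries[: idx + 1]):
        raise ValueError("new entry would be unreachable below 'deny ip any any'")
    cmds = []
    seq = free_sequence_after(entries, after_seq)
    if seq is None:  # no gap left: renumber first, then find the anchor again
        cmds.append(f"ip access-list resequence {acl_name} {start} {step}")
        entries = resequence(entries, start, step)
        after_seq = entries[idx][0]
        seq = free_sequence_after(entries, after_seq)
    cmds.append(f"ip access-list extended {acl_name}")
    cmds.append(f" {seq} {new_ace}")
    return cmds


if __name__ == "__main__":
    acl, aces = parse_show_access_list(SAMPLE_SHOW_OUTPUT)
    for cmd in plan_insert(acl, aces, 340, "permit tcp any any eq 873"):
        print(cmd)
```

Run it against a saved copy of your own show ip access-list output and paste the printed lines into configuration mode; the last planned line is always the only one that changes the filtering, so it is the one to read twice.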