Re: [fw-wiz] Cisco acls

From: Daniel Linder (dan_at_linder.org)
Date: 03/01/05

    To: "Eric Appelboom" <eric@mweb.com>
    Date: Mon, 28 Feb 2005 19:41:34 -0600 (CST)
    
    


    Eric Appelboom wrote:
    > My concern is that when someone amends an access-list one generally
    > enters, no access-list 177 and
    > Then pastes in the new access list. Does this mean that for a period of
    > time there is no protection on the Network that the acls applies?

    Not in my unfortunate experience... Each ACL has an un-written "deny all"
    as the last line. In my experiences, doing the "no access-list 177"
    removes the ACL, but the application of that ACL to interfaces is still
    there. Since the "access-list 177" is blank, it is by default a "deny
    all" for all traffic until the lines are re-entered.

    In our case, we would login to the router, do a "show access-list 177",
    copy that output to a text editor, save the original, make the
    modifications, issue the "no access-list 177", then paste in the config
    back to the router.

    Don't change an ACL on the link you are accessing the router through!
    Just a word of warning from someone who has been there and done just that!

    Dan

    - - - - -
    "I do not fear computer,
    I fear the lack of them."
     -- Isaac Asimov
    GPG fingerprint:9EE8 ABAE 10D3 0B55 C536 E17A 3620 4DCA A533 19BF

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
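One way to avoid the unprotected window Dan describes is to never issue "no access-list 177" while that list is still bound to an interface: load the replacement rules under a spare ACL number, re-bind the interface in a single "ip access-group" command, and only then delete the old list. The generator below is an added example, not code from the thread; the ACL numbers, rule text and interface names are constructed, and the management-interface guard implements Dan's closing warning.

```python
"""Emit an IOS config snippet that hot-swaps a numbered ACL.

The old list stays bound (and filtering) until the new one is attached,
so there is no moment at which the interface has an empty list applied.
All ACL numbers, rules and interface names below are constructed samples.
"""
from typing import List


def ensure_explicit_deny(rules: List[str]) -> List[str]:
    """Append a logged deny-all unless the list already ends with a deny.

    The implicit deny is silent; an explicit one with 'log' makes the
    blocked traffic visible in syslog, which helps verify the new list.
    """
    if rules and rules[-1].strip().startswith("deny"):
        return list(rules)
    return list(rules) + ["deny ip any any log"]


def swap_acl_config(old_acl: int, new_acl: int, new_rules: List[str],
                    interface: str, direction: str,
                    mgmt_interface: str = "") -> List[str]:
    """Return IOS config lines that replace old_acl with new_acl on interface.

    Raises ValueError if the interface is the one the management session
    arrives on, or if the arguments are inconsistent.
    """
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    if old_acl == new_acl:
        raise ValueError("new ACL number must differ from the old one")
    if mgmt_interface and interface == mgmt_interface:
        raise ValueError(f"refusing to edit the ACL on management path {interface}")

    lines = ["configure terminal"]
    # Step 1: build the replacement under a fresh number. The old list is
    # still bound to the interface during this step, so filtering continues.
    for rule in ensure_explicit_deny(new_rules):
        lines.append(f"access-list {new_acl} {rule}")
    # Step 2: re-bind the interface. One command, no unbound window.
    lines += [f"interface {interface}",
              f" ip access-group {new_acl} {direction}",
              " exit"]
    # Step 3: remove the old list only after nothing references it.
    lines += [f"no access-list {old_acl}", "end"]
    return lines
```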
