[fw-wiz] RE: Cisco acls

Matthew.Harvey_at_usdoj.gov
Date: 03/02/05

    To: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 02 Mar 2005 13:00:24 -0500 (EST)

    Cisco's recommendation when updating ACLs is to un-apply the ACL from any interfaces to which it is applied, perform any editing or updates, and then re-apply the ACL. So if you follow their recommendation, you are unprotected in the intervening time (a minute or so, maybe? Depends on how complex the ACL is and how many interfaces use it).

    If you leave the ACL on while editing, all changes made to it take effect immediately, like most things in IOS. The main hazard there is that your last line is probably "permit any" (unless you're essentially using your router as a firewall), and from the time you start creating your ACL to the time you add that last line you are blocking nearly everything.

    A good solution is to create a NEW ACL with your new rules, and then apply that to the relevant interfaces. This makes for a nearly instantaneous transition.

    -----Original Message-----
    From: "Eric Appelboom" <eric@mweb.com>
    To: <firewall-wizards@honor.icsalabs.com>
    Subject: [fw-wiz] Cisco acls

    Hi,

    I would appreciate some comments with regard to the extensive use of Cisco router ACLs to protect numerous networks.

    My concern is that when someone amends an access-list, one generally enters "no access-list 177" and then pastes in the new access list. Does this mean that for a period of time there is no protection on the network to which the ACL applies?

    Best Regards
    Eric
    MWEB: S.A.'s trusted Internet Service Provider. Just Like that.
    To join, click here or call 08600 32000.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
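As an added illustration of the "build a new ACL, then swap it in" approach described above (this is not configuration from the original post), the following IOS session replaces numbered ACL 177 with 178; the rule contents, addresses (192.0.2.0/24 documentation range) and interface name are placeholders:

```cisco
configure terminal
! 1. Build the replacement list under an unused number. It is not bound
!    to any interface yet, so half-pasted rules block nothing.
access-list 178 remark replacement for 177, built before it is applied
access-list 178 permit tcp any host 192.0.2.10 eq 443
access-list 178 deny   ip any 192.0.2.0 0.0.0.255
access-list 178 permit ip any any
! 2. Bind the new list. An interface holds one inbound ACL, so this one
!    command replaces the binding to 177 in a single step.
interface GigabitEthernet0/0
 ip access-group 178 in
exit
! 3. Only now retire the old list.
no access-list 177
end
! Verify the binding and the new list's hit counters.
show ip interface GigabitEthernet0/0 | include access list
show ip access-lists 178
```

Repeat step 2 on every interface that referenced 177 before running step 3; "show ip interface" reports which lists are bound where.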

