Multiple ACLs on one Interface?

Status
Not open for further replies.

MKW

IS-IT--Management
Jun 12, 2001
46
US
Is it possible to apply more than one ACL to a single interface? I need to block a certain address from sending mail to our server, but when I add the following entry:

deny tcp host 207.xxx.xxx.xxx any

it gets put at the bottom of the list below the entry that allows smtp traffic in.

So I was wondering if I could write a new list and apply that before it went to the next list. Any help or suggestions would be great. I need to stop this guy; 527 mail messages and counting.
 
If memory serves correctly, you get one access list per interface. You will need to build a new list, which is as simple as a cut and paste of the old one plus your mods. Just delete the current one first. Don't forget that there is a "deny all" at the end of the access list even if you don't add it to the text. So remember to let something through at the last line :)

MikeS
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
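The ordering problem in the question and the implicit deny MikeS mentions both come from the same rule: an IOS access list is evaluated top to bottom, the first matching line decides, and a packet that matches nothing is dropped. The evaluator below is an added example (not code from this thread or from Cisco) that implements that first-match rule for a small subset of extended ACL syntax and compares the poster's situation (deny appended after the SMTP permit) with the corrected order. The list contents, the mail server address 192.0.2.25 and the blocked host 203.0.113.45 are constructed for the illustration.

```python
# Added example: minimal first-match evaluator for a subset of Cisco IOS
# extended access-list syntax, used to show why line order matters and how
# the implicit "deny any" at the end of every list behaves.
import ipaddress


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (ip_network, next index).
    Accepts 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (IOS wildcard mask)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # A wildcard mask is the bitwise inverse of a netmask.
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_entry(line):
    """Parse '<permit|deny> <proto> <src> <dst> [eq <port>]' into a dict."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = int(tokens[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "text": line}


def evaluate(acl, proto, src, dst, dport):
    """Return (verdict, matching line). First match wins; no match means the
    implicit deny at the end of the list applies."""
    for e in acl:
        if e["proto"] not in ("ip", proto):          # 'ip' matches every protocol
            continue
        if ipaddress.ip_address(src) not in e["src"]:
            continue
        if ipaddress.ip_address(dst) not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], e["text"]
    return "deny", "<implicit deny any at end of list>"


# Constructed addresses (RFC 5737 documentation ranges), not the poster's.
MAIL_SERVER = "192.0.2.25"
BLOCKED_HOST = "203.0.113.45"

# The poster's situation: the new deny landed below the SMTP permit.
APPENDED = [parse_entry(l) for l in [
    "permit tcp any host 192.0.2.25 eq 25",
    "deny tcp host 203.0.113.45 any",      # never reached for SMTP traffic
]]
# The corrected list: the specific deny precedes the general permit.
REORDERED = [parse_entry(l) for l in [
    "deny tcp host 203.0.113.45 any",
    "permit tcp any host 192.0.2.25 eq 25",
]]


def verdicts():
    """Verdicts for the same SMTP connection under both orderings, plus two
    probes of the corrected list (a different sender, and a non-SMTP port)."""
    return {
        "appended": evaluate(APPENDED, "tcp", BLOCKED_HOST, MAIL_SERVER, 25)[0],
        "reordered": evaluate(REORDERED, "tcp", BLOCKED_HOST, MAIL_SERVER, 25)[0],
        "other_sender": evaluate(REORDERED, "tcp", "198.51.100.7", MAIL_SERVER, 25)[0],
        "other_port": evaluate(REORDERED, "tcp", "198.51.100.7", MAIL_SERVER, 80)[0],
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name}: {verdict}")
```

The "other_port" probe is the point MikeS makes: nothing in the corrected list permits port 80, so the packet falls through to the implicit deny. Whatever you leave at the bottom of the real list is what decides everything the earlier lines did not name.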
 
Create all your ACLs as Word documents. This way, you can make changes to them without having to write the whole list again. You may have two IP access lists per interface, as long as they are not going in the same direction (i.e. one inbound and one outbound).

Dan,
 
OK, the inbound/outbound ACLs make sense. My question is, once I have the Word document created, how do I get that into the router's memory? The router is upstairs in a locked room, so the only way I have to get at it is through the LAN; the company won't spring for a laptop, cabling, or a dedicated PC to console in. I have a TFTP server set up that I use to back up the flash memory and IOS.
 
MKW --

All you have to do is open a telnet session with the router (preferably to an interface that does not have the ACL).

1. Copy the new ACL to the computer's clipboard.
2. Delete the old ACL on the router.
3. Choose "EDIT" then "PASTE" on the telnet window.

This should paste the new ACL into the router's running-config and make it available to use.

EX:

I edit access-list 101 in Word.
Copy the new list to the system clipboard.
Open a Telnet session with the router.
Enter Global Config (config t).
Type no access-list 101.
Then choose "EDIT" then "PASTE" on my Telnet session.

If my access-list is in proper syntax the router will accept it and process it.

Make sure you write the new config to NVRAM (speaking from experience).

david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*
 
SOBAK,

I just tried that out. Do I have to put the commands in front of the info I cut and paste in? Do I have to do it one line at a time? I tried it out on a test ACL first, and this is what I got:

Made this list:

Standard IP access list 1
permit any
deny all

This is what I did and got back:

MTI1605R(config)#Standard IP access list 1
^
% Invalid input detected at '^' marker.

MTI1605R(config)# permit any
^
% Invalid input detected at '^' marker.

MTI1605R(config)# deny all
^
% Invalid input detected at '^' marker.

MTI1605R(config)# permit any
^
% Invalid input detected at '^' marker.

MTI1605R(config)# deny all show access-list
^
% Invalid input detected at '^' marker.

MTI1605R(config)#^Z
 
Hi, first open your telnet session, log onto the router, enter conf t and paste your access list in.
Here is an example to indicate the format (but don't use this list!!!!!)

access-list 1002 permit 2.0080.5f0d.b6e9 640
access-list 1002 permit 2.0080.5f85.9539 640
access-list 1002 permit 2.0080.5fed.defe 640
access-list 1002 permit 2.0008.c70d.7158 640
access-list 1002 permit 2.0080.5f23.e613 640
access-list 1002 permit 2.0080.5ff5.a859 640
access-list 1002 permit 2.0080.5f15.d4bf 640

Be careful and check your list is correct before pasting it in.

Bob ^^
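What went wrong in MKW's test is visible in the errors: the pasted lines were in the format of `show access-lists` output ("Standard IP access list 1" followed by bare "permit any"), whereas config mode, as Bob's example shows, wants every line prefixed with `access-list <number>`. The script below is an added example (not from this thread or from Cisco) that converts a captured `show access-lists` listing into the paste-ready block david e describes: `no access-list <n>` first, every entry re-created with the prefix, the new deny inserted in front of the first line that contains a chosen marker text, and `end` plus `write memory` at the tail so the change survives a reload. The sample listing, the list number 101, the marker `eq smtp` and the addresses are constructed for the illustration.

```python
# Added example: turn `show access-lists` output into config-mode lines that
# can be pasted into a telnet session, inserting a new entry at a chosen
# position instead of letting it fall to the bottom of the list.
import re

# "Standard IP access list 1" / "Extended IP access list 101"
HEADER = re.compile(r"^(Standard|Extended) IP access list (\d+)\s*$")
# Indented entry, optional leading sequence number (newer IOS) and optional
# trailing hit counter such as "(1203 matches)".
ENTRY = re.compile(
    r"^\s+(?:\d+\s+)?(permit|deny)\s+(.*?)(?:\s+\(\d+ match(?:es)?\))?\s*$"
)


def parse_show_output(text):
    """Return {list_number: [entry text, ...]} in the order the router shows."""
    lists, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(2)
            lists[current] = []
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            lists[current].append(f"{m.group(1)} {m.group(2)}")
    return lists


def build_config(number, entries, insert_before=None, new_entry=None):
    """Config-mode lines that delete and fully re-create list <number>.
    new_entry (if given) goes in front of the first existing entry whose text
    contains insert_before; if nothing matches it is appended at the end."""
    ordered = list(entries)
    if new_entry is not None:
        idx = next((i for i, e in enumerate(ordered)
                    if insert_before and insert_before in e), len(ordered))
        ordered.insert(idx, new_entry)
    lines = [f"no access-list {number}"]
    lines += [f"access-list {number} {e}" for e in ordered]
    return lines


def paste_block(show_text, number, new_entry, insert_before):
    """Everything to paste after 'conf t': the rebuilt list, then leave
    config mode and save to NVRAM."""
    entries = parse_show_output(show_text)[number]
    return build_config(number, entries, insert_before, new_entry) + ["end", "write memory"]


# Constructed sample of what a 'show access-lists' capture looks like.
SAMPLE_SHOW = """\
Standard IP access list 1
    permit any
Extended IP access list 101
    permit tcp any host 192.0.2.25 eq smtp (1203 matches)
    permit tcp any any established
    deny ip any any log
"""

if __name__ == "__main__":
    print("\n".join(paste_block(SAMPLE_SHOW, "101",
                                "deny tcp host 203.0.113.45 any", "eq smtp")))
```

One caveat before pasting this into a router that is filtering live traffic: between `no access-list 101` and the last re-created line, the interface references a list that does not exist, and IOS permits all traffic through an applied but undefined list, so the rebuild briefly opens the interface. Pasting the block as a whole keeps that window short; on IOS versions that support sequence numbers or named ACLs, inserting a single line by sequence number avoids it altogether.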
 
That worked like a charm. Thank you everyone for your help and patience.
 