[c-nsp] FWSM Access-control lists

Hitesh Vinzoda vinzoda.hitesh at gmail.com
Tue Nov 11 01:23:33 EST 2008


Dear All,

I'm having a production server subnet of around 150 servers (172.16.2.0/24),
and all of them are sitting behind FWSM. The current ACL applied is permit ip
any any.

Now we have got the details of one server communicating on some ports, for
which we are going to apply the ACL. I came to know about the line numbers in
ACEs, but for me it's not working.

Say e.g. my LAN is untrusted (192.168.0.0/16)

access-list test line 1 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq www
access-list test line 2 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq smtp
access-list test line 3 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq 445

Now any other traffic for that particular server will be denied:

access-list test line 500 extended deny ip any host 172.16.2.20
access-list test line 501 extended permit ip any any

The fascinating thing here is that when I issue the "sh access-list" command, it
shows the line numbers for 500 and 501 as 4 & 5 respectively, i.e. anything
added later is appended.

I want to have ip any any at line 15000, which will be removed once all ACEs for
each server are in place.

FWSM is running on 3.2.

Any ideas about getting lines 500 & 501 fixed at their respective places?

Thanks in advance

Hitesh Vinzoda
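The following is an added worked example, not configuration from the original post or from Cisco, showing how the "line" keyword behaves on FWSM/ASA-style ACLs and a migration order that keeps the per-server deny ahead of the temporary catch-all. The ACL name "servers_in" and the interface name "lan" are assumptions; the addresses are the ones given in the post. The key point is that "line N" sets only the relative position of an ACE: FWSM renumbers the list sequentially, so "line 500" in a three-entry ACL simply becomes line 4, and "show access-list" always reports the current positions. An ACE inserted later therefore has to reference the position it should occupy at that moment, not a fixed slot.

```cisco
! Added example (not from the original post). Assumes FWSM 3.x ASA-style syntax,
! an interface named "lan" facing the untrusted 192.168.0.0/16 network, and
! the server subnet 172.16.2.0/24 behind it. ACL and interface names are assumed.
!
! 1. Per-server permits first. "line" only fixes relative order; the box
!    renumbers sequentially, so these show up as lines 1-3 in "show access-list".
access-list servers_in line 1 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq www
access-list servers_in line 2 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq smtp
access-list servers_in line 3 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq 445
!
! 2. Explicit deny for everything else to this server, directly after its permits.
!    First match wins, so this must sit above the catch-all permit.
access-list servers_in line 4 extended deny ip any host 172.16.2.20
!
! 3. Temporary catch-all while the remaining servers are still being migrated.
!    Without a "line" keyword it is appended; "line 15000" would give the same result.
access-list servers_in extended permit ip any any
!
! 4. Apply the new ACL inbound on the untrusted side (replaces the old permit-any ACL).
access-group servers_in in interface lan
!
! 5. Adding the next server later: check the catch-all's current position with
!    "show access-list servers_in" (here line 5) and insert above it. Each insert
!    shifts the catch-all down by one, so the second insert goes at line 6.
access-list servers_in line 5 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.21 eq www
access-list servers_in line 6 extended deny ip any host 172.16.2.21
!
! 6. Once every server has its own permit/deny block, drop the catch-all;
!    the ACL's implicit deny at the end then covers anything not listed.
no access-list servers_in extended permit ip any any
```

Verification after each change is "show access-list servers_in": the per-server deny ACEs should accumulate hit counts for traffic that does not match the explicit permits above them, while the catch-all's hit count should fall toward zero as servers are migrated. Building the new ACL under a separate name and swapping it in with "access-group" (step 4) avoids a window in which the production ACL has neither the old permit-any nor a complete per-server policy.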

