[c-nsp] FWSM Access-control lists

Ben Steele ben.steele at internode.on.net
Tue Nov 11 02:40:04 EST 2008


If you just add all your line numbers the same it will automatically bump
the one it's replacing up one.

I.e. say your permit ip any any is at line 4; if you just insert all your
rules as line 4 you will find they bump each other up all the way to
whatever line number you get to, with the original line 4 statement at the
very end.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hitesh Vinzoda
Sent: Tuesday, 11 November 2008 4:54 PM
To: Cisco Mailing list
Subject: [c-nsp] FWSM Access-control lists

Dear All,

I'm having a production server subnet of around 150 servers (172.16.2.0/24)
and all of them are sitting behind FWSM. The current ACL applied is permit ip
any any.

Now we have got the details of one server communicating on some ports, for
which we are going to apply the ACL. I came to know about the line numbers in
ACE but for me it's not working.

Say e.g. my LAN is untrusted (192.168.0.0/16)

access-list test line 1 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq www
access-list test line 2 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq smtp
access-list test line 3 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq 445

Now any other traffic for that particular server will be denied:

access-list test line 500 extended permit ip any host 172.16.2.20
access-list test line 501 extended permit ip any any

The fascinating thing here is that when I issue the "sh access-list" command, it
shows the line numbers for 500 and 501 as 4 & 5 respectively, i.e. anything
added later is appended.

I want to have ip any any at line 15000, which will be removed once all ACEs for
each server are in place.

FWSM is running on 3.2.

Any ideas about getting lines 500 & 501 fixed at their respective places?

Thanks in advance

Hitesh Vinzoda
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
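The line-positioning behaviour discussed in this thread, as an added example that is not part of the original posts: a small Python model of how the FWSM/ASA `access-list NAME line N ...` command places ACEs. It assumes what both posters observed, that a line number is a 1-based position, that a line beyond the current end simply appends (which is why 500 and 501 became 4 and 5), and that inserting at an occupied line pushes that ACE and everything after it down by one. The model also shows a caveat with inserting every rule at the same line: the rules end up in reverse order of entry, so the function `ordered_insert` re-reads the catch-all's current line before each insert to keep them in the order they were written. All addresses and the extra pre-existing ACEs are constructed for the example; the helper names are the example's own.

```python
"""Model of FWSM/ASA ACE line numbering (illustrative, not vendor code)."""
from dataclasses import dataclass, field


@dataclass
class AccessList:
    name: str
    aces: list = field(default_factory=list)

    def add(self, ace, line=None):
        """Place `ace` at 1-based `line`; out-of-range or no line appends."""
        if line is None or line > len(self.aces) + 1:
            self.aces.append(ace)             # e.g. 'line 500' on a 3-entry ACL
        else:
            self.aces.insert(line - 1, ace)   # existing ACE at `line` moves down
        return self

    def line_of(self, ace):
        """Current line number of an ACE, as 'show access-list' would print it."""
        return self.aces.index(ace) + 1

    def show(self):
        """(line, ace) pairs in 'show access-list' order."""
        return [(i + 1, ace) for i, ace in enumerate(self.aces)]

    def commands(self):
        """CLI lines that would rebuild this ACL with explicit line numbers."""
        return [f"access-list {self.name} line {n} extended {ace}"
                for n, ace in self.show()]


SERVER = "host 172.16.2.20"
LAN = "192.168.2.0 255.255.255.0"          # constructed: /24 implied by the post
SERVER_RULES = [
    f"permit tcp {LAN} {SERVER} eq www",
    f"permit tcp {LAN} {SERVER} eq smtp",
    f"permit tcp {LAN} {SERVER} eq 445",
]
CATCH_ALL = "permit ip any any"


def original_post():
    """Hitesh's sequence on a fresh ACL: lines 500/501 are clamped to 4/5."""
    acl = AccessList("test")
    for n, ace in enumerate(SERVER_RULES, start=1):
        acl.add(ace, line=n)
    acl.add(f"permit ip any {SERVER}", line=500)
    acl.add(CATCH_ALL, line=501)
    return acl.show()


def _acl_with_catch_all_at_4():
    acl = AccessList("prod")
    for i in range(1, 4):                      # constructed pre-existing ACEs
        acl.add(f"permit tcp any host 172.16.2.{i} eq www")
    return acl.add(CATCH_ALL)                  # catch-all now sits at line 4


def same_line_insert():
    """Ben's trick: every new ACE goes in at line 4; catch-all slides to the end.
    Side effect to note: the new ACEs appear in reverse order of entry."""
    acl = _acl_with_catch_all_at_4()
    for ace in SERVER_RULES:
        acl.add(ace, line=4)
    return acl.show()


def ordered_insert():
    """Same end state, but rules keep their written order: insert each one at
    the catch-all's *current* line, which moves down by one after each insert."""
    acl = _acl_with_catch_all_at_4()
    for ace in SERVER_RULES:
        acl.add(ace, line=acl.line_of(CATCH_ALL))
    return acl


if __name__ == "__main__":
    for n, ace in original_post():
        print(n, ace)
    print()
    for n, ace in same_line_insert():
        print(n, ace)
    print()
    for cmd in ordered_insert().commands():
        print(cmd)
```

Running it prints the three scenarios: the fresh ACL with 500/501 shown as 4/5, the same-line insert with the catch-all pushed to line 7 and the server rules reversed above it, and the CLI lines for the ordered variant, where the rules land at 4, 5 and 6 in the order they were written.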



