alt.certification.cisco, April 2004: Remove access-list

Howard Huntley

2004-04-23, 6:25 pm

I purchased a router off eBay. The router has a standard access-list
on s 0 which will not allow me to access it through the s 0. How can I
configure the port with no access-list or authentication?

Doan

2004-04-23, 7:25 pm


On Fri, 23 Apr 2004, Howard Huntley wrote:

> I purchased a router off eBay. The router has a standard access-list
> on s 0 which will not allow me to access it through the s 0. How can I
> configure the port with no access-list or authentication?
>

Go to config mode.
(config)# no access-list #
(config)# interface s0
(config-if)# no ip access-group #

Doan


Phillip Remaker

2004-04-24, 12:25 pm

I recommend the reverse order, if you happen to be coming in through the
interface where the access list is applied.

> (config)# interface s0
> (config-if)# no ip access-group #
> (config-if)# exit
> (config)# no access-list #


If you have an interface access-group applied and delete the access-list,
the router will assume the posture of "no access-list == no access." That
is a safeguard: If you accidentally delete an access list **ALL** access
is denied. It is presumed that it is preferable to shut down access than to
inadvertently open a security hole.

This is the voice of experience. If you come in through the protected
interface and delete the access list, you are locked out (D'ohh!!) If you
are changing an access list on a 'hot' network, it is best to do it from the
inside, where the order does not matter, *OR* create a new access-list and
then point the access-group to the new access-list.


Walter Roberson

2004-04-25, 11:28 pm

In article <Wrvic.517$R44.312@newssvr27.news.prodigy.com>,
Phillip Remaker <rekamerpillihp-usenet1@yahoo.com> wrote:
:If you have an interface access-group applied and delete the access-list,
:the router will assume the posture of "no access-list == no access." That
:is a safeguard: If you accidentally delete an access list **ALL** access
:is denied. It is presumed that it is preferable to shut down access than to
:inadvertently open a security hole.

Was that recently changed, Phillip? Because it wasn't that way
historically.

http://www.cisco.com/en/US/products...bf.html#1017069

ip access-group

Usage Guidelines

When you apply an ACL that has not yet been defined to an interface,
the software will act as if the ACL has not been applied to the
interface and will accept all packets. Remember this behavior if you
use undefined ACLs as a means of security in your network.


:This is the voice of experience. If you come in through the protected
:interface and delete the access list, you are locked out (D'ohh!!)

Does that perhaps only apply to vty's?

:If you
:are changing an access list on a 'hot' network, is is best to do it from the
:inside, where the order does not matter, *OR* create a new access-list and
:then point the access-group to the new access-list.

What my mama always told me was that the undefined access-list permits
everything, and that the danger is that if you then go into
config term and start typing in the access-list, then as soon as the
very first line is in place, the "implicit deny all" rule comes into
effect, locking you out if that first line didn't happen to be a
line permitting you access. That's why Sis always recommended
"reload in 5 minutes" and tftp'ing in the complete new access-list
if I didn't want to bother with the access-group switcheroo.
--
Before responding, take into account the possibility that the Universe
was created just an instant ago, and that you have not actually read
anything, but were instead created intact with a memory of having read it.

Phillip Remaker

2004-04-26, 3:38 pm

I just did some digging: You (and the docs) are correct. My bad. ip
access-group will pass packets in the absence of an access-list.

Thinking back, I think my issue was related to CHANGING a live access list,
where once I edited the list, I managed to lock myself out.

Thanks for correcting my poor memory.


> Was that recently changed, Phillip? Because it wasn't that way
> historically.
>
>

http://www.cisco.com/en/US/products...bf.html#1017069


Dave Phelps

2004-04-27, 7:32 am

In article <1083004765.255662@sj-nntpcache-3>, remaker@cisco.com says...
> I just did some digging: You (and the docs) are correct. My bad. ip
> access-group will pass packets in the absence of an access-list.
>
> Thinking back, I think my issue was related to CHANGING a live access list,
> where once I edited the list, I managed to lock myself out.


Very true. I've done this myself. I am forever indebted to the 'reload in x' command.

--
Dave Phelps
DD Networks
www.ddnets.com
deadspam=tippenring
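The workflow Phillip, Walter and Dave describe (schedule a reload as a safety net, build the replacement list completely under a new name, repoint the interface, then cancel the reload) written out as an IOS session. This is an added example, not from any post in the thread; the old list number 101, the new list name SAFE-IN, the interface Serial0 and the management host 192.0.2.10 are assumptions.

```text
! Added example, not from the thread. Assumed: old list 101 is applied
! inbound on Serial0, the management host is 192.0.2.10, and the
! replacement list is named SAFE-IN.
!
! Safety net first: if the new list locks you out, the router reboots
! to startup-config (which still carries the old list) in 5 minutes.
Router# reload in 5
Router# configure terminal
!
! Build the replacement list completely before anything references it.
! A list that is not yet applied cannot lock anyone out while it is being
! typed, so the implicit deny at its end does no harm at this stage.
Router(config)# ip access-list extended SAFE-IN
Router(config-ext-nacl)# permit tcp host 192.0.2.10 any eq telnet
Router(config-ext-nacl)# permit tcp host 192.0.2.10 any eq 22
Router(config-ext-nacl)# deny ip any any log
Router(config-ext-nacl)# exit
!
! Swap the reference in a single command. The old list 101 stays defined
! until the new one is confirmed to work.
Router(config)# interface Serial0
Router(config-if)# ip access-group SAFE-IN in
Router(config-if)# end
!
! Verify the interface now points at a list that is actually defined:
! per the ip access-group docs, an undefined list permits everything.
Router# show ip interface Serial0 | include access list
Router# show access-lists SAFE-IN
!
! Still connected? Cancel the pending reload and save.
Router# reload cancel
Router# copy running-config startup-config
!
! Only now is the old list safe to delete.
Router# configure terminal
Router(config)# no access-list 101
Router(config)# end
```

The order matters for exactly the reason Walter gives: editing the list that is already bound to the interface puts the implicit deny into effect as soon as the first entry exists, so the new entries go into a list that nothing references yet, and the interface is moved to it only when it is complete. The explicit `deny ip any any log` at the end replaces the silent implicit deny so that blocked traffic shows up in the log rather than disappearing.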

Ticking Timebomb

2004-04-28, 11:32 am

"Howard Huntley" <hhuntleyjr@comcast.net> wrote in message
news:4g3j80hr7d00hcfh69v7go3g9ut0rnmjuh@4ax.com...
> I purchased a router off eBay. The router has a standard access-list
> on s 0 which will not allow me to access it through the s 0. How can I
> configure the port with no access-list or authentication?


I am guessing you are able to log in through e0 or console?

enable
sho conf
(under interface serial 0 you will see the offending access-list, copy it to
clipboard or write it down word for word)
conf term
int s0
no <paste the access-list here>
exit
exit
copy run start


Copyright 2003 - 2008 examnotes.net