I could use some feedback on what I am doing wrong in my ACL change process, which is causing me to drop communication with a remote router during the change process. Fortunately I start the process with a reload in 10, so that the router reboots and goes back to original config. That doesn't get my changes implemented though!
I have attempted the following steps twice, and dropped communication both times. My end goal is to open UDP port 47808 both inbound and outbound. On my serial (external) interface at this remote router I have one inbound (#102) and one outbound (#101) access list that I want to add "permit udp any any eq 47808" to. Here are the steps I take (what am I doing wrong?):
1) no ip access-group 102 in
no ip access-group 101 out
2) no access-list 102 in
no access-list 101 out
3) ip access-group 101 out
ip access-group 102 in
4) I paste in the following access-list lines of text
access-list 101 permit udp any any eq 47808
access-list 101 deny udp any any eq 8998 log
access-list 101 deny tcp any any eq 402 log
access-list 101 deny tcp any any range 666 765 log
access-list 101 deny udp any any eq 707 log
access-list 101 permit udp any host 10.1.1.119 eq tftp
access-list 101 permit udp any host 10.1.1.119 eq syslog
access-list 101 deny udp any any eq tftp log
access-list 101 permit tcp any host 10.1.0.150 eq 135
access-list 101 permit tcp any host 10.1.0.152 eq 135
access-list 101 permit tcp any host 10.1.0.154 eq 135
access-list 101 permit tcp 10.0.0.16 0.255.0.0 any eq 135
access-list 101 permit tcp any host 10.253.0.65 eq 135
access-list 101 permit tcp any host 10.253.0.66 eq 135
access-list 101 permit tcp any host 10.1.0.65 eq 135
access-list 101 permit tcp any host 10.1.0.66 eq 135
access-list 101 permit tcp any host 10.253.0.126 eq 135
access-list 101 deny tcp any any eq 135 log
access-list 101 permit icmp any host 10.1.1.119
access-list 101 permit icmp host 10.1.1.119 any
access-list 101 permit icmp any host 10.1.0.134
access-list 101 permit icmp any host 10.1.1.172
access-list 101 permit icmp host 10.1.1.172 any
access-list 101 permit icmp any host 10.253.0.65
access-list 101 permit icmp any host 10.253.0.66
access-list 101 permit icmp any host 10.1.0.65
access-list 101 permit icmp any host 10.1.0.66
access-list 101 permit icmp any host 10.1.0.150
access-list 101 permit icmp any host 10.1.0.152
access-list 101 permit icmp any host 10.1.0.154
access-list 101 permit icmp any host 10.253.0.126
access-list 101 permit icmp 10.0.0.16 0.255.0.0 any
access-list 101 deny icmp any any log
access-list 101 permit ip any any
access-list 102 permit udp any any eq 47808
access-list 102 deny tcp any any range 666 765 log
access-list 102 deny udp any any eq 707 log
access-list 102 deny udp any any eq 995 log
access-list 102 deny udp any any eq 996 log
access-list 102 deny udp any any eq 997 log
access-list 102 deny udp any any eq 998 log
access-list 102 deny udp any any eq 999 log
access-list 102 permit ip any any
As the 102 list begins to paste in, the connection becomes very slow and then drops. The last thing displayed on the screen is the "access-list 102 deny udp any any eq 47808 log" line.
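A change sequence that avoids the lockout, added here as an example rather than the poster's own config: the replacement list is built in full under an unused number while the interface is still protected by the old list, and the binding is then swapped with a single `ip access-group` command, because IOS numbered ACLs end in an implicit deny, so a partially pasted list bound to a live interface drops everything not yet permitted, including the management session. The interface name Serial0/0 and the spare list numbers 103/104 are assumptions; the `no access-list` form shown is the valid one (it takes no `in`/`out` keyword).

```cisco
! Added example (not the poster's config): stage the new inbound list under an
! unused number, then swap the interface binding in a single command.
! Assumes interface Serial0/0 and that 103/104 are unused; adjust to taste.
reload in 10
configure terminal
!
! 1) Build the complete replacement list while the interface is still
!    protected by the old list 102. Numbered ACLs end in an implicit deny,
!    so a half-pasted list must never be bound to a live interface.
access-list 104 permit udp any any eq 47808
access-list 104 deny tcp any any range 666 765 log
access-list 104 deny udp any any eq 707 log
access-list 104 deny udp any any eq 995 log
access-list 104 deny udp any any eq 996 log
access-list 104 deny udp any any eq 997 log
access-list 104 deny udp any any eq 998 log
access-list 104 deny udp any any eq 999 log
access-list 104 permit ip any any
!
! 2) Swap the binding: one command replaces 102 with 104 on the interface,
!    so there is no "no ip access-group" step and no unfiltered window.
interface Serial0/0
 ip access-group 104 in
 end
!
! 3) Verify the session still works and the new list is in place.
show ip interface Serial0/0 | include access list
show access-lists 104
!
! 4) Only now remove the old list (the command takes no in/out keyword),
!    then cancel the safety reload and save.
configure terminal
no access-list 102
end
reload cancel
write memory
! Repeat for the outbound direction: build 103 from the 101 entries with the
! new permit line first, apply "ip access-group 103 out", then "no access-list 101".
```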