Remove access-list

Discussion in 'Cisco' started by Howard Huntley, Apr 23, 2004.

  1. I purchased a router off ebay. The router has a standard access-list
    on s 0 which will not allow me to access it through the s 0. How can I
    configure the port with no access-list or authentication?
     
    Howard Huntley, Apr 23, 2004
    #1

  2. Doan Guest

    Go to config mode.
    (config)# no access-list #
    (config)# interface s0
    (config-if)# no ip access-group # in
    ! # = the access-list number; use "out" instead of "in" if the list was applied outbound

    Doan
     
    Doan, Apr 23, 2004
    #2

  3. I recommend the reverse order, if you happen to be coming in through the
    interface where the access list is applied.
    If you have an interface access-group applied and delete the access-list,
    the router will assume the posture of "no access-list == no access." That
    is a safeguard: If you accidentally delete an access list **ALL** access
    is denied. It is presumed that it is preferable to shutdown access than to
    inadvertently open a security hole.

    This is the voice of experience. If you come in through the protected
    interface and delete the access list, you are locked out (D'ohh!!) If you
    are changing an access list on a 'hot' network, it is best to do it from the
    inside, where the order does not matter, *OR* create a new access-list and
    then point the access-group to the new access-list.
     
    Phillip Remaker, Apr 24, 2004
    #3
  4. :If you have an interface access-group applied and delete the access-list,
    :the router will assume the posture of "no access-list == no access." That
    :is a safeguard: If you accidentally delete an access list **ALL** access
    :is denied. It is presumed that it is preferable to shutdown access than to
    :inadvertently open a security hole.

    Was that recently changed, Phillip? Because it wasn't that way
    historically.

    http://www.cisco.com/en/US/products...on_guide_chapter09186a008007edbf.html#1017069

    ip access-group

    Usage Guidelines

    When you apply an ACL that has not yet been defined to an interface,
    the software will act as if the ACL has not been applied to the
    interface and will accept all packets. Remember this behavior if you
    use undefined ACLs as a means of security in your network.


    :This is the voice of experience. If you come in through the protected
    :interface and delete the access list, you are locked out (D'ohh!!)

    Does that perhaps only apply to vty's?

    :If you
    :are changing an access list on a 'hot' network, it is best to do it from the
    :inside, where the order does not matter, *OR* create a new access-list and
    :then point the access-group to the new access-list.

    What my mama always told me was that the undefined access-list permits
    everything, and that the danger is that if you then go into
    config term and start typing in the access-list, then as soon as the
    very first line is in place, the "implicit deny all" rule comes into
    effect, locking you out if that first line didn't happen to be a
    line permitting you access. That's why Sis always recommended
    "reload in 5 minutes" and tftp'ing in the complete new access-list
    if I didn't want to bother with the access-group switcheroo.
     
    Walter Roberson, Apr 26, 2004
    #4
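A small Python model of the behaviour this exchange describes, added here as an illustration (it is not code from the thread or from Cisco): an undefined list bound to an interface passes everything, but as soon as the first line of that list exists the implicit deny applies, which is the lockout Walter describes, and re-pointing the interface to a fully built second list avoids it. The admin address, list numbers and the contiguous-wildcard simplification are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# An ACL is an ordered list of (action, network) entries; first match wins.
Entry = Tuple[str, ipaddress.IPv4Network]
AclTable = Dict[int, List[Entry]]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn IOS 'address wildcard' notation into a network (assumes a contiguous mask)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ wc)
    return ipaddress.IPv4Network((addr, str(mask)), strict=False)


def permits(acls: AclTable, acl_id: int, src: str) -> bool:
    """Does a packet from src pass the ACL number bound with 'ip access-group'?"""
    if acl_id not in acls:
        # Undefined ACL: the router acts as if no ACL were applied (Cisco doc quoted above).
        return True
    host = ipaddress.IPv4Address(src)
    for action, net in acls[acl_id]:
        if host in net:
            return action == "permit"
    return False  # implicit deny all at the end of every defined ACL


def acl_add(acls: AclTable, acl_id: int, action: str, addr: str, wildcard: str) -> None:
    """Emulate typing 'access-list <id> <permit|deny> <addr> <wildcard>' in config mode."""
    acls.setdefault(acl_id, []).append((action, wildcard_to_network(addr, wildcard)))


def lockout_demo(admin_ip: str = "192.168.1.5") -> Tuple[bool, bool, bool]:
    """Admin reachability: before, after the first live line, after the switcheroo."""
    acls: AclTable = {}
    bound = 10  # s0 carries 'ip access-group 10 in', but access-list 10 does not exist yet
    before = permits(acls, bound, admin_ip)  # True: undefined list lets everything through
    acl_add(acls, 10, "permit", "10.0.0.0", "0.255.255.255")  # first line typed on the live list
    after_first_line = permits(acls, bound, admin_ip)  # False: implicit deny shuts the admin out
    # Safer route from the thread: build a complete new list, then re-point the interface to it.
    acl_add(acls, 11, "permit", admin_ip, "0.0.0.0")
    acl_add(acls, 11, "permit", "10.0.0.0", "0.255.255.255")
    bound = 11  # one command, 'ip access-group 11 in', swaps the binding
    after_switcheroo = permits(acls, bound, admin_ip)
    return before, after_first_line, after_switcheroo
```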
  5. I just did some digging: You (and the docs) are correct. My bad. ip
    access-group will pass packets in the absence of an access-list.

    Thinking back, I think my issue was related to CHANGING a live access list,
    where once I edited the list, I managed to lock myself out.

    Thanks for correcting my poor memory.

    http://www.cisco.com/en/US/products...on_guide_chapter09186a008007edbf.html#1017069
     
    Phillip Remaker, Apr 26, 2004
    #5
  6. Dave Phelps Guest

    Very true. I've done this myself. I am forever indebted to the 'reload in x' command.
     
    Dave Phelps, Apr 27, 2004
    #6
  7. I am guessing you are able to log in through e0 or console?

    enable
    sho conf
    (under interface serial 0 you will see the offending ip access-group line, copy it to
    clipboard or write it down word for word)
    conf term
    int s0
    no <paste the ip access-group line here>
    exit
    exit
    copy run start
     
    Ticking Timebomb, Apr 28, 2004
    #7