Greg's Blog

helping me remember what I figure out

How to Edit a Cisco Router Access List

This little document shows the steps required to edit an access-list on a Cisco 2503 router (I don’t know if it’s the same for other routers). It does not cover all the different access-list configuration options; it just shows the safest way to edit an access-list that is already in use. Disclaimer time: as ever, if anything goes wrong (i.e. you hose your router configuration) it’s not my fault and I will not be held responsible.

Right, now that we have dispensed with the formalities, on with the task at hand. Telnet into your router and log in. Once logged in, type en to enter enable (privileged) mode. You will be required to enter an additional password.

First we are going to make a copy of the current configuration. From the toolbar of your telnet program (I use the standard Windows telnet program), select Terminal > Start Logging (note you will have to specify the file name and location, e.g. C:\temp\telnet.log). At the command prompt type wr t. This command displays the content of your current running config and, because logging is enabled, the output is also written to the C:\temp\telnet.log file you created earlier.

Click Terminal > Stop Logging and log out of your session with the router. Next open Notepad and load your telnet.log file. Scroll down until you see a list looking something like this:
access-list 100 permit ip any any
access-list 103 permit ip host 10.10.10.10 any
access-list 103 permit icmp host 10.10.10.10 any
access-list 103 permit icmp host 10.10.10.11 any

Now copy the entire block of lines that begin with access-list 103 and paste it directly beneath the last 103 entry. This copy is the list we are going to modify. Save the file under a different name before doing any editing. Once that is done, change all the 103 entries in the copy to 104. Using the example above, your access lists should now look something like this:
access-list 100 permit ip any any
access-list 103 permit ip host 10.10.10.10 any
access-list 103 permit icmp host 10.10.10.10 any
access-list 103 permit icmp host 10.10.10.11 any
access-list 104 permit ip host 10.10.10.10 any
access-list 104 permit icmp host 10.10.10.10 any
access-list 104 permit icmp host 10.10.10.11 any

Now you can safely edit the 104 list to reflect your access requirements, since nothing on the router refers to it yet. For those of you who want to know what the different access-list options are, I will try to provide another document in the near future introducing some of the concepts.

Ok, once you have carried out your modifications, highlight the latest access-list (i.e. 104) and copy it. Now log back in to your Cisco router and enter enable mode again. First type conf, which takes you to config mode, and hit return once you see this message:
Configuring from terminal, memory, or network [terminal]? Enter configuration commands, one per line. End with CNTL/Z.

Now type int serNumber (where Number is the number of the serial interface you wish to edit, e.g. for interface 0 you would type int ser0). First we are going to unbind the existing access-list from the interface:
no ip access-group 103 in

Note: 103 is the number of your existing access-list, and "in" means it filters inbound traffic on that interface.

Type exit, then go to the Edit menu of your telnet program and choose Paste. All the entries you created for 104 should now be added to your running configuration. And now the moment of truth: go back to your interface (i.e. int serNumber) and type ip access-group 104 in (where 104 is your new access-list). Hit CNTL/Z to leave config mode and type wr t to review your config file.

Optional things:
To save this running config to your startup config type: copy run start
If you wish to tidy up your access-lists, i.e. not have all the 103, 104, 105 modifications listed, go back into conf and type no access-list 103 (where 103 is the list you wish to remove). Only do this once the interface is bound to the new list, otherwise you will have no filtering at all.
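
The renumber-and-swap procedure above, as an added Python example that is not part of the original post: it extracts the access-list 103 entries from a captured "wr t" output, produces the renumbered 104 copy, refuses to reuse a number that already exists in the config (pasting would silently append to that list rather than create a fresh one), and emits the IOS config-mode commands in the order the post uses. The captured config and the interface name Serial0 are constructed sample data.

```python
from __future__ import annotations
import re

# Constructed sample of a running config captured via telnet logging (not a real router).
CAPTURED_CONFIG = """\
interface Serial0
 ip access-group 103 in
access-list 100 permit ip any any
access-list 103 permit ip host 10.10.10.10 any
access-list 103 permit icmp host 10.10.10.10 any
access-list 103 permit icmp host 10.10.10.11 any
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(.*)$")


def acl_entries(config: str, number: int) -> list[str]:
    """Return the rule bodies of access-list <number>, in the order they appear."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and int(m.group(1)) == number:
            entries.append(m.group(2))
    return entries


def renumber_acl(config: str, old: int, new: int) -> list[str]:
    """Build the access-list <new> lines from access-list <old>, as the post does in Notepad.

    Refuses if <new> is already defined: on IOS a pasted line for an existing
    numbered list is appended to it, so the 'fresh copy' would not be fresh.
    """
    if acl_entries(config, new):
        raise ValueError(f"access-list {new} already exists; pick an unused number")
    old_entries = acl_entries(config, old)
    if not old_entries:
        raise ValueError(f"access-list {old} not found in config")
    return [f"access-list {new} {body}" for body in old_entries]


def swap_commands(interface: str, old: int, new: int, new_lines: list[str]) -> list[str]:
    """Config-mode commands in the post's order: unbind old list, define new list, bind new.

    'end' is the command equivalent of the CNTL/Z keystroke that leaves config mode.
    """
    return ([f"interface {interface}", f"no ip access-group {old} in", "exit"]
            + new_lines
            + [f"interface {interface}", f"ip access-group {new} in", "end"])


if __name__ == "__main__":
    for cmd in swap_commands("Serial0", 103, 104, renumber_acl(CAPTURED_CONFIG, 103, 104)):
        print(cmd)
```

The gap between "no ip access-group 103 in" and "ip access-group 104 in" is the window in which the interface passes traffic unfiltered, which is why the post has you prepare the 104 lines fully before logging back in.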

That’s all folks!