LinuxQuestions.org
Old 09-15-2006, 04:02 PM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 1,942

Rep: Reputation: 55
Cisco 1721 SDM access list issue


I accidentally blocked access to the router from a rule in the access list of the router. I can connect to it from the console but I am not too familiar yet with the CLI of Cisco. Can somebody please guide me through this mess? If I can delete it from the console then I can get back into the GUI and finish up faster. Also, why is it that when the router was bought, when accessing through the GUI it only has certain modules available and you have to upgrade the SDM or Cisco IOS on the router? What a pain in the @#$@# to have to do that from the start. You would imagine that Cisco would try to make things easier rather than harder!
 
Old 09-15-2006, 04:55 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 38,390

Rep: Reputation: 882
ok, well it's me again... hurrah!

what have you actually applied the acl to? if you know what the acl is called then just run "sh run" in enable mode and see where the access list is being applied. then go into that interface or whatever it is and remove it.

Code:
password:xxxxxx
router>en               <--- normal mode here
password:zzzzzzz
router#sh run           <--- enable mode started here
Building configuration...
[snip...]
interface FastEthernet1
 ip access-group 123 in <--- bit you're looking for (direction shown as "in" here; yours may say "out")
[...snip]
router#conf t           <--- enter configuration mode
router(config)#int FastEthernet1
router(config-if)#no ip access-group 123 in     <--- the line to remove with "no" in front of it
router(config-if)#end   <--- back to enable mode
router#
something along those lines. if you're stuck paste the whole output of sh run here.
ios is lovely... embrace it!

btw if you're using console access under Windows i *really* recommend using tuTTY (a puTTY fork) for serial port console access, much better than hypertrm.

Last edited by acid_kewpie; 09-15-2006 at 04:56 PM.
 
Old 09-15-2006, 08:13 PM   #3
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 30
Based on your post, it sounds like you accidentally added a rule to an existing ACL attached to an interface, but since you are using SDM, there are a couple of other ways it might add a command to block http/s access:

Code:
no ip http server
no ip http secure-server
-or-


Code:
access-list 10 remark ACL for Access to local http server
access-list 10 permit 192.168.9.0 0.0.0.255
access-list 10 permit 192.168.16.8 0.0.0.7
access-list 10 permit 192.168.32.8 0.0.0.7
access-list 10 deny   any log

ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
If your network or host address is not listed in ACL 10, then http/s access would not be permitted.
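
The wildcard-mask matching behind `ip http access-class 10`, as an added example that is not part of the original posts: a small Python checker that reports whether a management host would be permitted by the ACL, so you can test an address before applying the rule and locking yourself out. The function names are my own, and the sample config is constructed from the ACL 10 lines quoted above.

```python
import ipaddress

# Constructed sample: the ACL 10 lines from the post above, as they would appear in "sh run".
SAMPLE_CONFIG = """\
access-list 10 remark ACL for Access to local http server
access-list 10 permit 192.168.9.0 0.0.0.255
access-list 10 permit 192.168.16.8 0.0.0.7
access-list 10 permit 192.168.32.8 0.0.0.7
access-list 10 deny   any log
ip http server
ip http access-class 10
"""

def parse_standard_acl(config, number):
    """Return ordered (action, base, wildcard) entries for a numbered standard ACL."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", str(number)] or len(tok) < 4:
            continue
        action, rest = tok[2], tok[3:]
        if action not in ("permit", "deny"):
            continue  # skip remark lines
        if rest[0] == "any":
            base, wild = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            base, wild = int(ipaddress.IPv4Address(rest[1])), 0
        else:
            base = int(ipaddress.IPv4Address(rest[0]))
            # a bare address with no wildcard mask means a single host
            has_wild = len(rest) > 1 and rest[1] != "log"
            wild = int(ipaddress.IPv4Address(rest[1])) if has_wild else 0
        entries.append((action, base, wild))
    return entries

def acl_decision(entries, source_ip):
    """First match wins; an ACL with no matching entry ends in an implicit deny."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, base, wild in entries:
        # bits set in the wildcard are "don't care"; all other bits must be equal
        if ((src ^ base) & ~wild & 0xFFFFFFFF) == 0:
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_CONFIG, 10)
    for host in ("192.168.9.25", "192.168.16.12", "192.168.16.20", "10.0.0.5"):
        print(host, acl_decision(acl, host))
```

Note that `192.168.16.8 0.0.0.7` covers only .8 through .15, so a workstation at 192.168.16.20 is denied even though it sits on the same subnet.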
 
Old 09-16-2006, 09:51 AM   #4
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 1,942

Original Poster
Rep: Reputation: 55
Gentlemen,

many thanks. I was able to finally set everything up. A true learning experience.
 
  


All times are GMT -5.