
Cannot delete ACL statement at the end

p1xels Member Posts: 114
Hi
Can anyone please tell me how to deny DNS service?
And also, is the ACL name case-sensitive?
I created a named extended ACL called SerialACLOut, but when I tried to edit the ACL I deliberately changed the case of some letters in the ACL name, like serialaclout or SerialACLout (with just the 'o' in lower case, unlike the original ACL name).
But then when I tried to delete a line, I couldn't delete it. Further, I added a line which got placed last with the same sequence number of 10, but that sequence number was already assigned to some other line!
I tried deleting it but couldn't.
Please tell me why?

Thanks & Regards

Comments

    theodoxa Member Posts: 1,340
    access-list 100 deny udp any any eq 53
    access-list 100 deny tcp any any eq 53
    access-list 100 permit ip any any

    or

    ip access-list extended MyACL
    deny udp any any eq 53
    deny tcp any any eq 53
    permit ip any any

    DNS uses UDP 53 for Name Resolution and TCP 53 for Zone Transfers.
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
    Vask3n Member Posts: 517
    Also, if you feel you might have made extra lists, you can issue show access-list to see which access lists exist on the device.
    Working on MS-ISA at Western Governor's University
    p1xels Member Posts: 114


    The above shows the output from "show access-lists", and as you can see there are 2 duplicate ACLs created apart from the original SerialACLOut. Now, however I try, I can't delete the last 2 ACLs at the bottom of the above output; ultimately I deleted the original ACL but still I failed to delete the bottom two ACLs.
    Strangely, as you can see, I had 2 sequence numbers of 10 in the 2 ACLs! How can 2 lines have the same sequence number?
    I actually managed to delete the 1st line in the 1st ACL, so seq 10 of the top ACL is not showing, but below in the last line you can see another ACL with the same seq no. of 10!! lol
    How is that possible? It is by mistake that I created 2 ACLs and they both started with seq no. 10. Now whenever I tried to delete with the "no 10" command none was getting deleted. So I typed the correct ACL name in the same case and managed to delete the 1st line of the top ACL!! Hope you all get me.
    Please advise why this anomaly occurs and how to delete the last 2 ACLs and their respective statements without deleting the original one??
    Secondly, regarding blocking DNS service, I found these commands on Cisco's website -

    access-list 112 permit udp any any eq domain
    access-list 112 permit udp any eq domain any
    access-list 112 permit tcp any any eq domain
    access-list 112 permit tcp any eq domain any

    I think they also block the DNS service? Then which one of the above do we use? Or do we use port 53 only?
    I am really confused now.

    Regards
    networker050184 Mod Posts: 11,962
    What command are you using to try and delete it? These are three different ACLs here so that is why you can have the same sequence number in each. Not sure what you are not understanding honestly.
    An expert is a man who has made all the mistakes which can be made.
    p1xels Member Posts: 114
    I tried this command in config mode -
    R1(config)#no ip access-list extended SerialACLout (I changed the case in the name of the ACL in different ways but nothing happened!)
    VinnyCisco Member Posts: 176
    Can you post a copy of your config showing the access lists as they were entered so we can gain more of an understanding of what is going on?

    Also... a good trick I always use is to display the config on screen and then copy the actual statements. Then paste them in, use CTRL-A to get to the beginning of the line, and type "no" in front of them. And remember to use copy run start after the corrections are made.
    "Failure is the prerequisite of Success" - V. G.
    networker050184 Mod Posts: 11,962
    That should get rid of it for you. Is this real IOS or a simulator?
    An expert is a man who has made all the mistakes which can be made.
    VinnyCisco Member Posts: 176
    networker050184 wrote: »
    That should get rid of it for you. Is this real IOS or a simulator?

    I was just about to edit my last post and ask this same question..... The screenshot sort of looks like a sim, unless white on black is the new fad. ;)
    "Failure is the prerequisite of Success" - V. G.
    networker050184 Mod Posts: 11,962
    Most people use white on black that I know.
    An expert is a man who has made all the mistakes which can be made.
    ande0255 Banned Posts: 1,178
    Also, to delete individual lines, you want to drop into the access-list configuration sub-mode and put a "no" in front of the particular line number, similar to adding one by putting "line 15 permit ......."

    My main point is, don't do "no (accesslistname) line 10" to delete a line, or you will be hurting if it is production :)
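    The thread's anomaly (three ACLs whose names differ only in case, each with its own sequence number 10) is easy to spot mechanically. The following is an added example, not code from the thread or from Cisco: it parses the shape of "show access-lists" output assumed here (an unindented "Extended IP access list NAME" header followed by indented "<seq> <entry>" lines, with optional "(N matches)" counters), groups names that collapse to the same lowercase string, reports sequence numbers reused across lists, and emits the cleanup commands with the name spelled exactly as the device stores it. The sample output is constructed to mirror the situation described above; it is not the poster's screenshot.

```python
import re
from collections import defaultdict

# Constructed sample modelled on IOS "show access-lists" output; it is not the
# screenshot from the thread. It reproduces the anomaly: three ACLs whose names
# differ only in case, two of them sharing sequence number 10.
SAMPLE_SHOW_ACCESS_LISTS = """\
Extended IP access list SerialACLOut
    20 deny udp any any eq domain
    30 permit ip any any (12 matches)
Extended IP access list serialaclout
    10 deny tcp any any eq domain
Extended IP access list SerialACLout
    10 permit ip any any
"""

# Assumed line shapes: an unindented ACL header, then indented "<seq> <entry>" lines.
ACL_HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
ACL_ENTRY = re.compile(r"^\s+(\d+)\s+(.*\S)\s*$")
MATCH_COUNTER = re.compile(r"\s*\(\d+ match(?:es)?\)$")


def parse_access_lists(text):
    """Map each ACL name (case preserved, as IOS stores it) to its [(seq, entry), ...]."""
    acls = {}
    current = None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(2)
            acls.setdefault(current, [])
            continue
        entry = ACL_ENTRY.match(line)
        if entry and current is not None:
            text_part = MATCH_COUNTER.sub("", entry.group(2))
            acls[current].append((int(entry.group(1)), text_part))
    return acls


def case_variant_groups(acls):
    """Names that collapse to the same lowercase string: the mistyped duplicates."""
    groups = defaultdict(list)
    for name in acls:
        groups[name.lower()].append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}


def shared_sequence_numbers(acls):
    """Sequence numbers appearing in more than one ACL. This is legal: each ACL
    numbers its own entries, so '10' in two lists is two unrelated entries."""
    owners = defaultdict(set)
    for name, entries in acls.items():
        for seq, _ in entries:
            owners[seq].add(name)
    return {seq: sorted(names) for seq, names in owners.items() if len(names) > 1}


def remove_stray_acl_commands(acls, keep):
    """Config-mode commands that drop every ACL except `keep`, spelled exactly as
    the device lists them, since the name must match case for 'no' to take effect."""
    return [f"no ip access-list extended {name}" for name in acls if name != keep]


def remove_entry_commands(name, seq):
    """Delete one entry by sequence number from inside the named ACL's sub-mode."""
    return [f"ip access-list extended {name}", f" no {seq}", "exit"]


if __name__ == "__main__":
    acls = parse_access_lists(SAMPLE_SHOW_ACCESS_LISTS)
    for group in case_variant_groups(acls).values():
        print("names differing only by case:", ", ".join(group))
    for seq, names in shared_sequence_numbers(acls).items():
        print(f"sequence {seq} is used in: {', '.join(names)}")
    print("\n".join(remove_stray_acl_commands(acls, keep="SerialACLOut")))
    print("\n".join(remove_entry_commands("SerialACLOut", 20)))
```

    Run it against a saved copy of "show access-lists" (or the constructed sample above) before touching the device; the emitted commands are meant to be reviewed and pasted in config mode, which keeps the whole-ACL removal and the per-entry "no <seq>" form separate, as the posts above recommend.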
    VinnyCisco Member Posts: 176
    networker050184 wrote: »
    Most people use white on black that I know.

    I use that old unix orange color. Only thing good on the eyes for me.
    "Failure is the prerequisite of Success" - V. G.
    theodoxa Member Posts: 1,340
    p1xels wrote: »
    Secondly, regarding blocking DNS service, I found these commands on Cisco's website -

    access-list 112 permit udp any any eq domain
    access-list 112 permit udp any eq domain any
    access-list 112 permit tcp any any eq domain
    access-list 112 permit tcp any eq domain any

    I think they also block the DNS service? Then which one of the above do we use? Or do we use port 53 only?
    I am really confused now.

    Regards

    They permit DNS traffic. Cisco created names you can use in place of the port number for some of the more common services (DNS, Web, etc.). Just change the permit to deny to block DNS. My ACL blocked traffic to TCP/UDP port 53 (DNS lookup and DNS zone transfer). This ACL blocks traffic in both directions, though there really shouldn't be any unsolicited DNS responses coming from a DNS server.
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]