Adding access-list entries

Apr 2nd, 2007

Again, Pix 506 5.2(6):

To this point I will need to manually enter my DENY access-list statements on my 506 as we do not currently utilize any type of IDS.

In my initial config, I had 1 DENY rule, followed by 5 PERMIT rules and then of course bound to the access-group.

If I need to add a new IP to block, do I really need to completely blow away my pix config and reconfig to add a new DENY rule?

Or, since I have a deny rule (first on the list, of course) already in place, will the PIX automatically add it to the beginning of the rules with my other DENY rule(s)?

David White Mon, 04/02/2007 - 19:14

Unfortunately, in the version you are running, you will need to blow away your existing ACL and add it back (with the new deny rule before the more general permit).

It sounds like you should seriously consider upgrading to the latest 6.3 image. There you can use the 'line numbering' feature in the ACLs whereby you can add a new ACE in anywhere you want in the ACL just by specifying the line number.

More info here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/mngacl.htm#wp1001972

Sincerely,

David.
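
The two approaches described in the answer above, written out as PIX CLI configuration. This is an added example, not part of the thread; the ACL name outside_in, the interface name and all addresses are made up for illustration.

```text
! ===== PIX 5.2(6): no in-place insertion =====
! The ACL is evaluated top-down, first match wins, so a new deny
! must be entered before the general permits. New ACEs are only
! appended, so the list has to be removed and re-entered.
! Unbind first; while the outside interface has no ACL, inbound
! connections fall back to the default deny, not to permit.
no access-group outside_in in interface outside
no access-list outside_in
! Re-enter all denies, then the permits, in the order wanted
access-list outside_in deny ip host 203.0.113.10 any
access-list outside_in deny ip host 203.0.113.77 any
access-list outside_in permit tcp any host 192.0.2.25 eq smtp
access-list outside_in permit tcp any host 192.0.2.80 eq www
access-group outside_in in interface outside

! ===== PIX 6.3: insert by line number =====
! The "line" keyword places the new ACE at that position and
! shifts the existing entries down; nothing else is touched.
access-list outside_in line 2 deny ip host 203.0.113.77 any
! Confirm the resulting order before trusting it
show access-list outside_in
```

Because the 5.2 procedure briefly leaves the interface without an ACL, do the rebuild from the console or an inside session rather than over a connection the ACL itself permits.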

srberg5219 Mon, 04/02/2007 - 20:29

I would love to, unfortunately this was a preowned appliance we purchased and we do not have a CCO Service Contract.

We also purchased a 2924XL managed switch at the time and were able to upgrade that software image with no problem to the current WC17... As you know, the PIX images are harder to come by.

My gratitude for your reply!

David White Tue, 04/03/2007 - 05:00

Without a contract, you could always purchase the software upgrade. Cisco has a part number for that.

Just another thought :-)

David.
