Adding access-list entries

srberg5219
Level 1

Again, Pix 506 5.2(6):

To this point I will need to manually enter my DENY access-list statements on my 506 as we do not currently utilize any type of IDS.

In my initial config, I had 1 DENY rule, followed by 5 PERMIT rules and then of course bound to the access-group.

If I need to add a new IP to block, do I really need to completely blow away my pix config and reconfig to add a new DENY rule?

Or, since I have a deny rule (first on the list, of course) already in place, will the PIX automatically add it to the beginning of the rules with my other DENY rule(s)?

3 Replies

David White
Cisco Employee

Unfortunately, in the version you are running, you will need to blow away your existing ACL and add it back (with the new deny rule before the more general permit).

It sounds like you should seriously consider upgrading to the latest 6.3 image. There you can use the 'line numbering' feature in the ACLs whereby you can add a new ACE in anywhere you want in the ACL just by specifying the line number.

More info here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/mngacl.htm#wp1001972

Sincerely,

David.
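The two procedures described in this reply, as an added example that is not taken from either post or from Cisco documentation: on 5.2 the list is removed and re-entered with the new deny ahead of the permits, while on 6.3 the `line` keyword places the ACE directly. The ACL name `acl_out`, the interface name, the addresses and ports are placeholder values, and the exact command that removes the whole list on 5.2 (`no access-list acl_out`) is an assumption.

```cisco
! PIX 5.2(6): ACEs are appended in the order typed, so a new DENY must
! be entered before the PERMITs. Remove the list, re-enter it, re-bind.
! Assumed to remove the entire list on 5.2 (placeholder name acl_out):
no access-list acl_out
! Existing deny (placeholder address from 203.0.113.0/24)
access-list acl_out deny ip host 203.0.113.9 any
! New deny, placed before any permit
access-list acl_out deny ip host 203.0.113.25 any
! Original permits, re-entered in their previous order (placeholder hosts)
access-list acl_out permit tcp any host 198.51.100.10 eq 80
access-list acl_out permit tcp any host 198.51.100.10 eq 443
access-list acl_out permit tcp any host 198.51.100.20 eq 25
access-list acl_out permit udp any host 198.51.100.30 eq 53
access-list acl_out permit tcp any host 198.51.100.30 eq 53
! Re-bind the rebuilt list to the interface
access-group acl_out in interface outside

! PIX 6.3: insert the new ACE at a chosen position; later lines shift down.
access-list acl_out line 2 deny ip host 203.0.113.25 any
! Verify the resulting order and per-ACE hit counters before relying on it
show access-list acl_out
```

On either version, confirming the order with `show access-list` after the change is the check that matters, since a deny that lands after a matching permit never fires.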

I would love to; unfortunately, this was a preowned appliance we purchased and we do not have a CCO Service Contract.

We also purchased a 2924XL managed switch at the time and were able to upgrade that software image with no problem to the current WC17... As you know, the PIX images are harder to come by.

My gratitude for your reply!

Without a contract, you could always purchase the software upgrade. Cisco has a part number for that.

Just another thought :-)

David.
