04-02-2007 12:21 PM - edited 03-11-2019 02:55 AM
Again, Pix 506 5.2(6):
To this point I will need to manually enter my DENY access-list statements on my 506 as we do not currently utilize any type of IDS.
In my initial config, I had 1 DENY rule, followed by 5 PERMIT rules and then of course bound to the access-group.
If I need to add a new IP to block, do I really need to completely blow away my pix config and reconfig to add a new DENY rule?
Or since I have a deny rule (first on the list, of course) already in place, will the PIX automatically add it to the beginning of the rules with my other DENY rule(s)?
04-02-2007 07:14 PM
Unfortunately, in the version you are running, you will need to blow away your existing ACL and add it back (with the new deny rule before the more general permit).
It sounds like you should seriously consider upgrading to the latest 6.3 image. There you can use the 'line numbering' feature in the ACLs whereby you can add a new ACE in anywhere you want in the ACL just by specifying the line number.
More info here:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/mngacl.htm#wp1001972
Sincerely,
David.
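To make the two procedures concrete, here is an added example (not posted by anyone in the thread and not Cisco documentation): a shortened, hypothetical access list named outside_in with one deny and two permits, a blocked host in 198.51.100.0/24 and a protected web server at 203.0.113.5, first rebuilt the 5.2(6) way and then edited in place with the 6.3 "line" keyword. The ACL name, addresses and interface binding are assumptions for illustration only.

```cisco
! Added example, not from the original thread. ACL name, addresses and
! interface binding are hypothetical.

! --- PIX 5.2(6): there is no positional insert, so remove the ACEs and
! --- re-enter them in the new order (all denies first, then the permits).
! --- Do this from the console in a maintenance window: while the list is
! --- only partly rebuilt the interface is filtered by an incomplete ACL,
! --- and whatever is not yet re-entered is dropped by the implicit deny.
pix(config)# show access-list
pix(config)# no access-list outside_in deny ip host 198.51.100.10 any
pix(config)# no access-list outside_in permit tcp any host 203.0.113.5 eq www
pix(config)# no access-list outside_in permit tcp any host 203.0.113.5 eq 443
! Re-enter with the new deny added to the top section
pix(config)# access-list outside_in deny ip host 198.51.100.10 any
pix(config)# access-list outside_in deny ip host 198.51.100.44 any
pix(config)# access-list outside_in permit tcp any host 203.0.113.5 eq www
pix(config)# access-list outside_in permit tcp any host 203.0.113.5 eq 443
! The existing access-group binding is kept; confirm order and hit counters
pix(config)# access-group outside_in in interface outside
pix(config)# show access-list
pix(config)# write memory

! --- PIX 6.3: insert the new deny at a chosen position with "line N".
! --- The entry becomes line 1 and the existing entries shift down by one,
! --- so the ACL keeps filtering throughout and nothing has to be removed.
pix(config)# access-list outside_in line 1 deny ip host 198.51.100.44 any
pix(config)# show access-list outside_in
pix(config)# write memory
```

In both cases, check the output of show access-list before saving: the order printed is the order the PIX evaluates, and the hit counters tell you whether the new deny is actually matching the traffic you meant to block rather than being shadowed by an earlier, broader permit.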
04-02-2007 08:29 PM
I would love to, unfortunately this was a preowned appliance we purchased and we do not have a CCO Service Contract.
We also purchased a 2924XL managed switch at the time and were able to upgrade that software image with no problem to the current WC17... As you know, the PIX images are harder to come by.
My gratitude for your reply!
04-03-2007 05:00 AM
Without a contract, you could always purchase the software upgrade. Cisco has a part number for that.
Just another thought :-)
David.