PIX 525 6.3 command line changes

Unanswered Question
Apr 5th, 2007

A few questions:

When changing access-lists on a PIX from command line, can you change one line in the list, or do you have to remove the entire existing list and re-enter the changed list?

On a crypto map, say the peer changes and you need to make that change, can you change one line in the crypto map, or does the entire map need to be re-entered with this change?

Also same question for object group?

Can you add one line?

And will this affect any existing connections if it were a port objexct group?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Jon Marshall Thu, 04/05/2007 - 09:27

Hi Rich

1) You can delete and insert individual lines on pix v 6.3 so no need to remove the entire list.

2) You can set the new peer within the crypto map without having to reenter entire map. Be aware that if you set another peer it will keep the original one unless you do a

"no set peer xxxxxx" on the original peer.

3) Yes you can add entries to object-groups. It should not affect existing connections.



srue Thu, 04/05/2007 - 09:37

after you change ipsec peers, be sure to do a "clear crypto ipsec sa" and for kicks, "clear isakmp sa"

richmorrow624 Thu, 04/05/2007 - 10:31

Thanks jon,

If I wanted to change the list shown below, to add an additional host, it will allow me to add a line to the access-list NO_NAT?

Or remove a single line?

access-list NO_NAT permit ip host host

access-list NO_NAT permit ip host host

access-list NO_NAT permit ip host host

Jon Marshall Thu, 04/05/2007 - 11:52


You should be able to remove or add line(s) to the access-list eg

access-list NO_NAT permit ip host host

will add to existing access-list NO_NAT

no access-list NO_NAT permit ip host host

will remove that line.

HTH and thanks for the rating


richmorrow624 Thu, 04/05/2007 - 14:14

Thanks for the reply, just a couple more questions:

I have a PIX525 that currently has 10 VPN tunnels configured.

9 are showing a idle and the below is not even showing up.

AM I correct in a ssuming that with this config:

1. The crypto map looks correct and will match the address allowing remote side traffic from the subnet to access the subnet via VPN tunnel?

2. The and 2 addresses are being NATed from the and addresses?

Is that correct?


This Discussion