PIX 525 - adding a line to existing access list

Answered Question
Oct 3rd, 2007

Been a while since I had to config a pix. When an access-list exists and is attached to an interface with the access-group command, what are the rules for adding a line to the list? Can I just add a line - where in the list does it end up? There is no deny all explicitly configured in the access-list.

Correct Answer by Jon Marshall about 9 years 6 months ago

Hi

On pix v6.x you can delete an individual line within the access-list and it won't delete the access-list.

Jon

Jon Marshall Wed, 10/03/2007 - 06:02
Hi

You don't say which version of software is on the Pix, but assuming v6.x onwards.

Do a "sh access-list name_of_access-list"

When you view the output it will have line numbers included. So, to insert a rule to allow icmp from any to any at line 2 of your access-list:

access-list name_of_access-list line 2 permit icmp any any

HTH

Jon

tgurney Wed, 10/03/2007 - 10:31

And if there is already a line 2 it slides all the other rules down one?

Jon Marshall Wed, 10/03/2007 - 10:39

Yes, exactly.

The rules are: add a line OK. Delete a line = bad. It will wipe out your ACL and remove the access-group from the interface.

Copy your existing ACL into a text editor and add the additional line just to be safe. It is okay to copy everything back; it won't affect anything this way. And there is a Deny all at the end, but you may not see it.
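The line insertion, renumbering and implicit deny discussed in this thread, modelled in Python as an added example (this is not code from the thread or from Cisco): address matching is simplified to "any" or an exact string, and the ACL name and entries are constructed samples.

```python
# Added model of PIX access-list ordering: 'access-list NAME line N ...' inserts
# ahead of the current line N (old N and later entries move down one), entries
# are evaluated top-down first-match, and an implicit 'deny ip any any' that
# 'sh access-list' does not display ends every list. Not Cisco code; matching
# is simplified to "any" or exact string, and all sample entries are constructed.
from dataclasses import dataclass, field


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every protocol
    src: str     # "any" or an exact address string (simplification)
    dst: str


@dataclass
class AccessList:
    name: str
    entries: list = field(default_factory=list)

    def add(self, ace, line=None):
        # No 'line' keyword appends at the end; 'line N' inserts before old line N.
        if line is None:
            self.entries.append(ace)
        else:
            self.entries.insert(max(0, min(line - 1, len(self.entries))), ace)

    def show(self):
        # Same shape as 'sh access-list NAME' output: numbering starts at 1.
        return [f"access-list {self.name} line {i} {e.action} {e.proto} {e.src} {e.dst}"
                for i, e in enumerate(self.entries, 1)]

    def evaluate(self, proto, src, dst):
        # First match wins; falling off the end is the hidden implicit deny (line None).
        for i, e in enumerate(self.entries, 1):
            if e.proto in ("ip", proto) and e.src in ("any", src) and e.dst in ("any", dst):
                return e.action, i
        return "deny", None


def demo():
    acl = AccessList("outside_in")  # constructed sample ACL
    acl.add(Ace("permit", "tcp", "any", "10.0.0.5"))
    acl.add(Ace("deny", "ip", "192.168.1.9", "any"))
    before = acl.evaluate("icmp", "192.168.1.9", "10.0.0.5")   # hits the deny at line 2
    acl.add(Ace("permit", "icmp", "any", "any"), line=2)       # deny slides down to line 3
    after = acl.evaluate("icmp", "192.168.1.9", "10.0.0.5")    # now permitted at line 2
    implicit = acl.evaluate("udp", "172.16.0.1", "10.0.0.5")   # matches nothing: implicit deny
    return before, after, implicit, acl.show()
```

Appending the same permit without `line 2` would have left the deny at line 2 in front of it, which is why the position you give matters as much as the entry itself.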

