PIX 525 - adding a line to existing access list

tgurney
Level 1

Been a while since I had to config a PIX. When an access-list exists and is attached to an interface with the access-group command, what are the rules for adding a line to the list? Can I just add a line, and where in the list does it end up? There is no deny all explicitly configured in the access-list.


5 Replies

Jon Marshall
Hall of Fame

Hi

You don't say which version of software is on the PIX, but assuming v6.x onwards.

Do a "sh access-list name_of_access-list"

When you view the output it will have line numbers included. So to insert a rule to allow icmp from any to any at line 2 of your access-list:

access-list name_of_access-list line 2 permit icmp any any

HTH

Jon

And if there is already a line 2 it slides all the other rules down one?

Yes, exactly.

flopez
Level 1

The rules are: add a line OK. Delete a line = bad. It will wipe out your ACL and remove the access-group from the interface.

Copy your existing ACL into a text editor and add the additional line just to be safe. It is okay to copy everything back, it won't affect anything this way. And there is a Deny all at the end but you may not see it.

Hi

On pix v6.x you can delete an individual line within the access-list and it won't delete the access-list.

Jon
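A constructed PIX 6.x configuration walk-through of the points made above (Jon's "line N" insert with the entries below it shifting down, and flopez's implicit deny at the end). This is an added example, not from any poster; the ACL name, addresses and interface binding are made up for illustration.

```cisco
! Added example (not from the thread). ACL name, hosts and the
! access-group binding are constructed for illustration.

! Existing list, already bound to the outside interface
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list outside_in permit tcp any host 192.0.2.10 eq https
access-list outside_in permit udp any host 192.0.2.20 eq domain
access-group outside_in in interface outside

! "show access-list outside_in" numbers the entries in evaluation order:
!   line 1 permit tcp any host 192.0.2.10 eq www
!   line 2 permit tcp any host 192.0.2.10 eq https
!   line 3 permit udp any host 192.0.2.20 eq domain
! The implicit deny at the end is not printed but is still applied.

! Insert at line 2: the old line 2 and everything after it move down one
access-list outside_in line 2 permit icmp any any echo-reply

! Resulting order:
!   line 1 permit tcp any host 192.0.2.10 eq www
!   line 2 permit icmp any any echo-reply        <- new entry
!   line 3 permit tcp any host 192.0.2.10 eq https
!   line 4 permit udp any host 192.0.2.20 eq domain
!   (implicit deny ip any any)

! Without "line N" a new entry is appended as the last explicit line,
! i.e. it still sits ahead of the implicit deny
access-list outside_in permit tcp any host 192.0.2.10 eq ssh
```

Check the result with "show access-list outside_in" before relying on it; a permit placed after a broader deny never matches, so the line number matters as much as the entry itself.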
