Editing existing ACL's

Apr 8th, 2006

Hello All,


Given an existing list of ACL's on a PIX515 on 6.3 I need to make additional changes. If I begin to add to the already existing ACL's will this erase the existing ACL?

If I want to create a new ACL will this affect the already existing ACL's?

Thanks for your suggestions.


Keith

Patrick Laidlaw Sat, 04/08/2006 - 20:23

Keith,


If you have an existing ACL you will be able to continue to add lines to it without a problem. Now I can't remember about 6.3.x, but I know in 6.3.4 you can insert lines anywhere into the ACL.


Example:

sh access-list 100

OUTPUT:

access-list 100 line 1 permit tcp any any eq www
access-list 100 line 2 permit tcp any any eq ftp
access-list 100 line 3 deny ip any any


Let's say I would like to insert a line for telnet before the web traffic without having to paste the entire ACL. I would simply type in the following line.


access-list 100 line 1 permit tcp any any eq telnet


My new ACL would look like this:

sh access-list 100

access-list 100 line 1 permit tcp any any eq telnet
access-list 100 line 2 permit tcp any any eq www
access-list 100 line 3 permit tcp any any eq ftp
access-list 100 line 4 deny ip any any


Now let's say I need to get rid of the ftp. I would type in the following.


no access-list 100 line 3 permit tcp any any eq ftp


My ACL now looks like this:

sh access-list

access-list 100 line 1 permit tcp any any eq telnet
access-list 100 line 2 permit tcp any any eq www
access-list 100 line 3 deny ip any any


Patrick Laidlaw


Please rate any posts that were helpful.

Patrick Iseli Mon, 04/10/2006 - 11:26

You can add other access-list lines without any problem; just take care that there is no < deny ip any any > at the end.


If you remove all access-list lines then the access-group will also be removed and you have to re-add that command to apply the access-list on an interface.


Examples:

show access-list 100

# access-list 100 line 1 permit tcp any any eq telnet
# access-list 100 line 2 permit tcp any any eq www
# access-list 100 line 3 permit tcp any any eq ftp
# access-list 100 line 4 deny ip any any

no access-list 100 line 4 deny ip any any

show access-list 100

# access-list 100 line 1 permit tcp any any eq telnet
# access-list 100 line 2 permit tcp any any eq www
# access-list 100 line 3 permit tcp any any eq ftp

access-list 100 line 2 permit tcp any any eq smtp
access-list 100 deny ip any any

show access-list 100

# access-list 100 line 1 permit tcp any any eq telnet
# access-list 100 line 2 permit tcp any any eq smtp
# access-list 100 line 3 permit tcp any any eq www
# access-list 100 line 4 permit tcp any any eq ftp
# access-list 100 line 5 deny ip any any

show access-group
wr mem


See also:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#wp1067755


Sincerely

Patrick
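The line-numbering behaviour both answers describe (insert at `line N` pushes the old line N down, `no ... line N` renumbers the rest up, no `line` keyword appends) can be checked offline with a small model before touching the firewall. This is an added example, not code from either poster or from Cisco; the command sequences are constructed to mirror the second answer, and the pitfall case shows why a permit appended behind a trailing `deny ip any any` is never reached.

```python
import re
# Grammar of the PIX 6.3 commands used in the thread: optional 'no', optional 'line N'.
ACE_RE = re.compile(r"^(?P<neg>no )?access-list (?P<id>\S+)(?: line (?P<line>\d+))? "
                    r"(?P<action>permit|deny) (?P<body>.+)$")

class Acl:
    """In-memory model of one PIX 6.3 access-list; entries[0] is 'line 1'."""
    def __init__(self, acl_id="100"):
        self.acl_id, self.entries = acl_id, []

    def apply(self, cmd):
        m = ACE_RE.match(cmd.strip())
        if not m or m["id"] != self.acl_id:
            raise ValueError(f"not a command for access-list {self.acl_id}: {cmd!r}")
        ace = (m["action"], m["body"])
        if m["neg"]:
            self.entries.remove(ace)            # 'no ... line N': remove; later lines renumber up
        elif m["line"]:
            self.entries.insert(int(m["line"]) - 1, ace)  # 'line N': insert, pushing old N down
        else:
            self.entries.append(ace)            # no 'line' keyword: append at the end

    def show(self):
        return [f"access-list {self.acl_id} line {i} {a} {b}"
                for i, (a, b) in enumerate(self.entries, 1)]

    def shadowed(self):
        """Line numbers after the first 'deny ip any any'; traffic can never reach them."""
        for i, ace in enumerate(self.entries, 1):
            if ace == ("deny", "ip any any"):
                return list(range(i + 1, len(self.entries) + 1))
        return []

def replay(commands, acl_id="100"):
    acl = Acl(acl_id)
    for c in commands:
        acl.apply(c)
    return acl
# Constructed sequence mirroring the post: start with the four-line ACL, drop the
# trailing deny, insert smtp at line 2, then put the deny back at the end.
EDIT_SEQUENCE = [
    "access-list 100 permit tcp any any eq telnet", "access-list 100 permit tcp any any eq www",
    "access-list 100 permit tcp any any eq ftp", "access-list 100 deny ip any any",
    "no access-list 100 line 4 deny ip any any",
    "access-list 100 line 2 permit tcp any any eq smtp", "access-list 100 deny ip any any",
]
# Constructed pitfall: appending a permit while 'deny ip any any' is still the last line.
PITFALL_SEQUENCE = EDIT_SEQUENCE[:4] + ["access-list 100 permit tcp any any eq smtp"]
```

`replay(EDIT_SEQUENCE).show()` reproduces the five-line listing from the post, while `replay(PITFALL_SEQUENCE).shadowed()` reports line 5 as unreachable.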

