Last weekend we ran into an ACL problem on a PIX 501 (running OS 6.3(4)). A colleague of mine needed to add a rule to the ACL applied to the outside interface. He isn't used to handling a PIX, so he did what he normally does on a Cisco device, which is to issue a "no access-list outside-acl" and then recreate the ACL with all the previous rules in it. (He does this in one paste.)
On the PIX, however, this produced some problems. Seemingly, everything was pasted OK (read: no errors reported), but afterwards my colleague noticed problems with connectivity through the firewall. He didn't troubleshoot this further; he just reloaded the PIX, which fixed the issue. He then called me to ask what to do, and I had him add the rule the way I'm used to doing it, which is to prepare one paste that adds the rule, removes the deny any any and re-adds the deny any any (moving it back to the end). There might be better ways to do this (feel free to suggest some, thanks).
My question is now: does anybody have any idea what might have caused the connectivity issues? I am *guessing* that doing a "no access-list acl-outside" not only removed the ACL, but also removed the ACL named "acl-outside" from being applied to the outside interface. That way, after recreating the ACL, the ACL was there, but it wasn't applied on any interface.
That is just my guess though; does anyone with more PIX experience agree or disagree with this?
Thanks in advance for the feedback.
With kind regards,
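As an added illustration of the one-paste procedure described in the post (not the original poster's configuration), this is what such a paste could look like on PIX 6.3, with the access-group binding re-asserted and a show access-group check that confirms whether the ACL is actually bound to the outside interface, which is what the "no longer applied" guess hinges on. The ACL name acl-outside is taken from the post; the permit rule and the host address are constructed.

```cisco
! Constructed example for PIX 6.3: append a new rule while keeping the
! explicit catch-all deny at the end of the list, all in one paste.
! ACL name from the post; rule and address 203.0.113.10 are constructed.
access-list acl-outside permit tcp any host 203.0.113.10 eq www
! Move the catch-all deny back to the end so the new rule is evaluated.
no access-list acl-outside deny ip any any
access-list acl-outside deny ip any any
! Re-assert the inbound binding on the outside interface. If the binding
! survived, this simply restates it; if it was dropped, this restores it.
access-group acl-outside in interface outside
! Verify the binding and watch the hit counters on the new entry.
show access-group
show access-list acl-outside
```

Running show access-group before and after a "no access-list" on a lab unit is the quickest way to settle whether the binding disappears along with the list.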