Cisco Support Community
New Member

Adding access-list entries

Again, Pix 506 5.2(6):

To this point I will need to manually enter my DENY access-list statements on my 506 as we do not currently utilize any type of IDS.

In my initial config, I had 1 DENY rule, followed by 5 PERMIT rules and then of course bound to the access-group.

If I need to add a new IP to block, do I really need to completely blow away my pix config and reconfig to add a new DENY rule?

Or since I have a deny rule (first on the list, of course) already in place, will the PIX automatically add it to the beginning of the rules with my other DENY rule(s)?


Re: Adding access-list entries

Unfortunately, in the version you are running, you will need to blow away your existing ACL and add it back (with the new deny rule before the more general permit).

It sounds like you should seriously consider upgrading to the latest 6.3 image. There you can use the 'line numbering' feature in the ACLs whereby you can add a new ACE in anywhere you want in the ACL just by specifying the line number.

More info here:


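An added example, not code from the thread or from Cisco: a small Python model of first-match ACL evaluation that shows why a DENY appended 5.2-style after the PERMIT entries never matches, while a 6.3-style line insertion puts it ahead of the permit it must override. The networks are constructed RFC 5737 documentation ranges chosen to mirror the "1 deny, 5 permits" layout in the question.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network


class Acl:
    """First-match access list, evaluated top to bottom, implicit deny at the end."""

    def __init__(self):
        self.entries = []

    def append(self, action, src):
        # PIX 5.2 behaviour: every new 'access-list' command lands at the end
        self.entries.append(Ace(action, ipaddress.IPv4Network(src)))

    def insert_at_line(self, line, action, src):
        # PIX 6.3 'access-list NAME line N ...': 1-based position in the list
        self.entries.insert(line - 1, Ace(action, ipaddress.IPv4Network(src)))

    def evaluate(self, src_ip):
        """Return (action, matching line number); None line means the implicit deny."""
        ip = ipaddress.IPv4Address(src_ip)
        for line, ace in enumerate(self.entries, start=1):
            if ip in ace.src:
                return ace.action, line
        return "deny", None


def build_initial_acl():
    # Constructed layout: one deny first, then five permits (documentation ranges)
    acl = Acl()
    acl.append("deny", "203.0.113.5/32")
    for net in ("198.51.100.0/24", "192.0.2.0/25", "192.0.2.128/25",
                "203.0.113.0/25", "203.0.113.128/25"):
        acl.append("permit", net)
    return acl


def appended_deny_is_shadowed():
    acl = build_initial_acl()
    acl.append("deny", "198.51.100.77/32")   # 5.2 style: sits after the permits
    return acl.evaluate("198.51.100.77")     # still permitted by line 2


def line_inserted_deny_works():
    acl = build_initial_acl()
    acl.insert_at_line(2, "deny", "198.51.100.77/32")   # 6.3 style: ahead of the permit
    return acl.evaluate("198.51.100.77")
```

Running the two functions side by side reproduces the answer above: on 5.2 the only way to get the new deny ahead of the permits is to clear the list and re-enter it in the right order.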

New Member

Re: Adding access-list entries

I would love to, unfortunately this was a preowned appliance we purchased and we do not have a CCO Service Contract.

We also purchased a 2924XL managed switch at the time and were able to upgrade that software image with no problem to the current WC17... As you know, the PIX images are harder to come by.

My gratitude for your reply!


Re: Adding access-list entries

Without a contract, you could always purchase the software upgrade. Cisco has a part number for that.

Just another thought :-)