Need PIX 501 access-list change help

miked_187
Level 1

I need to change:

access-list <name> permit ip host 192.168.1.2 192.168.50.0 255.255.255.0

to

access-list <name> permit ip host 192.168.1.8 192.168.50.0 255.255.255.0

Wondering if someone could give me the command syntax or steps to get this done, even a pointer to a webpage showing just how to do this would be great. The manual just isn't cutting it for me for whatever reason, and nothing specifically on how to do this shows up in a Google search. Never worked with a PIX before, totally different beast.

Thanks in advance


9 Replies

Jouni Forss
VIP Alumni

Hi,

Ok, here is what you could do

Use the following commands to view on what line of the ACL the current rule is

show access-list

or

show access-list | inc 192.168.1.2

Now check the line number of the old rule

Then use the current line number in the below command

access-list <name> line <line number> permit ip host 192.168.1.8 192.168.50.0 255.255.255.0

After this you can simply check that the new rule is getting hits. Test the connection and use the command

show access-list | inc line <line number>

Then you can simply remove the old rule with the below command

no access-list <name> permit ip host 192.168.1.2 192.168.50.0 255.255.255.0

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if this didn't solve your problem.

- Jouni

Thanks for the detailed reply Jouni, I'm off to do this now - is there a save/commit action that I need in order to make the changes stick?

Hi,

The command to save the configuration is

write memory

I've gotten used to writing it as

wr mem

What is your PIX firewall software level?

You can check that from the output of the command

show version

- Jouni
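The procedure laid out in this thread (find the line of the old rule, insert the new ACE at that line, confirm it gets hits, remove the old ACE, then save) as an added Python example; it is not code from the thread or from Cisco. It parses constructed PIX 6.3 `show access-list` output and emits the command sequence; the ACL name `inside_out`, the unrelated ACEs and the exact output layout are assumptions.

```python
import re
# Constructed samples of PIX 6.3 "show access-list" output (not from the thread);
# the ACL name "inside_out" and the unrelated ACEs are assumptions.
SHOW_BEFORE = """\
access-list inside_out; 3 elements
access-list inside_out line 1 permit tcp any host 192.168.50.10 eq www (hitcnt=42)
access-list inside_out line 2 permit ip host 192.168.1.2 192.168.50.0 255.255.255.0 (hitcnt=17)
access-list inside_out line 3 deny ip any any (hitcnt=3)
"""
# Constructed output after inserting the new ACE at line 2 and testing traffic.
SHOW_AFTER = """\
access-list inside_out; 4 elements
access-list inside_out line 1 permit tcp any host 192.168.50.10 eq www (hitcnt=42)
access-list inside_out line 2 permit ip host 192.168.1.8 192.168.50.0 255.255.255.0 (hitcnt=5)
access-list inside_out line 3 permit ip host 192.168.1.2 192.168.50.0 255.255.255.0 (hitcnt=17)
access-list inside_out line 4 deny ip any any (hitcnt=3)
"""
OLD_RULE = "permit ip host 192.168.1.2 192.168.50.0 255.255.255.0"
NEW_RULE = "permit ip host 192.168.1.8 192.168.50.0 255.255.255.0"
ACE_RE = re.compile(r"^access-list (\S+) line (\d+) (.+?) \(hitcnt=(\d+)\)$")

def parse_access_list(text):
    """Return (name, line, rule, hits) per ACE; the summary header is skipped."""
    entries = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            name, line, rule, hits = m.groups()
            entries.append((name, int(line), rule, int(hits)))
    return entries

def find_rule(entries, rule):
    """Return the ACE tuple whose rule text matches exactly, or None."""
    return next((e for e in entries if e[2] == rule), None)

def plan_replacement(show_output, old_rule, new_rule):
    """Commands from the thread: insert the new ACE at the old rule's line
    (the old one shifts down), then remove the old ACE and save."""
    old = find_rule(parse_access_list(show_output), old_rule)
    if old is None:
        raise ValueError("old rule not found in ACL")
    return ["configure terminal",
            f"access-list {old[0]} line {old[1]} {new_rule}",
            f"no access-list {old[0]} {old_rule}",
            "write memory"]

def new_rule_has_hits(show_output, new_rule):
    """True once the inserted ACE shows hitcnt > 0, i.e. it is safe to remove the old one."""
    e = find_rule(parse_access_list(show_output), new_rule)
    return e is not None and e[3] > 0
```

Run `plan_replacement` against the real `show access-list` output first, and only issue the `no access-list` line once `new_rule_has_hits` is true for the post-insert output.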

Cisco PIX Firewall Version 6.3(5)

Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

Hi,

Wrong configuration mode.

You need to enter

configure terminal

or shorter with

conf t

Then you should be at

pixfirewall(config)#

In this mode you change settings

The mode you were in is mostly meant for viewing settings.

Your software level is pretty old and the device you are using is already a very old device that is not sold anymore. So your software also has some different CLI behaviour compared to the new software levels.

- Jouni

wonky stuff

I'm logged into the PIX via the console cable and putty.

I see the $ prompt, respond with 'en' and the password, get to the # prompt. All is well so far.

when I enter:

access-list line 1 permit ip host 192.168.1.8 192.168.50

at that point the command I'm entering seems to slide to the L into the cursor to the point of 'permit ...' and I get a $ prompt again - I see the following:

pixfirewall# $ permit ip host 192.168.1.8 192.168.50.0 255.255.255.0

and I enter in the remaining part of the command: .0 255.255.255.0 and then hit enter. I get back:

pixfirewall# access-list line 1 permit ip host 192.168.1.8 192.168.50$

Type help or '?' for a list of available commands.

I've tried changing the putty window width but no luck. The docs say "PIX Firewall permits up to 512 characters in a command" and I'm well under that - Suggestions?

Ok, that's got it I think. Popped out of configure mode and did another show access-list and things look right.

Thanks so much for your help, very appreciated

Hi,

Good to hear.

Please do remember to mark a reply as the correct answer if it answered your question

- Jouni

done
