10-03-2007 05:50 AM - edited 03-11-2019 04:19 AM
Been a while since I had to config a pix. When an access-list exists and is attached to an interface with the access-group command, what are the rules for adding a line to the list? Can I just add a line - where in the list does it end up? There is no deny all explicitly configured in the access-list.
10-03-2007 10:39 AM
Hi
On pix v6.x you can delete an individual line within the access-list and it won't delete the access-list.
Jon
10-03-2007 06:02 AM
Hi
You don't say which version of software is on the Pix, but assuming v6.x onwards.
Do a "sh access-list name_of_access-list"
When you view the output it will have line numbers included. So to insert a rule to allow icmp from any to any at line 2 of your access-list:
access-list name_of_access-list line 2 permit icmp any any
HTH
Jon
10-03-2007 10:31 AM
And if there is already a line 2 it slides all the other rules down one?
10-03-2007 10:39 AM
Yes, exactly.
10-03-2007 08:08 AM
The rules are: add a line OK. Delete a line = bad. It will wipe out your ACL and remove the access-group from the interface.
Copy your existing ACL into a text editor and add the additional line just to be safe. It is okay to copy everything back, it won't affect anything this way. And there is a Deny all at the end but you may not see it.
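As an added illustration of the two points made in this thread (the "line N" insert in Jon's answer pushing later lines down, and the invisible deny-all at the end mentioned above), here is a small Python model of a PIX line-numbered access-list. It is not code from the thread or from Cisco; the rule fields are simplified to protocol/source/destination with "any" wildcards, and a line number past the end is assumed to append.

```python
# Added example: models 'access-list NAME [line N] permit|deny PROTO SRC DST'
# ordering and first-match evaluation with the implicit deny at the end.
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str  # "permit" or "deny"
    proto: str   # "icmp", "tcp", "udp" or "ip" (ip matches every protocol)
    src: str     # address or "any"
    dst: str     # address or "any"

    def matches(self, proto, src, dst):
        return (self.proto in ("ip", proto)
                and self.src in ("any", src)
                and self.dst in ("any", dst))

@dataclass
class AccessList:
    name: str
    rules: list = field(default_factory=list)

    def add(self, rule, line=None):
        """No line number appends at the end; 'line N' inserts at N and the
        existing line N (and everything after it) slides down by one.
        A line number past the end is assumed to behave like an append."""
        if line is None or line > len(self.rules):
            self.rules.append(rule)
        else:
            self.rules.insert(line - 1, rule)

    def show(self):
        """Mimic the 1-based numbering of 'sh access-list NAME'."""
        return [f"access-list {self.name} line {i} {r.action} {r.proto} {r.src} {r.dst}"
                for i, r in enumerate(self.rules, 1)]

    def evaluate(self, proto, src, dst):
        """First matching line wins; anything unmatched hits the implicit deny,
        which never shows up in 'sh access-list'."""
        for i, r in enumerate(self.rules, 1):
            if r.matches(proto, src, dst):
                return r.action, i
        return "deny", None

def demo():
    # Constructed sample ACL: a permit, a deny, then an insert at line 2.
    acl = AccessList("outside_in")
    acl.add(Rule("permit", "tcp", "any", "10.1.1.5"))     # becomes line 1
    acl.add(Rule("deny", "icmp", "any", "any"))           # becomes line 2
    acl.add(Rule("permit", "icmp", "any", "any"), line=2)  # old line 2 -> line 3
    return acl
```

Run `demo().show()` to see the shifted numbering; note that the old line 2 (deny icmp) is now shadowed by the inserted permit, and udp traffic falls through to the implicit deny.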