New Member

Adding a single line to an existing named access list

If a named access list already exists can I add an additional line to it without over writing the entire access list?

Paul

3 REPLIES
New Member

Re: Adding a single line to an existing named access list

You can use PDM to insert the new rule into any location you wish.

If you want to do it via the CLI, then this is how I suggest doing it.

If you have an access-list called permitout and you issue the following:

access-list permitout permit tcp any any eq tftp

The new rule will be put at the bottom of the access list. To insert it where you want via the command line, do this:

1) Copy your config to a text file.

2) From your text file copy all the rules associated with the access-list to a separate text file.

3) Insert the rule into the access-list where you want it.

4) On the firewall, issue the no access-list

5) From the text file that has your access-list with the new entry, copy all the text and paste it to the command line of the firewall.

6) Issue the command access-group in interface

This will disrupt traffic for a few seconds, so do it after hours. The easiest and least disruptive way is via the PDM.

If anyone else has other ways of inserting them into specific locations via the CLI, I’d love to hear them.

New Member

Re: Adding a single line to an existing named access list

Depending on the version of your PIX IOS, if you type the command "show access-list" you will see the access-list along with numbers in each line.

For example, on my firewall:

pix# sh access-list ACL_TEST
access-list ACL_TEST; 6 elements
access-list ACL_TEST line 1 permit icmp any any echo (hitcnt=0)
access-list ACL_TEST line 2 permit icmp any any echo-reply (hitcnt=166894)
access-list ACL_TEST line 3 permit icmp any any time-exceeded (hitcnt=0)
access-list ACL_TEST line 4 permit icmp any any unreachable (hitcnt=177)
access-list ACL_TEST line 6 deny ip any any log 6 interval 300 (hitcnt=336)

So, depending on which line I want to add something "above", I type my ACL entry with a line number.

To be more specific, suppose I wanted to permit ftp from any to any and add it before the last line; I would type

"access-list ACL_TEST line 6 permit tcp any any eq ftp"
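As an added example (not code from the thread or from Cisco), the following Python script shows both methods described above on the show access-list output quoted in this thread: it parses the numbered entries, builds the "access-list NAME line N RULE" insert command from the second reply, simulates the resulting rule order so you can confirm the explicit deny stays last, and also generates the "no access-list / re-paste / access-group" rebuild sequence from the first reply. The sample output is the thread's own, embedded here as constructed input; the interface name "outside" is an assumed placeholder, and the renumbering after an insert is simulated, not read back from a device.

```python
import re

# Constructed sample input: the 'show access-list ACL_TEST' output quoted in the thread.
SHOW_ACL_OUTPUT = """\
access-list ACL_TEST; 6 elements
access-list ACL_TEST line 1 permit icmp any any echo (hitcnt=0)
access-list ACL_TEST line 2 permit icmp any any echo-reply (hitcnt=166894)
access-list ACL_TEST line 3 permit icmp any any time-exceeded (hitcnt=0)
access-list ACL_TEST line 4 permit icmp any any unreachable (hitcnt=177)
access-list ACL_TEST line 6 deny ip any any log 6 interval 300 (hitcnt=336)
"""

# One numbered entry: name, line number, the rule text, and the hit counter.
LINE_RE = re.compile(r"^access-list (\S+) line (\d+) (.*?)\s*\(hitcnt=(\d+)\)$")


def parse_show_access_list(text):
    """Return (acl_name, [(line_no, rule_text, hitcnt), ...]) from 'show access-list' output.

    The '; N elements' summary line and any unparsed lines are skipped.
    """
    name, entries = None, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        name = m.group(1)
        entries.append((int(m.group(2)), m.group(3), int(m.group(4))))
    if name is None:
        raise ValueError("no numbered access-list entries found")
    return name, entries


def insert_command(name, entries, new_rule, before_line):
    """Build the CLI command that inserts new_rule in front of the entry numbered before_line.

    Refuses line numbers that do not appear in the parsed output, so a typo cannot
    silently append the rule at the bottom (after the deny) instead of above it.
    """
    if not any(n == before_line for n, _, _ in entries):
        raise ValueError(f"line {before_line} is not present in {name}")
    return f"access-list {name} line {before_line} {new_rule}"


def simulate_insert(entries, new_rule, before_line):
    """Return the rule order the firewall evaluates after the insert (sequence only)."""
    order = []
    for n, rule, _ in entries:
        if n == before_line:
            order.append(new_rule)
        order.append(rule)
    return order


def ends_with_explicit_deny(rules):
    """Check that the final rule is still the explicit 'deny ip any any' catch-all."""
    return bool(rules) and rules[-1].startswith("deny ip any any")


def rebuild_commands(name, rules, interface):
    """Generate the first reply's rebuild sequence: clear the ACL, re-paste it, re-bind it.

    'interface' is an assumed placeholder; substitute the interface the ACL is applied to.
    """
    cmds = [f"no access-list {name}"]
    cmds += [f"access-list {name} {rule}" for rule in rules]
    cmds.append(f"access-group {name} in interface {interface}")
    return cmds


if __name__ == "__main__":
    acl, entries = parse_show_access_list(SHOW_ACL_OUTPUT)
    new_rule = "permit tcp any any eq ftp"
    print(insert_command(acl, entries, new_rule, 6))
    order = simulate_insert(entries, new_rule, 6)
    print("deny still last:", ends_with_explicit_deny(order))
    print("\n".join(rebuild_commands(acl, order, "outside")))
```

The script only prepares and checks commands; paste them into the firewall yourself, and re-run show access-list afterwards to confirm the line numbers the device actually assigned.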

New Member

Re: Adding a single line to an existing named access list

Sweet!!

Thanks to both.

Paul
