04-08-2006 03:58 PM - edited 02-20-2020 09:36 PM
Hello All,
Given an existing list of ACLs on a PIX515 on 6.3 I need to make additional changes. If I begin to add to the already existing ACLs will this erase the existing ACL?
If I want to create a new ACL will this affect the already existing ACLs?
Thanks for your suggestions.
Keith
04-08-2006 08:23 PM
Keith,
If you have an existing ACL you will be able to continue to add lines to it without a problem. Now I can't remember if 6.3.x, but I know in 6.3.4 you can insert lines anywhere into the ACL.
Example:
sh access-list 100
OUTPUT:
access-list 100 line 1 permit tcp any any eq www
access-list 100 line 2 permit tcp any any eq ftp
access-list 100 line 3 deny ip any any
Let's say I would like to insert a line for telnet before the web traffic without having to paste the entire ACL. I would simply type in the following line.
access-list 100 line 1 permit tcp any any eq telnet
My new acl would look like this:
sh access-list 100
access-list 100 line 1 permit tcp any any eq telnet
access-list 100 line 2 permit tcp any any eq www
access-list 100 line 3 permit tcp any any eq ftp
access-list 100 line 4 deny ip any any
Now let's say I need to get rid of the ftp. I would type in the following.
no access-list 100 line 3 permit tcp any any eq ftp
My ACL now looks like this:
sh access-list
access-list 100 line 1 permit tcp any any eq telnet
access-list 100 line 2 permit tcp any any eq www
access-list 100 line 3 deny ip any any
Patrick Laidlaw
Please rate any posts that were helpful.
04-10-2006 11:26 AM
You can add other access-list lines without any problem; just take care that there is no < deny ip any any > at the end.
If you remove all access-list lines then the access-group will also be removed and you have to re-add that command to apply the access-list on an interface.
Examples:
show access-list 100
# access-list 100 line 1 permit tcp any any eq telnet
# access-list 100 line 2 permit tcp any any eq www
# access-list 100 line 3 permit tcp any any eq ftp
# access-list 100 line 4 deny ip any any
no access-list 100 line 4 deny ip any any
show access-list 100
# access-list 100 line 1 permit tcp any any eq telnet
# access-list 100 line 2 permit tcp any any eq www
# access-list 100 line 3 permit tcp any any eq ftp
access-list 100 line 2 permit tcp any any eq smtp
access-list 100 deny ip any any
show access-list 100
# access-list 100 line 1 permit tcp any any eq telnet
# access-list 100 line 2 permit tcp any any eq smtp
# access-list 100 line 3 permit tcp any any eq www
# access-list 100 line 4 permit tcp any any eq ftp
# access-list 100 line 5 deny ip any any
show access-group
wr mem
See also:
sincerely
Patrick
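An added example, not part of either reply and not Cisco's code: a small Python model of the PIX 6.3.x line-numbered access-list editing both answers describe (an ACE inserted at line N shifts the later lines down, "no access-list ... line N ..." removes that entry and renumbers the rest, an ACE with no line number is appended at the end, and the access-group binding disappears when the last line is removed), plus a check for the "deny ip any any at the end" caveat from the second reply. The ACL number, the entries and the "in interface outside" binding label are constructed sample data; this is for sanity-checking a change on paper before typing it on the firewall.

```python
import re
from dataclasses import dataclass, field

# Constructed model of PIX 6.3.x ACL editing as described in the thread; not PIX code.
CATCH_ALL = {"deny ip any any", "permit ip any any"}  # anything after one of these is never evaluated

_CMD = re.compile(
    r"^(?P<no>no\s+)?access-list\s+(?P<acl>\S+)\s+"
    r"(?:line\s+(?P<line>\d+)\s+)?(?P<ace>(?:permit|deny)\s.+)$"
)


@dataclass
class PixAcl:
    name: str
    entries: list = field(default_factory=list)        # ordered ACEs, e.g. "permit tcp any any eq www"
    access_groups: list = field(default_factory=list)  # where the ACL is applied (assumed labels)

    def apply(self, command: str) -> None:
        """Apply one 'access-list' or 'no access-list' CLI line to the model."""
        m = _CMD.match(command.strip())
        if not m or m.group("acl") != self.name:
            raise ValueError(f"not an access-list command for {self.name}: {command!r}")
        line = int(m.group("line")) if m.group("line") else None
        if line is not None and line < 1:
            raise ValueError("line numbers start at 1")
        ace = " ".join(m.group("ace").split())

        if m.group("no"):
            # Removal: if a line number is given it must hold exactly that ACE.
            if line is None:
                if ace not in self.entries:
                    raise ValueError(f"{ace!r} is not in access-list {self.name}")
                idx = self.entries.index(ace)
            else:
                idx = line - 1
                if idx >= len(self.entries) or self.entries[idx] != ace:
                    raise ValueError(f"line {line} does not contain {ace!r}")
            del self.entries[idx]                  # later lines renumber automatically
            if not self.entries:
                self.access_groups.clear()         # PIX drops the access-group when the ACL empties
        elif line is None:
            self.entries.append(ace)               # no line number: appended at the end
        else:
            self.entries.insert(line - 1, ace)     # inserted; existing lines shift down

    def show(self) -> list:
        """Render the ACL the way 'show access-list <n>' prints it on PIX 6.3."""
        return [f"access-list {self.name} line {i} {ace}" for i, ace in enumerate(self.entries, 1)]

    def unreachable(self) -> list:
        """Line numbers shadowed by an earlier catch-all ACE (the caveat in the second reply)."""
        for i, ace in enumerate(self.entries, 1):
            if ace in CATCH_ALL:
                return list(range(i + 1, len(self.entries) + 1))
        return []


# Constructed starting ACL, matching the one shown in the first reply after the telnet insert.
TELNET, WWW, FTP, SMTP, DENY = (
    "permit tcp any any eq telnet", "permit tcp any any eq www",
    "permit tcp any any eq ftp", "permit tcp any any eq smtp", "deny ip any any",
)


def first_reply() -> list:
    """Insert telnet at line 1, then remove the ftp line, as in the first reply."""
    acl = PixAcl("100", [WWW, FTP, DENY])
    acl.apply("access-list 100 line 1 permit tcp any any eq telnet")
    acl.apply("no access-list 100 line 3 permit tcp any any eq ftp")
    return acl.show()


def second_reply() -> PixAcl:
    """Drop the trailing deny, insert smtp at line 2, re-add the deny at the end."""
    acl = PixAcl("100", [TELNET, WWW, FTP, DENY], access_groups=["in interface outside"])
    for cmd in ("no access-list 100 line 4 deny ip any any",
                "access-list 100 line 2 permit tcp any any eq smtp",
                "access-list 100 deny ip any any"):
        acl.apply(cmd)
    return acl


def append_after_deny() -> list:
    """The mistake the second reply warns about: appending a permit below the catch-all deny."""
    acl = PixAcl("100", [TELNET, WWW, FTP, DENY])
    acl.apply("access-list 100 permit tcp any any eq smtp")
    return acl.unreachable()


def remove_everything() -> list:
    """Removing the last line also drops the access-group binding."""
    acl = PixAcl("100", [WWW], access_groups=["in interface outside"])
    acl.apply("no access-list 100 line 1 permit tcp any any eq www")
    return acl.access_groups


if __name__ == "__main__":
    print("\n".join(first_reply()))
    print("\n".join(second_reply().show()))
    print("shadowed lines after appending below the deny:", append_after_deny())
    print("access-groups after emptying the ACL:", remove_everything())
```

Running the script replays both replies' command sequences and reports which line numbers would be dead if a new permit were appended below the "deny ip any any" instead of being inserted above it; the same check is worth running on any edit that leaves the catch-all line where it is.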