
Editing existing ACLs

Hello All,

Given an existing list of ACLs on a PIX 515 running 6.3, I need to make additional changes. If I begin to add to the already existing ACLs, will this erase the existing ACL?

If I want to create a new ACL, will this affect the already existing ACLs?

Thanks for your suggestions.

Keith

2 Replies

Patrick Laidlaw
Level 4

Keith,

If you have an existing ACL, you will be able to continue to add lines to it without a problem. Now I can't remember about 6.3.x, but I know in 6.3.4 you can insert lines anywhere into the ACL.

Example:

sh access-list 100

OUTPUT:

access-list 100 line 1 permit tcp any any eq www
access-list 100 line 2 permit tcp any any eq ftp
access-list 100 line 3 deny ip any any

Let's say I would like to insert a line for telnet before the web traffic without having to paste the entire ACL. I would simply type in the following line.

access-list 100 line 1 permit tcp any any eq telnet

My new ACL would look like this:

sh access-list 100

access-list 100 line 1 permit tcp any any eq telnet
access-list 100 line 2 permit tcp any any eq www
access-list 100 line 3 permit tcp any any eq ftp
access-list 100 line 4 deny ip any any

Now let's say I need to get rid of the ftp line. I would type in the following.

no access-list 100 line 3 permit tcp any any eq ftp

My ACL now looks like this:

sh access-list

access-list 100 line 1 permit tcp any any eq telnet
access-list 100 line 2 permit tcp any any eq www
access-list 100 line 3 deny ip any any

Patrick Laidlaw

Please rate any posts that were helpful.

You can add other access-list lines without any problem; just take care that there is no < deny ip any any > at the end.

If you remove all access-list lines, then the access-group will also be removed and you have to re-add that command to apply the access-list on an interface.

Examples:

show access-list 100

# access-list 100 line 1 permit tcp any any eq telnet
# access-list 100 line 2 permit tcp any any eq www
# access-list 100 line 3 permit tcp any any eq ftp
# access-list 100 line 4 deny ip any any

no access-list 100 line 4 deny ip any any

show access-list 100

# access-list 100 line 1 permit tcp any any eq telnet
# access-list 100 line 2 permit tcp any any eq www
# access-list 100 line 3 permit tcp any any eq ftp

access-list 100 line 2 permit tcp any any eq smtp
access-list 100 deny ip any any

show access-list 100

# access-list 100 line 1 permit tcp any any eq telnet
# access-list 100 line 2 permit tcp any any eq smtp
# access-list 100 line 3 permit tcp any any eq www
# access-list 100 line 4 permit tcp any any eq ftp
# access-list 100 line 5 deny ip any any

show access-group

wr mem

See also:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#wp1067755

Sincerely,

Patrick
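The line-number editing rules shown in both replies, modelled as an added Python example (not code from the thread or from Cisco): it replays the first reply's edit sequence, renders the numbered listing, and flags any entry that lands after the catch-all "deny ip any any", which is the second reply's warning. The command parsing and the behaviour of "no" are assumptions taken from the transcripts above.

```python
import re

# Added example (not from the thread or from Cisco) modelling the PIX 6.3
# editing rules the replies show: 'line K' inserts before the current line K,
# no 'line' appends, 'no ...' removes, listing is renumbered. Parsing is assumed.
LINE_RE = re.compile(r"^(no\s+)?access-list\s+(\S+)\s+(?:line\s+(\d+)\s+)?(.+)$")


class PixAcl:
    """Entries of one access-list, kept in evaluation order."""

    def __init__(self, name):
        self.name = name
        self.entries = []  # ACE strings such as "permit tcp any any eq www"

    def apply(self, cmd):
        """Apply one configuration line the way the PIX CLI would."""
        m = LINE_RE.match(cmd.strip())
        if not m or m.group(2) != self.name:
            raise ValueError(f"not a command for access-list {self.name}: {cmd}")
        negate, _name, line, ace = m.groups()
        if negate:
            # 'no access-list 100 line 3 permit ...' removes the matching ACE text.
            self.entries.remove(ace)
        elif line:
            # Inserting at line K pushes the existing line K and later down.
            self.entries.insert(int(line) - 1, ace)
        else:
            self.entries.append(ace)

    def show(self):
        """Render like 'show access-list', with contiguous line numbers."""
        return [f"access-list {self.name} line {i} {ace}"
                for i, ace in enumerate(self.entries, start=1)]

    def shadowed(self):
        """ACEs after 'deny ip any any': they can never match (second reply's caveat)."""
        for i, ace in enumerate(self.entries):
            if ace == "deny ip any any":
                return self.entries[i + 1:]
        return []


def walkthrough():
    """Replay the first reply's edit sequence and return the resulting ACL."""
    acl = PixAcl("100")
    for cmd in ["access-list 100 permit tcp any any eq www", "access-list 100 permit tcp any any eq ftp",
                "access-list 100 deny ip any any", "access-list 100 line 1 permit tcp any any eq telnet",
                "no access-list 100 line 3 permit tcp any any eq ftp"]:
        acl.apply(cmd)
    return acl
```

Appending a permit without a line number while the deny is still last shows up in `shadowed()`, which is the check to run before `wr mem`.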
