Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

How to edit Pix ACL

Status
Not open for further replies.
pirateclem

pirateclem

Technical User
Feb 4, 2005
68
US
I am running PIX 6.3(3) on a 515 failover bundle. I am used to editing ACL's on routers but this seems a bit different. In using an extended dynamic ACL I am used to line numbering 10-20-30 etc... so if I wanted to remove a line I could type:
no access-list inbound 10

and line 10 would be gone. If I wanted to insert a line I could put

access-list inbound 15 tcp any any eq domain

and this would slip in the middle of 10 and 20.

My pix however, when I do a:

sh access-list dmz

gives me a numbered list with line numbers 1,2,3 etc.

So, what can I do to remove single lines from my PIX acl or insert single lines?

Need help quick so I can get this done today. Thanks.
 
Sort by date Sort by votes
to remove the line just copy and paste it in with 'no' at the front
 
Upvote 0 Downvote
Sean, thanks for the advice. To anyone else, I got it figured out today. Simple but different from a router a bit. I can't belive that after scouring the web and cisco's site I could find nothing about editing ACL's on a PIX. Lots of stuff on making new ACL's but not editing an existing one. The most annoying thing was calling TAC, getting a call right back (yeah, not that important but I really needed to do it today) but I could not understand a word the engineer said. I have no problem against anyone from other countries but if I am paying for TAC support please give me someone I can talk to. I finally just terminaled to the firewall and figured it out hacking at it. For anyone else that needs assitance with this:


#sh access-list NAME

//will list acl with line numbers

//after listing modify

#conf t
#(conf)no access-list dmz line 40 deny ip any any

//this will remove line 40 the lines below that will move
//up in the numbered order after you ^Z
//while editing you can keep adding or removing lines
//based upon the numbers seen above and their
//respective positions

#(conf)access-list dmz line 10 permit ip any any

//this will place the above line at line 10 and renumbers
//line 10 to line 11 and all following
//lines increment by 1

//when done making changes and all is copacetic

#wr mem

//will wr the current RAM configuration to boot Flash RAM
 
Upvote 0 Downvote
You'll get a survey via e-mail from TAC to rate your support experience -- just give the tech extremely low marks. You may very well get a call back from a manager to find out what the problem was.

Cisco seems to take those things pretty seriously...
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Miluis
  • Locked
  • Question
How necessary is an antivirus?
Replies
3
Views
314
Rick998
Rick998
Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
1K
Sameer258
Sameer258
tklamb
  • Locked
  • Question
ACL help
Replies
0
Views
215
tklamb
tklamb
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
811
Johnkite
Johnkite
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
261
brownmab53
brownmab53

Part and Inventory Search

Sponsor

Back
Top