https://community.cisco.com/t5/network-security/pix-515e-acls/m-p/393670#M551636 <P>What is the best way and recommended way to create an ACL to deny incoming traffic from certain internet hosts? (Spammers, Malwares, etc)</P><P></P><P>Create a network-group and add their IPs to that group one at a time. Deny this group from the outside interface?</P><P></P><P>Any pointer is appreciated. By the way, how do you guys create/modify acl entries when there are entries in the acl already and you want to put the new line at the top or in the middle or something. Is using a telnet client with cut and paste functionality the only way?</P><P></P><P>Thanks, Eric</P><P></P><P></P><P></P><P></P><P></P> Fri, 21 Feb 2020 07:55:53 GMT ewong0088 2020-02-21T07:55:53Z https://community.cisco.com/t5/network-security/pix-515e-acls/m-p/393670#M551636 <P>What is the best way and recommended way to create an ACL to deny incoming traffic from certain internet hosts? (Spammers, Malwares, etc)</P><P></P><P>Create a network-group and add their IPs to that group one at a time. Deny this group from the outside interface?</P><P></P><P>Any pointer is appreciated. By the way, how do you guys create/modify acl entries when there are entries in the acl already and you want to put the new line at the top or in the middle or something. Is using a telnet client with cut and paste functionality the only way?</P><P></P><P>Thanks, Eric</P><P></P><P></P><P></P><P></P><P></P> Fri, 21 Feb 2020 07:55:53 GMT https://community.cisco.com/t5/network-security/pix-515e-acls/m-p/393670#M551636 ewong0088 2020-02-21T07:55:53Z https://community.cisco.com/t5/network-security/pix-515e-acls/m-p/393671#M551637 <HTML><HEAD></HEAD><BODY><P>Eric,</P><P></P><P>I would go with Object-grouping method, on you question for ACL editing, I write my ACLs on notepad editor and then cut/paste back onto the firewall. This way any mistakes can be rectified before going live!</P><P></P><P>Hope this helps.</P><P></P><P>Jay</P></BODY></HTML> Thu, 10 Feb 2005 12:58:18 GMT https://community.cisco.com/t5/network-security/pix-515e-acls/m-p/393671#M551637 jmia 2005-02-10T12:58:18Z https://community.cisco.com/t5/network-security/pix-515e-acls/m-p/393672#M551638 <HTML><HEAD></HEAD><BODY><P>AFAIK, there isn't any direct possibility how to edit entries/lines in ACLs. There are not line numbers or something similar. So if you made a mistake you have to start it all over.</P><P></P><P>I tried to write ACL in editor(like notepad) and then passed it to firewall. I found that this is not possible(I didn't work for me; maybe I am not clever though ;o)</P></BODY></HTML> Thu, 10 Feb 2005 13:31:15 GMT https://community.cisco.com/t5/network-security/pix-515e-acls/m-p/393672#M551638 morbfrhtc 2005-02-10T13:31:15Z https://community.cisco.com/t5/network-security/pix-515e-acls/m-p/393673#M551641 <HTML><HEAD></HEAD><BODY><P>morbfrhtc</P><P>Sorry to have to correct you but you can edit ACL's in the manner that ewong0088 has specified.</P><P></P><P>ewong0088</P><P></P><P>Look at the example below which will hopefully clarify matters.</P><P></P><P>sh access-list inside_access_in</P><P></P><P>access-list inside_access_in line 1 permit tcp any host ukjpm001 eq tacacs (hitcnt=87378) </P><P>access-list inside_access_in line 2 permit udp any host ukjpm001 eq radius (hitcnt=1879) </P><P>access-list inside_access_in line 3 permit udp any host ukabc001 eq radius (hitcnt=1259) </P><P>access-list inside_access_in line 4 permit udp any host ukdef001 eq radius (hitcnt=18) </P><P>access-list inside_access_in line 5 permit udp any host ukdmz001 eq radius (hitcnt=122977) </P><P></P><P>no access-list inside_access_in line 3 permit udp any host ukabc001 eq radius (hitcnt=1259)</P><P></P><P>sh access-list inside_access_in</P><P></P><P>access-list inside_access_in line 1 permit tcp any host ukjpm001 eq tacacs (hitcnt=87378) </P><P>access-list inside_access_in line 2 permit udp any host ukjpm001 eq radius (hitcnt=1879) </P><P>access-list inside_access_in line 3 permit udp any host ukdef001 eq radius (hitcnt=18) </P><P>access-list inside_access_in line 4 permit udp any host ukdmz001 eq radius (hitcnt=122977) </P><P></P><P>Should you wish, you can also apply remarks at any point in the ACL, although I would recommend placing them at the top to clearly identify the ACL's role.</P><P></P><P></P><P>Steve.</P><P></P><P></P><P></P></BODY></HTML> Thu, 10 Feb 2005 13:48:17 GMT https://community.cisco.com/t5/network-security/pix-515e-acls/m-p/393673#M551641 stevep 2005-02-10T13:48:17Z