801 Views, 7 Helpful, 4 Replies

ACL modification

grissonwang
Level 1

Do I have to remove the access-group on the interface first before I modify the access-list element? What would happen if not?


4 Replies

spremkumar
Level 9

Hi

I would suggest removing the access-group from the interface first, before removing the access-list, or by default all the traffic will be blocked.

If it's applied on the WAN interface through which you are logged in, then you will get disconnected; the same thing will happen if it's applied on an Ethernet interface and you're logged in from the local LAN.

Regards

thult
Level 1

As long as you do not remove the entire access-list you do not have to remove the access-group.

True.

However, best practice is to not modify the running access-list configuration of an applied access-group unless you absolutely have to.

1) remove access-group (or apply new 'temporary' access group)

2) modify access-list

3) apply access-group (or change back to original access-list)

--Jason

I do not completely agree.

If modifying an access-list that affects your own connection to the PIX, I agree with you that it is best to change to a temporary access-list, but in other cases it is quite safe to alter an active access-list.

From version 6.3 you have the possibility to alter a single line with the command "access-list acl-id line".

Also, it is possible to remove a single line in the access-list if you specify the whole line in the "no access-list" command.

//Tomas
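The two approaches discussed in this thread (Jason's temporary access-group swap, and Tomas's in-place single-line edit on PIX 6.3 and later), written out as a PIX CLI session. This is an added example, not configuration posted by anyone in the thread; the ACL names `outside_in` and `tmp_outside_in`, the interface name `outside`, and all addresses are assumed values (documentation ranges) chosen for illustration.

```text
! Added example, not from the thread. ACL names, interface name and
! addresses are assumed/constructed.

! Starting point: an ACL already applied inbound on the outside interface.
! The admin's own session traverses the firewall (SSH to an inside host),
! so it depends on this ACL.
access-list outside_in permit tcp host 198.51.100.7 host 192.0.2.20 eq 22
access-list outside_in permit tcp any host 192.0.2.10 eq 80
access-list outside_in deny ip any any
access-group outside_in in interface outside

! ---- Approach A (Jason): swap in a temporary ACL before editing ----
! Step 1: build the temporary ACL, keeping the rule that carries the
! admin session, then re-point the interface at it.
access-list tmp_outside_in permit tcp host 198.51.100.7 host 192.0.2.20 eq 22
access-list tmp_outside_in permit tcp any host 192.0.2.10 eq 80
access-group tmp_outside_in in interface outside

! Step 2: modify the original ACL while nothing references it.
! "line 3" inserts before the final deny (the line keyword is 6.3+);
! without it the entry would be appended after "deny ip any any" and
! never match.
access-list outside_in line 3 permit tcp any host 192.0.2.10 eq 443

! Step 3: point the interface back at the updated ACL, then remove the
! temporary entries one by one (each "no" repeats the full line).
access-group outside_in in interface outside
no access-list tmp_outside_in permit tcp host 198.51.100.7 host 192.0.2.20 eq 22
no access-list tmp_outside_in permit tcp any host 192.0.2.10 eq 80

! ---- Approach B (Tomas): edit the active ACL in place (PIX 6.3+) ----
! Insert a single entry at a chosen position without touching the
! access-group; the admin session is unaffected because its permit
! entry stays in place.
access-list outside_in line 3 permit tcp any host 192.0.2.10 eq 443
! Remove a single entry by repeating it verbatim after "no".
no access-list outside_in permit tcp any host 192.0.2.10 eq 80

! Verify entry order and hit counts before and after either approach.
show access-list outside_in
```

The check that matters in both approaches is the last line: `show access-list` confirms that the entry carrying your own session is still present and in the right order before you rely on the new ACL, and its hit counters show whether the changed entries are matching traffic as intended. What neither approach should ever do while the access-group is still applied is remove the whole ACL, which leaves the interface with only the implicit deny.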
