Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
745
Views
10
Helpful
3
Replies

Adding a single line to an existing named access list

pguibord
Level 1
Level 1

‎11-15-2003 09:06 AM - edited ‎02-20-2020 09:23 PM

If a named access list already exists can I add an additional line to it without over writing the entire access list?

Paul

Labels:
0 Helpful
3 Replies 3

bfl1
Level 1
Level 1

‎11-15-2003 10:03 AM

You can use PDM to insert the new rule into any location you wish.

If you want to do it via the CLI, then this is how I suggest.

If you have an access-list called permitout and you issue the following:

access-list permitout tcp any any eq tftp

The new rule will be put at the bottom of the access list. To insert it where you want via the command line, do this:

1) Copy your config to a text file.

2) From your text file copy all the rules associated with the access-list to a separate text file.

3) Insert the rule into the access-list where you want it.

4) On the firewall, issue the no access-list

5) From the text file that has your access-list with the new entry, copy all the text and paste it to the command line of the firewall.

6) issue the command access-group in interface

This will disrupt traffic for a few seconds, so do it after hours. The easiest less disruptive way is via the PDM.

If anyone else has other ways of inserting them into specific locations via the CLI, I’d love to hear them.

pavlosd
Level 2
Level 2

‎11-15-2003 12:18 PM

Depending on the Version of your PIX IOS if you type the command "show access-list " you will see the access-list along with numbers in each line....

for example in my firewall,

pix# sh access-list ACL_TEST

access-list ACL_TEST; 6 elements

access-list ACL_TEST line 1 permit icmp any any echo (hitcnt=0)

access-list ACL_TEST line 2 permit icmp any any echo-reply (hitcnt=166894)

access-list ACL_TEST line 3 permit icmp any any time-exceeded (hitcnt=0)

access-list ACL_TEST line 4 permit icmp any any unreachable (hitcnt=177)

access-list ACL_TEST line 6 deny ip any any log 6 interval 300 (hitcnt=336)

so depending on which line I want to add something "above" it, I type my ACL with a number.

To be more specific, suppose I wanted to permit ftp from any to any and wanted to add it, before the last line, I would typed

"access-list ACL_TEST line 6 permit tcp any any eq ftp"

pguibord
Level 1
Level 1
In response to pavlosd

‎11-15-2003 12:42 PM

Sweet!!

Thanks to both.

Paul

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents