11-15-2003 09:06 AM - edited 02-20-2020 09:23 PM
If a named access list already exists, can I add an additional line to it without overwriting the entire access list?
Paul
11-15-2003 10:03 AM
You can use PDM to insert the new rule into any location you wish.
If you want to do it via the CLI, then this is how I suggest.
If you have an access-list called permitout and you issue the following:
access-list permitout tcp any any eq tftp
The new rule will be put at the bottom of the access list. To insert it where you want via the command line, do this:
1) Copy your config to a text file.
2) From your text file copy all the rules associated with the access-list to a separate text file.
3) Insert the rule into the access-list where you want it.
4) On the firewall, issue the no access-list
5) From the text file that has your access-list with the new entry, copy all the text and paste it to the command line of the firewall.
6) issue the command access-group
This will disrupt traffic for a few seconds, so do it after hours. The easiest and least disruptive way is via the PDM.
If anyone else has other ways of inserting them into specific locations via the CLI, I'd love to hear them.
11-15-2003 12:18 PM
Depending on the version of your PIX IOS, if you type the command "show access-list", for example in my firewall,
pix# sh access-list ACL_TEST
access-list ACL_TEST; 6 elements
access-list ACL_TEST line 1 permit icmp any any echo (hitcnt=0)
access-list ACL_TEST line 2 permit icmp any any echo-reply (hitcnt=166894)
access-list ACL_TEST line 3 permit icmp any any time-exceeded (hitcnt=0)
access-list ACL_TEST line 4 permit icmp any any unreachable (hitcnt=177)
access-list ACL_TEST line 6 deny ip any any log 6 interval 300 (hitcnt=336)
so depending on which line I want to add something "above", I type my ACL with a number.
To be more specific, suppose I wanted to permit FTP from any to any and wanted to add it before the last line. I would type
"access-list ACL_TEST line 6 permit tcp any any eq ftp"
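Both answers above come down to the same task: find the rule you want the new entry to sit above, then either insert it by its displayed line number (second answer) or remove and re-enter the whole list with the new rule spliced in (first answer). The script below is an added example and not code from either poster; it parses the `show access-list` output quoted in the thread (embedded here as constructed sample input) and generates both command sequences. It assumes that `no access-list <name>` clears the whole list, as step 4 of the first answer implies, and it deliberately does not emit the `access-group` re-binding, since the thread never shows that command's interface arguments. The one detail worth seeing in code is that PIX line numbers are not a dense index: the sample jumps from line 4 to line 6, so the insert must use the number PIX displays, not the rule's ordinal position.

```python
import re
from typing import List, Tuple

# Constructed sample: the `show access-list ACL_TEST` output quoted in the thread,
# including the gap at line 5 (PIX keeps the numbers it displays; they are not renumbered).
SAMPLE_SHOW_OUTPUT = """\
access-list ACL_TEST; 6 elements
access-list ACL_TEST line 1 permit icmp any any echo (hitcnt=0)
access-list ACL_TEST line 2 permit icmp any any echo-reply (hitcnt=166894)
access-list ACL_TEST line 3 permit icmp any any time-exceeded (hitcnt=0)
access-list ACL_TEST line 4 permit icmp any any unreachable (hitcnt=177)
access-list ACL_TEST line 6 deny ip any any log 6 interval 300 (hitcnt=336)
"""

# One numbered ACE as PIX prints it; the "(hitcnt=N)" suffix is optional.
LINE_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<num>\d+) (?P<rule>.+?)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))?$"
)


def parse_show_access_list(text: str) -> List[Tuple[int, str, int]]:
    """Return (displayed_line_number, rule_text, hitcnt) tuples in display order.
    The '<name>; N elements' header line carries no 'line' keyword and is skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        hits = int(m.group("hits")) if m.group("hits") else 0
        entries.append((int(m.group("num")), m.group("rule"), hits))
    return entries


def insert_before_command(name: str, entries, before_rule: str, new_rule: str) -> str:
    """Second answer's method: one CLI line that inserts new_rule above before_rule,
    keyed on the line number PIX displays (6 in the sample, although it is the 5th entry)."""
    for num, rule, _ in entries:
        if rule == before_rule:
            return f"access-list {name} line {num} {new_rule}"
    raise ValueError(f"rule not present in {name}: {before_rule!r}")


def rebuild_commands(name: str, entries, before_rule: str, new_rule: str) -> List[str]:
    """First answer's method for images without line-number inserts: clear the list and
    re-enter every rule with new_rule spliced in above before_rule.
    Assumption: `no access-list <name>` removes the whole list. Re-applying access-group
    is left to the operator because the interface binding is not known here."""
    if before_rule not in {rule for _, rule, _ in entries}:
        raise ValueError(f"rule not present in {name}: {before_rule!r}")
    cmds = [f"no access-list {name}"]
    for _, rule, _ in entries:
        if rule == before_rule:
            cmds.append(f"access-list {name} {new_rule}")
        cmds.append(f"access-list {name} {rule}")
    return cmds


if __name__ == "__main__":
    acl = parse_show_access_list(SAMPLE_SHOW_OUTPUT)
    last_rule = "deny ip any any log 6 interval 300"
    print(insert_before_command("ACL_TEST", acl, last_rule, "permit tcp any any eq ftp"))
    print("\n".join(rebuild_commands("ACL_TEST", acl, last_rule, "permit tcp any any eq ftp")))
```

Run it against a fresh `show access-list <name>` capture rather than a saved config: the saved config does not carry the displayed line numbers, and an insert computed from a stale capture can land the rule in the wrong place.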
11-15-2003 12:42 PM
Sweet!!
Thanks to both.
Paul