Applying changes to the access list on a PIX 535 with failover.

Posted on 2004-08-20
Last Modified: 2013-11-16
Hey smart people,

When making changes to a PIX 535 with failover, how does one go about making the rules active?  I telnet in and make changes (both allow and deny) to the access-list bound to the inside interface; however, what I do through telnet never seems to take effect.  Also, because the line commands aren't in the config, the only way for me to move items up in the access-list is through the GUI.

Does the location of the rule in the ACL make a difference?

What does one do to make the rule active?

I have even tried blocking things such as and no matter what I do, it doesn't seem to work unless I do it in the GUI, even though the command line returns no errors and I "write mem" and "write stand"; I even tried taking the ACL off the interface and putting it back on.  Please help.

Thank you,

Question by:sunnyd24
LVL 79

Accepted Solution

lrmoore earned 500 total points
ID: 11855685
>Does the location of the rule in the ACL make a difference?
Absolutely! It is processed top-down sequentially until a match is found.

>What does one do to make the rule active?
Re-apply the rule to the interface as in:
access-group <acl name> in interface outside

>it doesn't seem to work unless I do it in the GUI
>even tried taking the ACL off the interface and put it back on

What version PIX OS? What version PDM GUI?

LVL 15

Expert Comment

ID: 11857329
1- The ACL for an interface is evaluated from the top entry to the bottom; once a rule matches and decides the action, processing stops and the remaining entries are not checked.
2- If you want to move an entry in the list (switch its position) using telnet, you have to copy the whole ACL, paste it into Notepad, and change the order there: first remove everything that is going to come after the entry, then paste it back in after it.

no access-list acl_lan deny ip any any
access-list acl_lan permit tcp 192.168.1.x any eq 80
access-list acl_lan deny ip any any

This will: 1. remove the first entry; 2. put the second entry at the end of the ACL; and 3. put the "deny ip any any" entry after the previous one.

After doing this, the ACL will be active immediately.

After doing all the changes, type "write mem"
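
The two answers above make two points that are easy to get wrong on a PIX 6.x box: the access-list is evaluated top-down with the first match winning, and since there is no per-line insert on the CLI, every new entry is appended at the end, so a deny typed over telnet after a broad permit never fires (which is the symptom in the question). The script below is an added example, not from this thread or from Cisco: it simulates first-match evaluation and emits the remove-and-re-add command sequence for placing an entry at a chosen position. The ACL name acl_lan, the addresses, the interface name and the flows are constructed for illustration.

```python
"""First-match ACL evaluation and PIX 6.x remove/re-add ordering (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-list entry. src/dst are 'any' or CIDR; port is the 'eq <port>' destination port."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: str
    dst: str
    port: Optional[int] = None  # None means any destination port


def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    """True if the flow (proto, src, dst, dport) is covered by this entry."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.ip_address(src) not in _net(ace.src):
        return False
    if ipaddress.ip_address(dst) not in _net(ace.dst):
        return False
    return ace.port is None or ace.port == dport


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Returns (action, index); index None means
    the implicit deny at the end of every PIX ACL was reached."""
    for i, ace in enumerate(acl):
        if matches(ace, proto, src, dst, dport):
            return ace.action, i
    return "deny", None


def _addr(spec: str) -> str:
    """PIX 6.x address syntax: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if spec == "any":
        return "any"
    net = _net(spec)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def render(name: str, ace: Ace) -> str:
    """One access-list configuration line for this entry."""
    line = f"access-list {name} {ace.action} {ace.proto} {_addr(ace.src)} {_addr(ace.dst)}"
    if ace.port is not None:
        line += f" eq {ace.port}"
    return line


def insert_at(acl: List[Ace], new: Ace, position: int) -> List[Ace]:
    """The ACL as it will look on the box after insert_commands() is pasted."""
    return acl[:position] + [new] + acl[position:]


def insert_commands(name: str, acl: List[Ace], new: Ace, position: int,
                    iface: str = "inside") -> List[str]:
    """CLI to place `new` at `position` on PIX 6.x, where new entries always append:
    remove the tail, add the new entry, re-add the tail in its original order.

    Caveat: between the 'no' lines and the re-adds, flows that matched the removed
    tail fall through to the implicit deny, so paste the block in one go. The
    access-group line re-binds the list to the interface, as the first answer suggests.
    """
    tail = acl[position:]
    cmds = [f"no {render(name, a)}" for a in tail]
    cmds.append(render(name, new))
    cmds.extend(render(name, a) for a in tail)
    cmds.append(f"access-group {name} in interface {iface}")
    cmds.append("write memory")
    return cmds


# Constructed sample: a LAN ACL permitting web from the subnet, then denying all,
# plus a new per-host deny that the asker wants to take effect.
ACL_LAN = [
    Ace("permit", "tcp", "192.168.1.0/24", "any", 80),
    Ace("deny", "ip", "any", "any"),
]
BLOCK_HOST = Ace("deny", "tcp", "192.168.1.50/32", "any", 80)
FLOW = ("tcp", "192.168.1.50", "10.0.0.1", 80)  # the blocked host browsing the web

if __name__ == "__main__":
    print("appended via telnet:", evaluate(ACL_LAN + [BLOCK_HOST], *FLOW))   # still permitted
    print("inserted at top:    ", evaluate(insert_at(ACL_LAN, BLOCK_HOST, 0), *FLOW))
    print("\n".join(insert_commands("acl_lan", ACL_LAN, BLOCK_HOST, 0)))
```

Run it and compare the two evaluate() results: the appended deny is shadowed by the earlier permit, while the same entry at the top takes effect. The generated command list is what you would paste into the telnet session in place of editing in the GUI.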

Author Comment

ID: 11870655
Thanks to you both for the info.  I am using PIX 6.3(3) and PDM 3.1.  The config I am looking at for my company's firewall is really badly organized.  Printed out, it was 91 pages long.  I have since used group objects and got it down to 26.  I am still kind of shaky when it comes to writing these rules.  Is there a good resource other than the "Cisco Secure PIX Firewalls" book on writing the firewall rules?  Maybe a Dummies book or something with examples?
