Applying changes to the access list in a PIX 535 with failover.

Posted on 2004-08-20
Last Modified: 2013-11-16
Hey smart people,

When making changes to a PIX 535 with failover, how does one go about making the rules active? I telnet in and make changes (both allow and deny) to the access-list bound to the inside interface; however, what I do through telnet never seems to take effect. Also, because the line commands aren't in the config, the only way for me to move items up in the access-list is through the GUI.

Does the location of the rule in the ACL make a difference?

What does one do to make the rule active?

I have even tried blocking things such as and no matter what I do, it doesn't seem to work unless I do it in the GUI, even though the command line returns no errors and I "write mem" and "write stand"; I even tried taking the ACL off the interface and putting it back on. Please help.

Thank you,

Question by: sunnyd24
LVL 79

Accepted Solution

lrmoore earned 500 total points
ID: 11855685
>Does the location of the rule in the ACL make a difference?
Absolutely! It is processed top-down sequentially until a match is found.

>What does one do to make the rule active?
Re-apply the rule to the interface as in:
access-group <acl name> in interface outside

>it doesn't seem to work unless I do it in the GUI
>even tried taking the ACL off the interface and put it back on

What version PIX OS? What version PDM GUI?

LVL 15

Expert Comment

ID: 11857329
1- The ACL for an interface runs from the top entry to the bottom; if a rule is valid for an action, it will stop processing the other ACLs.
2- If you want to move an ACL in the list (switch its position) using telnet, you have to copy the whole ACL, paste it into Notepad, and change the order there by first removing everything that is going to be after the ACL entry, and then pasting it back afterwards.

no access-list acl_lan deny ip any any
access-list acl_lan permit tcp 192.168.1.x any eq 80
access-list acl_lan deny ip any any

This will: 1. remove the 1st entry, 2. put the second entry at the end of the ACL, and 3. put the deny ip any any entry after the previous one.

After doing this, the ACL will be active immediately.

After doing all the changes, type "write mem"
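The reordering procedure described in the comment above, written out as an added Python example (it is not from this thread or from Cisco): it parses the entries of one ACL out of a running-config dump, generates the `no`/re-add sequence that places a new entry at a chosen position, and simulates how the PIX applies those commands so the final order can be checked before pasting it into the telnet session. The sample config lines, the ACL name `acl_lan`, the host 192.168.1.50 and the interface name `inside` are constructed assumptions.

```python
"""Added example (not from the Experts Exchange thread): build the PIX 6.x
command sequence that inserts an ACE at a chosen position in an ACL.

PIX 6.x has no line-number ACL editing, so moving or inserting an entry means
removing every entry that must come after it and re-adding them in order,
which is the Notepad procedure from the answer above.
"""

ACL_KEYWORD = "access-list"

# Constructed sample configuration; the network values are illustrative only.
SAMPLE_CONFIG = """
nameif ethernet1 inside security100
access-list acl_lan permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list acl_lan permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list acl_lan deny ip any any
access-group acl_lan in interface inside
""".strip().splitlines()


def parse_acl(config_lines, acl_name):
    """Return the entries of acl_name in the order the PIX evaluates them (top-down)."""
    prefix = f"{ACL_KEYWORD} {acl_name} "
    return [line.strip() for line in config_lines if line.strip().startswith(prefix)]


def insertion_commands(aces, new_ace, position):
    """Commands that place new_ace at 0-based index `position`.

    1. 'no' every existing entry from `position` to the end; entries above
       `position` are left alone.
    2. Add the new entry; the PIX appends it, so it now sits at `position`.
    3. Re-add the removed entries in their original relative order.
    position == len(aces) simply appends; position == 0 rebuilds the whole list.
    """
    if not 0 <= position <= len(aces):
        raise ValueError(f"position must be between 0 and {len(aces)}")
    if aces:
        acl_prefix = " ".join(aces[0].split()[:2]) + " "
        if not new_ace.startswith(acl_prefix):
            raise ValueError(f"new entry must start with {acl_prefix!r}")
    tail = aces[position:]
    return [f"no {ace}" for ace in tail] + [new_ace] + tail


def simulate(aces, commands):
    """Model how the PIX applies the commands: 'no' deletes, anything else appends."""
    state = list(aces)
    for cmd in commands:
        if cmd.startswith("no "):
            state.remove(cmd[3:])
        else:
            state.append(cmd)
    return state


def change_plan(config_lines, acl_name, new_ace, position, interface="inside"):
    """Paste-ready sequence: reorder, re-apply the access-group (as lrmoore
    suggests) and save the config (the 'write mem' both answers end with)."""
    aces = parse_acl(config_lines, acl_name)
    cmds = insertion_commands(aces, new_ace, position)
    cmds.append(f"access-group {acl_name} in interface {interface}")
    cmds.append("write memory")
    return cmds


if __name__ == "__main__":
    # Constructed example: block one host's HTTP before the subnet-wide permit.
    new = "access-list acl_lan deny tcp host 192.168.1.50 any eq 80"
    for line in change_plan(SAMPLE_CONFIG, "acl_lan", new, position=0):
        print(line)
```

Run `simulate()` on the generated commands first and compare the result with the order you intended; a wrong position silently puts the new deny below the permit it was meant to override, and with top-down matching it then never fires. While the tail of the list is removed, the ACL's implicit deny means traffic those entries permitted is dropped rather than allowed, so the edit window fails closed but can still interrupt sessions; keep the paste short, and remember that position 0 removes and rebuilds the entire list.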

Author Comment

ID: 11870655
Thanks to you both for the info.  I am using Pix 6.3(3) and 3.1 PDM.  The config I am looking at for my company's firewall is really badly organized.  Printed out it was 91 pages long.  I have since used group objects and got it down to 26.  I am still kind of shaky when it comes to writing these rules.  Is there a good resource other than the "Cisco Secure Pix Firewalls" book on writing the firewall rules?  Maybe a Dummies book or something with examples?
