Applying changes to the access list in a PIX 535 with failover.

Posted on 2004-08-20
Last Modified: 2013-11-16
Hey smart people,

When making changes to a PIX 535 w/ failover, how does one go about making the rules active?  I telnet in, make changes (both allow and deny) to the access-list bound to the inside interface; however, what I do through telnet never seems to take effect.  Also, because the line commands aren't in the config, the only way for me to move items up in the access-list is through the GUI.

Does the location of the rule in the ACL make a difference?

What does one do to make the rule active?

I have even tried blocking things such as and no matter what I do, it doesn't seem to work unless I do it in the GUI, even though the command line returns no errors and I "write mem", "write stand", and even tried taking the ACL off the interface and putting it back on.  Please help.

Thank you,

Question by:sunnyd24
LVL 79

Accepted Solution

lrmoore earned 500 total points
ID: 11855685
>Does the location of the rule in the ACL make a difference?
Absolutely! It is processed top-down sequentially until a match is found.

>What does one do to make the rule active?
Re-apply the rule to the interface as in:
access-group <acl name> in interface outside

>it doesn't seem to work unless I do it in the GUI
>even tried taking the ACL off the interface and put it back on

What version PIX OS? What version PDM GUI?

LVL 15

Expert Comment

ID: 11857329
1- The ACLs for an interface run from the top one to the bottom; if a rule is valid for an action, it will stop processing the other ACLs.
2- If you want to move an ACL in the list (switch its position) by using telnet, you have to copy all the ACL, paste it into Notepad, and change the order there by first
removing everything that is going to be after the ACL entry, and pasting it back after.

no access-list acl_lan deny ip any any
access-list acl_lan permit tcp host 192.168.1.x any eq 80
access-list acl_lan deny ip any any

This will 1) remove the 1st entry, 2) put the second entry at the end of the ACL, and 3) put the deny ip any any entry after the previous one.

After doing this, the ACL will be active immediately.

After doing all the changes, type "write mem"
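The two answers above make the same point: a PIX access list is evaluated top-down and stops at the first match, so a permit appended after a "deny ip any any" can never fire, and the only way to move an entry up over telnet is to remove the trailing entries, add the new one, and re-add the tail. The following Python model is an added example, not code from this thread or from Cisco; it simulates first-match evaluation, renders entries in PIX 6.x access-list syntax, and generates the remove/re-add command sequence the expert describes (the ACL name acl_lan, the host 192.168.1.10, and the addresses in the sample packets are constructed values).

```python
"""Model of PIX first-match ACL evaluation and the remove/re-add reorder procedure.

Added example for illustration; not Cisco code and not taken from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; otherwise "tcp" / "udp"
    src: str                     # "any" or a CIDR such as "192.168.1.10/32"
    dst: str                     # same form as src
    dport: Optional[int] = None  # None means any destination port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        """True if this entry covers the given packet tuple."""
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and ip_address(src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def _addr(cidr: str) -> str:
    """Render an address the way PIX 6.x expects it: any, host X, or network mask."""
    if cidr == "any":
        return "any"
    net = ip_network(cidr)
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def to_cli(name: str, ace: Ace) -> str:
    """Render one entry as an access-list command line."""
    line = f"access-list {name} {ace.action} {ace.proto} {_addr(ace.src)} {_addr(ace.dst)}"
    if ace.dport is not None:
        line += f" eq {ace.dport}"
    return line


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int]) -> Tuple[str, Optional[int]]:
    """First-match evaluation; returns (action, index) or ("deny", None) for the implicit deny."""
    for index, ace in enumerate(acl):
        if ace.matches(proto, src, dst, dport):
            return ace.action, index
    return "deny", None


def insert_before(name: str, acl: List[Ace], position: int,
                  new_ace: Ace) -> Tuple[List[Ace], List[str]]:
    """The telnet reorder procedure from the thread: remove every entry from
    `position` onward, add the new entry, re-add the removed tail, then re-apply
    the access-group so the change is active. Returns (new_acl, commands)."""
    tail = acl[position:]
    commands = [f"no {to_cli(name, ace)}" for ace in tail]
    commands.append(to_cli(name, new_ace))
    commands.extend(to_cli(name, ace) for ace in tail)
    commands.append(f"access-group {name} in interface inside")
    return acl[:position] + [new_ace] + tail, commands


# Constructed sample: a web permit for one inside host and the catch-all deny.
ACL_NAME = "acl_lan"
WEB_PERMIT = Ace("permit", "tcp", "192.168.1.10/32", "any", 80)
DENY_ALL = Ace("deny", "ip", "any", "any")

# The mistake from the question: the permit was appended below the deny and is shadowed.
BAD_ORDER = [DENY_ALL, WEB_PERMIT]
# The fix: rebuild the list so the permit sits above the deny.
GOOD_ORDER, COMMANDS = insert_before(ACL_NAME, [DENY_ALL], 0, WEB_PERMIT)

if __name__ == "__main__":
    pkt = ("tcp", "192.168.1.10", "10.0.0.1", 80)
    print("shadowed order :", evaluate(BAD_ORDER, *pkt))
    print("corrected order:", evaluate(GOOD_ORDER, *pkt))
    print("\n".join(COMMANDS))
```

Running it shows the same packet denied at index 0 under the shadowed order and permitted at index 0 after the rebuild, followed by the exact sequence of no access-list / access-list / access-group lines to paste into the telnet session.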

Author Comment

ID: 11870655
Thanks to you both for the info.  I am using Pix 6.3(3) and 3.1 PDM.  The config I am looking at for my company's firewall is really badly organized.  Printed out it was 91 pages long.  I have since used group objects and got it down to 26.  I am still kind of shaky when it comes to writing these rules.  Is there a good resource other than the "Cisco Secure Pix Firewalls" book on writing the firewall rules?  Maybe a Dummies book or something with examples?
