Applying changes to the access list in a PIX 535 with failover.

Posted on 2004-08-20
Last Modified: 2013-11-16
Hey smart people,

When making changes to a PIX 535 w/failover, how does one go about making the rules active? I telnet in and make changes (both allow and deny) to the access-list bound to the inside interface; however, what I do through telnet never seems to take effect. Also, because the line commands aren't in the config...the only way for me to move items up in the access-list is through the GUI.

Does the location of the rule in the ACL make a difference?

What does one do to make the rule active?

I have tried even blocking things such as and no matter what I do, it doesn't seem to work unless I do it in the GUI, even though the command line returns no errors and I "write mem", "write stand", and even tried taking the ACL off the interface and putting it back on. Please help.

Thank you,

Question by:sunnyd24
LVL 79

Accepted Solution

lrmoore earned 500 total points
ID: 11855685
>Does the location of the rule in the ACL make a difference?
Absolutely! It is processed top-down sequentially until a match is found.

>What does one do to make the rule active?
Re-apply the rule to the interface as in:
access-group <acl name> in interface outside

>it doesn't seem to work unless I do it in the GUI
>even tried taking the ACL off the interface and put it back on

What version PIX OS? What version PDM GUI?

LVL 15

Expert Comment

ID: 11857329
1- The ACLs for an interface run from the top one to the bottom; if a rule is valid for an action, it will stop processing the other ACLs.
2- If you want to move an ACL in the list (switch its position) by using telnet, you've got to copy all the ACL, paste it in Notepad, and change the order there by first removing everything that is going to be after the ACL entry, and pasting it back after.

no access-list acl_lan deny ip any any
access-list acl_lan permit tcp 192.168.1.x any eq 80
access-list acl_lan deny ip any any

This will: 1. Remove the first entry. 2. Put the second entry at the end of the ACL. 3. Put the deny ip any any entry after the previous one.

After doing this, the ACL will be active immediately.

After doing all the changes, type "write mem"
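
The top-down, first-match processing described in the answers above, as an added example that is not part of the original thread: a small Python evaluator for a simplified subset of PIX access-list syntax that shows why a permit appended after `deny ip any any` never matches and flags such shadowed entries. The 192.168.1.0 255.255.255.0 network, the test addresses and the function names are constructed for illustration.

```python
import ipaddress

def parse_addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' (simplified subset)."""
    tok = line.split()
    src, rest = parse_addr(tok[4:])
    dst, rest = parse_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"line": line, "action": tok[2], "proto": tok[3],
            "src": src, "dst": dst, "port": port}

def covers(a, b):
    """True if everything matched by entry b is also matched by entry a."""
    return (a["proto"] in ("ip", b["proto"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and (a["port"] is None or a["port"] == b["port"]))

def first_match(acl, proto, src, dst, port):
    """Top-down evaluation: the first matching entry decides; no match is an implicit deny."""
    pkt = {"proto": proto, "port": port,
           "src": ipaddress.ip_network(src + "/32"),
           "dst": ipaddress.ip_network(dst + "/32")}
    return next((ace["action"] for ace in acl if covers(ace, pkt)), "deny")

def shadowed(acl):
    """Return (earlier, later) pairs where the later entry can never be reached."""
    return [(a["line"], b["line"])
            for i, b in enumerate(acl) for a in acl[:i] if covers(a, b)]

# Constructed sample entries, modelled on the acl_lan example in the thread.
PERMIT_WEB = "access-list acl_lan permit tcp 192.168.1.0 255.255.255.0 any eq 80"
DENY_ALL = "access-list acl_lan deny ip any any"
APPENDED = [parse_ace(DENY_ALL), parse_ace(PERMIT_WEB)]   # new rule added at the end
REORDERED = [parse_ace(PERMIT_WEB), parse_ace(DENY_ALL)]  # after remove and re-add

if __name__ == "__main__":
    for name, acl in (("appended", APPENDED), ("reordered", REORDERED)):
        verdict = first_match(acl, "tcp", "192.168.1.10", "203.0.113.5", 80)
        print(name, verdict, "shadowed:", shadowed(acl))
```
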

Author Comment

ID: 11870655
Thanks to you both for the info.  I am using Pix 6.3(3) and 3.1 PDM.  The config I am looking at for my company's firewall is really badly organized.  Printed out it was 91 pages long.  I have since used group objects and got it down to 26.  I am still kind of shaky when it comes to writing these rules.  Is there a good resource other than the "Cisco Secure Pix Firewalls" book on writing the firewall rules?  Maybe a Dummies book or something with examples?
