Solved

Applying changes to the access list in a PIX 535 with failover.

Posted on 2004-08-20
Last Modified: 2013-11-16
Hey smart people,

When making changes to a PIX 535 w/failover, how does one go about making the rules active? I telnet in and make changes (both allow and deny) to the access-list bound to the inside interface; however, what I do through telnet never seems to take effect. Also, because the line commands aren't in the config, the only way for me to move items up in the access-list is through the GUI.

Does the location of the rule in the ACL make a difference?

What does one do to make the rule active?

I have even tried blocking things such as MSN.com, and no matter what I do it doesn't seem to work unless I do it in the GUI, even though the command line returns no errors and I "write mem", "write stand", and even tried taking the ACL off the interface and putting it back on. Please help.

Thank you,

Sunny
Question by:sunnyd24
3 Comments
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 11855685
>Does the location of the rule in the ACL make a difference?
Absolutely! It is processed top-down sequentially until a match is found.

>What does one do to make the rule active?
Re-apply the rule to the interface as in:
access-group <acl name> in interface outside

>it doesn't seem to work unless I do it in the GUI
>even tried taking the ACL off the interface and put it back on

What version PIX OS? What version PDM GUI?

LVL 15

Expert Comment

by:Yan_west
ID: 11857329
1- The ACLs for an interface run from the top one to the bottom; if a rule is valid for an action, it will stop processing the other ACLs.
2- If you want to move an ACL in the list (switch its position) by using telnet, you have to copy all the ACL entries, paste them into Notepad, and change the order there: first remove everything that is going to come after the ACL entry, then paste it back after it.

Ex:
no access-list acl_lan deny ip any any
access-list acl_lan permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list acl_lan deny ip any any

This will (1) remove the first entry, (2) put the second entry at the end of the ACL, and (3) put the deny ip any any entry after the previous one.

After doing this, the ACL will be active immediately.

After doing all the changes, type "write mem"
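The two answers above make the same point from different angles: a PIX access-list is evaluated top-down and the first matching entry wins, and since PIX 6.x simply appends new access-list lines to the named ACL, moving an entry up means removing everything that has to come after it and re-adding those lines in order. The following is an added example, not code from the thread or from Cisco: a small Python model of that first-match evaluation (including the implicit deny at the end of every PIX ACL), a check for entries shadowed by an earlier broader entry (the usual reason a new rule "does nothing"), and a generator for the remove/re-add command sequence Yan_west describes. The ACL name acl_lan and the addresses are constructed sample values.

```python
"""Added example (not from the original thread): model of PIX access-list
evaluation and of re-ordering entries from the CLI on PIX 6.x.

Assumptions, not stated in the thread: ACL name, addresses and ports below
are constructed sample values; PIX 6.x appends access-list lines and has no
per-line insert, so re-ordering is done by remove-then-re-add.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-list entry (ACE)."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: str                    # CIDR network, or "any"
    dst: str                    # CIDR network, or "any"
    port: Optional[int] = None  # destination port; None means any port

    @staticmethod
    def _covers(field: str, addr: str) -> bool:
        return field == "any" or ip_address(addr) in ip_network(field)

    def matches(self, proto: str, src: str, dst: str, port: int) -> bool:
        proto_ok = self.proto in ("ip", proto)
        port_ok = self.port is None or self.port == port
        return (proto_ok and port_ok
                and self._covers(self.src, src) and self._covers(self.dst, dst))

    @staticmethod
    def _cli_addr(field: str) -> str:
        # PIX syntax is "any", "host A.B.C.D" or "network mask" (not CIDR).
        if field == "any":
            return "any"
        net = ip_network(field)
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        return f"{net.network_address} {net.netmask}"

    def to_cli(self, acl_name: str) -> str:
        line = (f"access-list {acl_name} {self.action} {self.proto} "
                f"{self._cli_addr(self.src)} {self._cli_addr(self.dst)}")
        if self.port is not None:
            line += f" eq {self.port}"
        return line


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, port: int) -> Tuple[int, str]:
    """Top-down, first-match evaluation: returns (index, action).
    Index -1 with "deny" is the implicit deny at the end of every PIX ACL."""
    for i, ace in enumerate(acl):
        if ace.matches(proto, src, dst, port):
            return i, ace.action
    return -1, "deny"


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry
    already covers every packet they would cover."""
    def superset(a: str, b: str) -> bool:
        if a == "any":
            return True
        if b == "any":
            return False
        return ip_network(b).subnet_of(ip_network(a))

    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and (earlier.port is None or earlier.port == later.port)
                    and superset(earlier.src, later.src)
                    and superset(earlier.dst, later.dst)):
                out.append(j)
                break
    return out


def insert_commands(acl_name: str, acl: List[Ace], new_ace: Ace, position: int) -> List[str]:
    """CLI lines that place new_ace at `position`: remove every entry from
    that position on, add the new entry, then re-add the removed entries in
    their original order (the procedure described in the thread)."""
    tail = acl[position:]
    cmds = [f"no {ace.to_cli(acl_name)}" for ace in tail]
    cmds.append(new_ace.to_cli(acl_name))
    cmds.extend(ace.to_cli(acl_name) for ace in tail)
    return cmds


if __name__ == "__main__":
    deny_all = Ace("deny", "ip", "any", "any")
    web = Ace("permit", "tcp", "192.168.1.0/24", "any", 80)
    # Appending the permit after the deny leaves it shadowed; inserting it above fixes that.
    print("shadowed:", shadowed_entries([deny_all, web]))
    for cmd in insert_commands("acl_lan", [deny_all], web, 0):
        print(cmd)
    print("write mem")
```

The generated sequence for a one-entry ACL is exactly the three lines in the comment above. Running shadowed_entries over a long ACL before pasting it back is a cheap way to spot a new permit or deny that sits below a broader entry and will therefore never be hit, which matches the symptom in the question.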

Author Comment

by:sunnyd24
ID: 11870655
Thanks to you both for the info. I am using PIX 6.3(3) and 3.1 PDM. The config I am looking at for my company's firewall is really badly organized. Printed out, it was 91 pages long. I have since used group objects and got it down to 26. I am still kind of shaky when it comes to writing these rules. Is there a good resource other than the "Cisco Secure Pix Firewalls" book on writing the firewall rules? Maybe a Dummies book or something with examples?