• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 316
  • Last Modified:

PIX 525 now allowing access line deletion

I am on a pix firewall 525 IOS PIX Version 6.3(4).  I am trying to
1) remove this line "access-list PERMIT_OUTWARD deny udp any any"  by typing this command "no access-list PERMIT_OUTWARD deny udp any any" in config mode.   The system keeps returning me to a help screen and says "INVALID PROTOCOL UPD"

What am i missing

How would I then ALLOW out bound udp traffic thru port 500 and deny the balance.  I am going to give this access listline numbers 170.
  • 3
  • 3
2 Solutions
You need to do 'no access-list PERMIT_OUTWARD' and then paste back in the original access-list minus the lines you dont want. You will also need to reapply the corresponding access-group command aswell.

To only permit udp destined to port 500 and deny all other udp you would use :-
access-list PERMIT_OUTWARD permit udp any any eq 500
access-list PERMIT_OUTWARD deny udp any any
Your other option is to delete the access-list entry by its line number

From priv mode -
sh access-list PERMIT_OUTWARD

The PIX will list the acl entries in this access-list by their corresponding line number - find the line you wish to remove and get rid of it.

conf t
no access-list PERMIT_OUTWARD line 14  deny udp any any
wri mem

gordonmannAuthor Commented:
I also need IPSec enabled on that same port
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

In what way do you need IPSEC enabled?
gordonmannAuthor Commented:
VPn with shared key to connect via a software client.
gordonmannAuthor Commented:
Here is the IPSEC info given to me

IPSEC Gateway IP:
Group Name: Clt96
Pre Shared key: A5+A5=a10#clt96#site
Encryption: 3DES
Authentication: SHA
DH Group: 2

Any help would be appreciated as I recently inherited this responsibility with 0  training.
ok. Can you post your current configuration.

I will also need to IP address range used at the other site you are connecting to.

Featured Post

Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now