• Status: Solved

PIX 525 not allowing access line deletion

I am on a PIX firewall 525, IOS PIX Version 6.3(4). I am trying to
1) remove this line "access-list PERMIT_OUTWARD deny udp any any" by typing the command "no access-list PERMIT_OUTWARD deny udp any any" in config mode. The system keeps returning me to a help screen and says "INVALID PROTOCOL UPD".

What am I missing?

How would I then allow outbound UDP traffic through port 500 and deny the balance? I am going to give this access list line number 170.
2 Solutions
You need to do 'no access-list PERMIT_OUTWARD' and then paste back in the original access-list minus the lines you don't want. You will also need to reapply the corresponding access-group command as well.

To only permit udp destined to port 500 and deny all other udp you would use:
access-list PERMIT_OUTWARD permit udp any any eq 500
access-list PERMIT_OUTWARD deny udp any any
Your other option is to delete the access-list entry by its line number

From priv mode -
sh access-list PERMIT_OUTWARD

The PIX will list the acl entries in this access-list by their corresponding line number - find the line you wish to remove and get rid of it.

conf t
no access-list PERMIT_OUTWARD line 14 deny udp any any
wri mem
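Both answers above describe the same two ways of removing one entry from a PIX 6.3 access-list: rebuild the whole list without it (and rebind the access-group), or delete it by the line number that 'show access-list' displays. The following is an added example, not code from either poster; it generates those two command sequences from a constructed sample ACL (the ACL contents, interface name and line numbering are assumptions) and also rejects a misspelt protocol keyword, which is what the "INVALID PROTOCOL" error in the question points at.

```python
# Added example: emit the PIX 6.3 command sequences for removing one ACE.
# The ACL below is a constructed sample, not the asker's real configuration.

VALID_PROTOCOLS = {"ip", "tcp", "udp", "icmp"}   # keyword forms PIX accepts (numbers also allowed)
VALID_ACTIONS = {"permit", "deny"}

def check_ace(ace):
    """Reject an ACE whose action or protocol keyword is misspelt, e.g. 'upd'.
    On the real box the parser bounces such a line back to the help screen."""
    parts = ace.split()
    if len(parts) < 2 or parts[0] not in VALID_ACTIONS:
        raise ValueError(f"invalid action in {ace!r}")
    proto = parts[1]
    if proto not in VALID_PROTOCOLS and not proto.isdigit():
        raise ValueError(f"invalid protocol {proto!r} in {ace!r}")
    return ace

def rebuild_commands(name, aces, remove, access_group):
    """Option 1: drop the whole ACL, re-enter every entry except `remove`,
    then reapply the access-group binding as the first answer advises."""
    check_ace(remove)
    if remove not in aces:
        raise ValueError(f"{remove!r} is not in access-list {name}")
    cmds = [f"no access-list {name}"]
    cmds += [f"access-list {name} {ace}" for ace in aces if ace != remove]
    cmds.append(access_group)
    cmds.append("write memory")
    return cmds

def line_delete_commands(name, aces, remove):
    """Option 2: delete by line number. Assumes the list is shown in entry
    order numbered from 1, as 'show access-list NAME' does on PIX 6.3."""
    check_ace(remove)
    line = aces.index(remove) + 1
    return [f"no access-list {name} line {line} {remove}", "write memory"]

# Constructed sample ACL (hypothetical entries; interface name assumed).
ACL = "PERMIT_OUTWARD"
ACES = [
    "permit tcp any any eq 80",
    "permit udp any any eq 500",   # IKE/ISAKMP, which the asker wants to keep
    "deny udp any any",            # the entry the asker wants removed
    "permit ip any any",
]
GROUP = f"access-group {ACL} in interface inside"

if __name__ == "__main__":
    print("\n".join(rebuild_commands(ACL, ACES, "deny udp any any", GROUP)))
    print("\n".join(line_delete_commands(ACL, ACES, "deny udp any any")))
```

Run it and paste the printed block into config mode; the line-number variant is the shorter change, but verify the number against the live 'show access-list' output first, since remarks or prior edits shift it.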

gordonmann (Author) commented:
I also need IPSec enabled on that same port
In what way do you need IPSEC enabled?
gordonmann (Author) commented:
VPN with shared key to connect via a software client.
gordonmann (Author) commented:
Here is the IPSEC info given to me:

IPSEC Gateway IP:
Group Name: Clt96
Pre Shared key: A5+A5=a10#clt96#site
Encryption: 3DES
Authentication: SHA
DH Group: 2

Any help would be appreciated as I recently inherited this responsibility with zero training.
OK. Can you post your current configuration?

I will also need the IP address range used at the other site you are connecting to.
Question has a verified solution.