buckstaff
asked on
How to Modify access-list on Cisco Pix 501
I know how to log on to our Cisco Pix 501, but I need to know how to modify some access lists. Could someone please tell me how to modify the following types of lines in our Cisco config?
static (inside,outside) xxx.xxx.xxx.xxx 10.0.0.4 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host xxx.xxx.xxx.xxx eq smtp
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
Thanks
ASKER
Really, it's that easy? Sweet.
So do I have to do a "wr mem" in between those??
Can do it after you are all done. You will need to get into config mode first, which is simply:
conf t
no static (inside,outside) xxx.xxx.xxx.xxx 10.0.0.4 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.4 10.0.0.4 netmask 255.255.255.255 0 0
no access-list inbound permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list inbound permit tcp any host 1.2.3.4 eq smtp
no ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address outside 1.2.3.4 255.255.255.248
exit
wr mem
And you're done
The reason for not having to wr mem after each is that the running config is loaded from the startup config. When you make changes to the running config, which is what this will do, you have to use a wr mem when you are all done so that when the machine reboots it can load the new config. One thing you can also do, if you are able to test, is do all of the commands, do not do a wr mem, test it, and if it doesn't work just reboot it and you will have the old config back.
And one more thing, like for the ip address outside: you may not need the no statement first. Sometimes just issuing the new statement will replace it, but it never hurts to issue the no first.
ASKER
Do I have to do a "copy run start" as well?
No, copy run start and wr mem are the same. They are moving away from the wr mem command, if I remember correctly, but until it tells me that it is invalid I will use it. They perform the same action: writing the running config to flash.
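The replace-each-line procedure from the answers above, as an added example (not code from the thread or from Cisco): a Python helper that builds the "no" / new command pairs for every config line that references the old outside address, matching the address as a whole token so similar addresses are left alone. The function name, the sample config and the 192.0.2.10 stand-in for the masked xxx.xxx.xxx.xxx address are assumptions.

```python
import ipaddress
import re

# Constructed sample: the asker's three line types with a documentation address
# (192.0.2.10) standing in for the masked one, plus one line that must NOT
# change even though it contains the old address as a substring.
SAMPLE_CONFIG = """\
ip address outside 192.0.2.10 255.255.255.248
access-list inbound permit tcp any host 192.0.2.10 eq smtp
access-list inbound permit tcp any host 192.0.2.100 eq www
static (inside,outside) 192.0.2.10 10.0.0.4 netmask 255.255.255.255 0 0
"""


def build_change_set(config_text, old_ip, new_ip):
    """Return the PIX commands that move every reference from old_ip to new_ip."""
    # Reject malformed addresses before anything is pasted into the firewall.
    old_ip = str(ipaddress.IPv4Address(old_ip))
    new_ip = str(ipaddress.IPv4Address(new_ip))
    # Whole-token match: 192.0.2.10 must not hit 192.0.2.100 or 10.192.0.2.10.
    token = re.compile(r"(?<![\d.])" + re.escape(old_ip) + r"(?![\d.])")
    commands = ["conf t"]
    for line in config_text.splitlines():
        line = line.strip()
        if line and token.search(line):
            commands.append("no " + line)             # remove the old entry
            commands.append(token.sub(new_ip, line))  # re-add it with the new address
    commands.append("exit")
    # "wr mem" is deliberately not emitted: saving stays a manual step after
    # testing, so a reboot still restores the old startup config.
    return commands


if __name__ == "__main__":
    print("\n".join(build_change_set(SAMPLE_CONFIG, "192.0.2.10", "1.2.3.4")))
```

Review the generated commands before pasting them in, and run wr mem only once the new address has been tested.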