Velocity Reviews - Computer Hardware Reviews

ACLs in PIX 7 and above

Frank Winkler
      10-04-2007
Hi there !

In 6.3 it was possible to remove an entire ACL with "no acl <acl>". This no
longer works in PIX 7 - one has to remove every single line. Is this a bug
or a feature, am I doing anything wrong? What about v8?

TIA

fw
allan16
      10-04-2007
try using:

clear configure access-list acl-name

*it removes all acls under the acl-name specified
mcaissie
      10-04-2007
You can do it with

firewall(config)# clear configure access-list [acl-name]


"Frank Winkler" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi there !
>
> In 6.3 it was possible to remove an entire ACL with "no acl <acl>". This
> no longer works in PIX 7 - one has to remove every single line. Is this a
> bug or a feature, am I doing wrong anything? What about v8?
>
> TIA
>
> fw
Frank Winkler
      10-05-2007
mcaissie wrote:

>You can do it with
>
>firewall(config)# clear configure access-list [acl-name]


What kind of syntax is that? Never seen.
With the mentioned behavior, is it possible to delete single lines in an
ACL without having to re-create the whole list?

Regards

fw
Brian V
      10-05-2007

"Frank Winkler" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> mcaissie wrote:
>
> >You can do it with
> >
> >firewall(config)# clear configure access-list [acl-name]
>
> What kind of syntax is that? Never seen.
> With the mentioned behavior, is it possible to delete single lines in an
> ACL without having to re-create the whole list?
>
> Regards
>
> fw


You've always been able to delete individual lines on a Pix/ASA ACL, simply
use the exact syntax, i.e.

no access-list outside permit tcp any host 1.1.1.1 eq smtp

mcaissie
      10-05-2007

"Frank Winkler" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> mcaissie wrote:
>
> >You can do it with
> >
> >firewall(config)# clear configure access-list [acl-name]
>
> What kind of syntax is that? Never seen.


My guess is they removed the possibility to inadvertently delete
a whole access-list when managing it.


Scott Perry
      10-05-2007
Yes, you can either remove an entire access list or single entries from it.
You can also insert an entry into the middle of an access list.

PIX(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inbound; 4 elements
access-list inbound line 1 remark * Telnet
access-list inbound line 2 extended permit tcp any host 10.1.1.1 eq ssh (hitcnt=0)
access-list inbound line 3 extended permit tcp any host 10.1.1.1 eq telnet (hitcnt=0)

PIX(config)# access-list inbound line 3 remark * SSH
PIX(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inbound; 4 elements
access-list inbound line 1 remark * Telnet
access-list inbound line 2 extended permit tcp any host 10.1.1.1 eq ssh (hitcnt=0)
access-list inbound line 3 remark * SSH
access-list inbound line 4 extended permit tcp any host 10.1.1.1 eq telnet (hitcnt=0)

PIX(config)# no access-list inbound line 3 remark * SSH
PIX(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inbound; 4 elements
access-list inbound line 1 remark * Telnet
access-list inbound line 2 extended permit tcp any host 10.1.1.1 eq ssh (hitcnt=0)
access-list inbound line 3 extended permit tcp any host 10.1.1.1 eq telnet (hitcnt=0)

--

===========
Scott Perry
===========
Indianapolis, Indiana
________________________________________
"Frank Winkler" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> mcaissie wrote:
>
> >You can do it with
> >
> >firewall(config)# clear configure access-list [acl-name]
>
> What kind of syntax is that? Never seen.
> With the mentioned behavior, is it possible to delete single lines in an
> ACL without having to re-create the whole list?
>
> Regards
>
> fw



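The thread settles on three operations: `clear configure access-list <name>` drops the whole list, an exact-syntax `no access-list ...` drops one entry, and `access-list <name> line N ...` inserts in the middle, after which every entry from N onwards is renumbered (Scott's transcript shows the telnet entry moving from line 3 to line 4 and back). The script below is an added example, not code from this thread or from Cisco: it parses `show access-list` output in the shape quoted above (the sample text is constructed), models insert and delete on the parsed list, and emits the corresponding commands. It is useful when scripting ACL changes, because a delete driven by a line number recorded before an insert can hit the wrong entry; the model therefore refuses a delete whose line number and body do not agree. All function names are assumptions made for this example.

```python
import re

# Constructed sample, modelled on the "show access-list" output quoted in the
# thread (hit counters are on the same line as the entry here).
SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inbound; 4 elements
access-list inbound line 1 remark * Telnet
access-list inbound line 2 extended permit tcp any host 10.1.1.1 eq ssh (hitcnt=0)
access-list inbound line 3 extended permit tcp any host 10.1.1.1 eq telnet (hitcnt=0)
"""

# One numbered entry: "access-list NAME line N BODY [(hitcnt=N)]".
ENTRY_RE = re.compile(r"^access-list (\S+) line (\d+) (.*?)(?: \(hitcnt=\d+\))?$")


def parse_show_access_list(text):
    """Return {acl_name: [entry_body, ...]} in line order, hit counters stripped.

    The cache header and the summary line ("access-list inbound; 4 elements")
    do not match ENTRY_RE and are skipped.
    """
    acls = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        name, num, body = m.group(1), int(m.group(2)), m.group(3)
        entries = acls.setdefault(name, [])
        if num != len(entries) + 1:  # the device prints lines in order
            raise ValueError(f"{name}: expected line {len(entries) + 1}, got {num}")
        entries.append(body)
    return acls


def render(name, entries):
    """Re-create the numbered "show access-list" lines for one ACL."""
    return [f"access-list {name} line {i} {body}" for i, body in enumerate(entries, 1)]


def insert_line(entries, line_no, body):
    """Model `access-list NAME line N BODY`: the new entry becomes line N and
    every entry from N onwards moves down by one."""
    if not 1 <= line_no <= len(entries) + 1:
        raise ValueError(f"line {line_no} out of range 1..{len(entries) + 1}")
    entries.insert(line_no - 1, body)


def remove_entry(entries, body, line_no=None):
    """Model `no access-list NAME [line N] BODY`: the body must match the stored
    entry exactly (the "use the exact syntax" rule from the thread). When a line
    number is given it is checked against the entry at that position, so a
    number that went stale after an insert cannot remove the wrong line."""
    if line_no is not None:
        if not 1 <= line_no <= len(entries) or entries[line_no - 1] != body:
            raise ValueError(f"line {line_no} is not '{body}'")
        del entries[line_no - 1]
        return
    try:
        entries.remove(body)  # first exact match only
    except ValueError:
        raise ValueError(f"no entry matches '{body}' exactly") from None


def removal_command(name, body):
    """Command that deletes one entry and leaves the rest of the ACL intact."""
    return f"no access-list {name} {body}"


def clear_command(name):
    """PIX 7 / ASA command that deletes the whole ACL (the 6.3 `no access-list NAME` replacement)."""
    return f"clear configure access-list {name}"


if __name__ == "__main__":
    acl = parse_show_access_list(SHOW_ACCESS_LIST)["inbound"]
    insert_line(acl, 3, "remark * SSH")           # telnet entry shifts to line 4
    print("\n".join(render("inbound", acl)))
    remove_entry(acl, "remark * SSH", line_no=3)  # telnet entry is line 3 again
    print("\n".join(render("inbound", acl)))
    print(removal_command("inbound", acl[2]))
    print(clear_command("inbound"))
```

Run it and the two rendered listings reproduce the renumbering from Scott's transcript; the last two lines are the single-entry delete and the whole-list clear in the syntax the thread gives.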