ACLs in PIX 7 and above

Discussion in 'Cisco' started by Frank Winkler, Oct 4, 2007.

  1. Hi there !

    In 6.3 it was possible to remove an entire ACL with "no acl <acl>". This no
    longer works in PIX 7 - one has to remove every single line. Is this a bug
    or a feature, am I doing anything wrong? What about v8?

    TIA

    fw
     
    Frank Winkler, Oct 4, 2007
    #1

  2. allan16

    try using:

    clear configure access-list acl-name

    *it removes all acls under the acl-name specified
     
    allan16, Oct 4, 2007
    #2

  3. mcaissie

    You can do it with

    firewall(config)# clear configure access-list [acl-name]


    "Frank Winkler" <> wrote in message
    news:...
    > Hi there !
    >
    > In 6.3 it was possible to remove an entire ACL with "no acl <acl>". This
    > no longer works in PIX 7 - one has to remove every single line. Is this a
    > bug or a feature, am I doing wrong anything? What about v8?
    >
    > TIA
    >
    > fw
     
    mcaissie, Oct 4, 2007
    #3
  4. mcaissie wrote:

    >You can do it with
    >
    >firewall(config)# clear configure access-list [acl-name]


    What kind of syntax is that? Never seen.
    With the mentioned behavior, is it possible to delete single lines in an
    ACL without having to re-create the whole list?

    Regards

    fw
     
    Frank Winkler, Oct 5, 2007
    #4
  5. Brian V

    "Frank Winkler" <> wrote in message
    news:...
    > mcaissie wrote:
    >
    > >You can do it with
    > >
    > >firewall(config)# clear configure access-list [acl-name]

    >
    > What kind of syntax is that? Never seen.
    > With the mentioned behavior, is it possible to delete single lines in an
    > ACL without having to re-create the whole list?
    >
    > Regards
    >
    > fw


    You've always been able to delete individual lines on a Pix/ASA ACL; simply
    use the exact syntax, i.e. no access-list outside permit tcp any host 1.1.1.1
    eq smtp
     
    Brian V, Oct 5, 2007
    #5
  6. mcaissie

    "Frank Winkler" <> wrote in message
    news:...
    > mcaissie wrote:
    >
    > >You can do it with
    > >
    > >firewall(config)# clear configure access-list [acl-name]

    >
    > What kind of syntax is that? Never seen.


    My guess is they removed the possibility to inadvertently delete
    a whole access-list when managing it.
     
    mcaissie, Oct 5, 2007
    #6
  7. Scott Perry

    Yes, you can either remove an entire access list or single entries from it.
    You can also insert an entry into the middle of an access list.

    PIX(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
    access-list inbound; 4 elements
    access-list inbound line 1 remark * Telnet
    access-list inbound line 2 extended permit tcp any host 10.1.1.1 eq ssh (hitcnt=0)
    access-list inbound line 3 extended permit tcp any host 10.1.1.1 eq telnet (hitcnt=0)

    PIX(config)# access-list inbound line 3 remark * SSH
    PIX(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
    access-list inbound; 4 elements
    access-list inbound line 1 remark * Telnet
    access-list inbound line 2 extended permit tcp any host 10.1.1.1 eq ssh (hitcnt=0)
    access-list inbound line 3 remark * SSH
    access-list inbound line 4 extended permit tcp any host 10.1.1.1 eq telnet (hitcnt=0)

    PIX(config)# no access-list inbound line 3 remark * SSH
    PIX(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
    access-list inbound; 4 elements
    access-list inbound line 1 remark * Telnet
    access-list inbound line 2 extended permit tcp any host 10.1.1.1 eq ssh (hitcnt=0)
    access-list inbound line 3 extended permit tcp any host 10.1.1.1 eq telnet (hitcnt=0)

    --

    ===========
    Scott Perry
    ===========
    Indianapolis, Indiana
    ________________________________________
    "Frank Winkler" <> wrote in message
    news:...
    > mcaissie wrote:
    >
    > >You can do it with
    > >
    > >firewall(config)# clear configure access-list [acl-name]

    >
    > What kind of syntax is that? Never seen.
    > With the mentioned behavior, is it possible to delete single lines in an
    > ACL without having to re-create the whole list?
    >
    > Regards
    >
    > fw
     
    Scott Perry, Oct 5, 2007
    #7
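The replies above describe three PIX 7.x editing operations: `clear configure access-list NAME` drops a whole list (allan16, mcaissie), `no access-list NAME <exact entry>` drops one entry (Brian V), and `access-list NAME line N ...` inserts before the current entry N, renumbering what follows (Scott Perry's transcript). The following is an added example, not code from the thread or from Cisco: a small offline Python model of those semantics, useful for checking an ACL change script before it is pasted into a firewall. The `PixAcls` class and `walkthrough` function are hypothetical names chosen here; the `inbound` list and 10.1.1.1 host come from Scott Perry's output, and the real `show access-list` element and hit counters are not modelled.

```python
import re

# Command shapes the replies use, matched after whitespace normalisation:
#   clear configure access-list [NAME]
#   [no] access-list NAME [line N] ENTRY...
_CLEAR = re.compile(r"^clear configure access-list(?: (\S+))?$")
_NO_WHOLE = re.compile(r"^no access-list (\S+)$")
_ACL = re.compile(r"^(no )?access-list (\S+)(?: line (\d+))? (.+)$")


class PixAcls:
    """Offline model of PIX/ASA 7.x access-list editing (hypothetical helper).

    Entries (remarks and extended ACEs alike) are kept as plain strings in
    line order, without the 'access-list NAME' prefix. The element count and
    hit counters of the real 'show access-list' output are not modelled.
    """

    def __init__(self):
        self.acls = {}  # name -> list of entry strings; index 0 is line 1

    def apply(self, cmd):
        cmd = " ".join(cmd.split())
        m = _CLEAR.match(cmd)
        if m:
            if m.group(1) is None:
                self.acls.clear()  # bare form wipes every access-list
            else:
                self.acls.pop(m.group(1), None)
            return
        if _NO_WHOLE.match(cmd):
            # The 6.3 habit the question asks about: PIX 7 wants a whole entry.
            raise ValueError("PIX 7 removes a whole list only via "
                             "'clear configure access-list NAME'")
        m = _ACL.match(cmd)
        if not m:
            raise ValueError("unsupported command: " + cmd)
        negate, name, line, entry = m.groups()
        if negate:
            # Deletion is by exact entry text (Brian V's point); when a line
            # number is given, it must point at that same entry.
            entries = self.acls.get(name)
            if entries is None:
                raise ValueError("no access-list named " + name)
            if line is None:
                if entry not in entries:
                    raise ValueError("no such entry in " + name)
                idx = entries.index(entry)
            else:
                idx = int(line) - 1
                if not 0 <= idx < len(entries) or entries[idx] != entry:
                    raise ValueError("line %s of %s is not '%s'" % (line, name, entry))
            del entries[idx]
            if not entries:
                del self.acls[name]
        else:
            entries = self.acls.setdefault(name, [])
            if line is None:
                entries.append(entry)
            else:
                idx = int(line) - 1
                if not 0 <= idx <= len(entries):
                    raise ValueError("line %s is beyond the end of %s" % (line, name))
                entries.insert(idx, entry)  # later entries shift down one line

    def show(self, name):
        """Per-ACL lines of 'show access-list', renumbered from the list order."""
        entries = self.acls.get(name, [])
        out = ["access-list %s; %d line(s)" % (name, len(entries))]
        for n, entry in enumerate(entries, 1):
            out.append("access-list %s line %d %s" % (name, n, entry))
        return out


def walkthrough():
    """Replay the insert-then-delete sequence from the thread; returns each view."""
    fw = PixAcls()
    fw.apply("access-list inbound remark * Telnet")
    fw.apply("access-list inbound extended permit tcp any host 10.1.1.1 eq ssh")
    fw.apply("access-list inbound extended permit tcp any host 10.1.1.1 eq telnet")
    views = [fw.show("inbound")]
    fw.apply("access-list inbound line 3 remark * SSH")     # insert; telnet ACE becomes line 4
    views.append(fw.show("inbound"))
    fw.apply("no access-list inbound line 3 remark * SSH")  # delete; telnet ACE is line 3 again
    views.append(fw.show("inbound"))
    fw.apply("clear configure access-list inbound")         # the 7.x way to drop the whole list
    views.append(fw.show("inbound"))
    return views


if __name__ == "__main__":
    for view in walkthrough():
        print("\n".join(view), end="\n\n")
```

Running the module prints the four views in turn. The model deliberately rejects a bare `no access-list NAME`, so a script written against 6.3 habits fails here rather than silently leaving a list in place on the device.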
