Dear All,

I'm having a production server subnet of around 150 servers (172.16.2.0/24) and all of them are sitting behind FWSM. The current ACL applied is permit ip any any.

Now we have got the details of one server communicating on some ports, and for that we are going to apply the ACL. I came to know about the line numbers in ACE, but for me it's not working. Say, e.g., my LAN is untrusted (192.168.0.0/16):

    access-list test line 1 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq www
    access-list test line 2 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq smtp
    access-list test line 3 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq 445

Now any other traffic for that particular server will be denied:

    access-list test line 500 extended permit ip any host 172.16.2.20
    access-list test line 501 extended permit ip any any

The fascinating thing here is that when I issue the "sh access-list" command, it shows the line numbers for 500 and 501 as 4 & 5 respectively, i.e. anything added later is appended. I want to have ip any any at line 15000, which will be removed once all ACEs for each server are in place. FWSM is running on 3.2. Any ideas about getting lines 500 & 501 fixed at their respective places?

Thanks in advance
Hitesh Vinzoda

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
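As an added example (not from the post or from Cisco), the following Python models what the FWSM does with "line N", namely treat it as a position that is renumbered 1..n on display, and builds the per-server block in the order it must be applied so the positions come out fixed. It assumes the per-host catch-all is meant as a deny (as the text says) and that the source is the 192.168.2.0/24 network; host and ports are the post's own.

```python
from typing import Dict, List

# Constructed sample data taken from the post: the untrusted LAN and one server.
SRC_NET, SRC_MASK = "192.168.2.0", "255.255.255.0"
HOSTS: Dict[str, List[str]] = {"172.16.2.20": ["www", "smtp", "445"]}


def apply_ace(acl: List[str], line: int, ace: str) -> List[str]:
    """Model how an FWSM/ASA handles 'access-list NAME line N ...'.

    N is a position in the list, not a persistent sequence number: a value
    beyond the current end simply appends, and 'show access-list' renumbers
    everything 1..len afterwards.  Returns a new list; the input is untouched.
    """
    pos = min(max(line, 1), len(acl) + 1) - 1
    return acl[:pos] + [ace] + acl[pos:]


def build_acl(name: str, hosts: Dict[str, List[str]], migrating: bool = True) -> List[str]:
    """Emit the ACL in the order it must be applied so positions are stable.

    Per host: one TCP permit per allowed port, then a deny for the rest of
    that host's traffic (assumed intent).  While other servers are still being
    catalogued, the old 'permit ip any any' stays as the very last entry; call
    with migrating=False to drop it once every server has its own block.
    """
    aces: List[str] = []
    for host, ports in hosts.items():
        for port in ports:
            ace = f"permit tcp {SRC_NET} {SRC_MASK} host {host} eq {port}"
            aces = apply_ace(aces, len(aces) + 1, ace)
        aces = apply_ace(aces, len(aces) + 1, f"deny ip any host {host}")
    if migrating:
        aces = apply_ace(aces, len(aces) + 1, "permit ip any any")
    # Number positionally, exactly as 'show access-list' will display them.
    return [f"access-list {name} line {i} extended {a}" for i, a in enumerate(aces, 1)]


if __name__ == "__main__":
    for entry in build_acl("test", HOSTS):
        print(entry)
```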