Sam, I used to copy my list out to notepad and add the new line. Do a 'no access-list from-internet', then cut and paste the new one back in. Keep in mind this will briefly leave you with no access list on that interface. Then re-enter the 'access-group from-internet in interface outside' command, as it will remove it when you do the no access-list command.
You can also use subnet masks if you have a group of IPs; for example, adding 10.10.10.0/29 would grant access to hosts 10.10.10.1 - 7. Someone here also posted a good link to some new features that are available in 6.2 that might be useful: http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

Kris.

-----Original Message-----
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 14, 2003 11:59 AM
To: [EMAIL PROTECTED]
Subject: applying PIX access-lists [7:61033]

I am new to PIX and have a simple question. What methods do you (PIX admins) use to change and apply access-lists? Unlike IOS access-lists, it seems you can remove statements from the middle of the list. When you do this, does the change occur immediately or do you have to reapply the access-group? Do you need to do clear xlate after changing access-lists?

How about the following scenario: I have a PIX that has interface outside with the following access-list:

    access-list from-internet permit ip any host 10.10.10.1
    access-list from-internet permit ip any host 10.10.10.4
    access-list from-internet permit ip any host 10.10.10.5
    access-list from-internet deny ip any any

and

    access-group from-internet in interface outside

Now I want to add "access-list from-internet permit ip any host 10.10.10.2" before "access-list from-internet permit ip any host 10.10.10.4". What is the best way to do this? I thought maybe I would create a new list:

    access-list from-internet permit ip any host 10.10.10.1
    access-list from-internet permit ip any host 10.10.10.2
    access-list from-internet2 permit ip any host 10.10.10.4
    access-list from-internet2 permit ip any host 10.10.10.5
    access-list from-internet2 deny ip any any

then remove the old and apply the new one in successive commands. Is this the standard way of making changes, or do you more experienced admins have a better way? I'm migrating from a Checkpoint environment, so this wasn't an issue when administering them.
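The copy-out, remove, paste-back, re-bind procedure Kris describes is easy to get wrong by hand (a line dropped while pasting, a list pushed without its final deny, or the access-group forgotten). The following script is an added example, not code from either poster or from Cisco: it takes the access-list from Sam's question as a constructed sample, inserts the new host entry in the right position, checks the result before anything is pasted, and emits the command sequence in Kris's order. It also shows the subnet-mask shortcut Kris mentions, using the "network mask" form a PIX access-list line takes rather than slash notation (an assumption about the PIX syntax), and lists every address such a mask matches. The list name, interface name and sample entries are the ones from the thread; the function names are the script's own.

```python
import ipaddress
from typing import List

# Constructed sample input: the access-list and binding from Sam's question.
ACL_NAME = "from-internet"
OUTSIDE_IFACE = "outside"
CURRENT_ACL = [
    "access-list from-internet permit ip any host 10.10.10.1",
    "access-list from-internet permit ip any host 10.10.10.4",
    "access-list from-internet permit ip any host 10.10.10.5",
    "access-list from-internet deny ip any any",
]


def check_acl(acl: List[str], name: str) -> None:
    """Sanity checks before anything is pasted into the PIX.

    Every line must belong to the named list, there must be no duplicate
    entries, and the list must still end with its explicit 'deny ip any any'
    so that nothing is left open after the edit.
    """
    prefix = f"access-list {name} "
    for line in acl:
        if not line.startswith(prefix):
            raise ValueError(f"line belongs to a different list: {line}")
    if len(set(acl)) != len(acl):
        raise ValueError("duplicate entries in access-list")
    if not acl or acl[-1] != f"access-list {name} deny ip any any":
        raise ValueError("access-list must end with an explicit deny ip any any")


def insert_before(acl: List[str], new_entry: str, before_entry: str) -> List[str]:
    """Return a new list with new_entry placed immediately before before_entry.

    The original list is left untouched; the caller decides whether to push it.
    """
    if before_entry not in acl:
        raise ValueError(f"anchor entry not found: {before_entry}")
    idx = acl.index(before_entry)
    return acl[:idx] + [new_entry] + acl[idx:]


def network_entry(name: str, cidr: str) -> str:
    """Build a permit line for a whole subnet in the 'network mask' form
    assumed for a PIX access-list line.

    10.10.10.0/29 -> 'access-list NAME permit ip any 10.10.10.0 255.255.255.248'
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return f"access-list {name} permit ip any {net.network_address} {net.netmask}"


def matched_addresses(cidr: str) -> List[str]:
    """Every address an ACL network/mask pair matches.

    Unlike a host range, the mask also matches the network and broadcast
    addresses, so 10.10.10.0/29 covers .0 through .7 (eight addresses).
    """
    return [str(a) for a in ipaddress.ip_network(cidr, strict=True)]


def replacement_commands(name: str, new_acl: List[str], iface: str) -> List[str]:
    """Command sequence in the order Kris describes: drop the old list, paste
    the new lines in order, then re-bind the list with access-group, because
    'no access-list' removes the binding as well."""
    check_acl(new_acl, name)
    cmds = [f"no access-list {name}"]
    cmds.extend(new_acl)
    cmds.append(f"access-group {name} in interface {iface}")
    return cmds


def sam_change() -> List[str]:
    """Worked instance of Sam's request: add host 10.10.10.2 before 10.10.10.4."""
    new_acl = insert_before(
        CURRENT_ACL,
        "access-list from-internet permit ip any host 10.10.10.2",
        "access-list from-internet permit ip any host 10.10.10.4",
    )
    return replacement_commands(ACL_NAME, new_acl, OUTSIDE_IFACE)


if __name__ == "__main__":
    print("\n".join(sam_change()))
    print(network_entry(ACL_NAME, "10.10.10.0/29"))
    print(matched_addresses("10.10.10.0/29"))
```

The output of `sam_change()` is the block to paste in one go, so the window in which the interface has no access-list is as short as the paste itself; `check_acl` refusing a list without its closing deny is the check worth keeping even if the rest is done by hand.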
How about this for a good question: why aren't the access-lists on the PIX numbered like prefix-lists in BGP? Wouldn't that be very intuitive and easy to work with?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61037&t=61033