The deny statement is there implicitly, but if you put it in as well, when you
do a show access-list command you will see the statistics of how many times
it was "hit".

As far as your suggestion goes, it may not work as well if you have over 100
access-lists and you need to put one in, let's say, the 8th spot.

"Emilia Lambros" wrote in message news:[EMAIL PROTECTED]...
> Why don't you try removing the line you want it to be below (as well as the
> deny ip any any at the end) then put in the new line, the next line(s) and
> the deny line?
>
> ie
> no access-list from-internet permit ip any host 10.10.10.4
> no access-list from-internet permit ip any host 10.10.10.5
> no access-list from-internet deny ip any any
>
> access-list from-internet permit ip any host 10.10.10.2
> access-list from-internet permit ip any host 10.10.10.4
> access-list from-internet permit ip any host 10.10.10.5
> access-list from-internet deny ip any any
>
> That should leave you with
>
> access-list from-internet permit ip any host 10.10.10.1
> access-list from-internet permit ip any host 10.10.10.2
> access-list from-internet permit ip any host 10.10.10.4
> access-list from-internet permit ip any host 10.10.10.5
> access-list from-internet deny ip any any
>
> It's a little shuffling but it gets you there ;)  Is there any reason other
> than numerical order that the 10.10.10.2 line needs to be above the
> 10.10.10.2 line since they're all permits anyway?
>
> Also, for my own interest, is the deny ip any any required?  I was of the
> impression that everything was closed until you opened it which means there
> should already be an implicit deny ip any any.. ?
>
> Em
>
>
>
>
> -----Original Message-----
> From: Sam Sneed [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 15 January 2003 3:29 AM
> To: [EMAIL PROTECTED]
> Subject: applying PIX access-lists [7:61033]
>
>
> I am new to PIX and have a simple question. What methods do you (PIX Admins)
> use to change and apply access-lists. Unlike IOS access-lists it seems you
> can remove statements from the middle of the list. When you do this does the
> change occur immediately or do you have to reapply the access-group? Do you
> need to do clear xlate after changing access-lists?
>
> how about the following scenario:
>
> I have a PIX that has interface outside with the following access-list:
>
> access-list from-internet permit ip any host 10.10.10.1
> access-list from-internet permit ip any host 10.10.10.4
> access-list from-internet permit ip any host 10.10.10.5
> access-list from-internet deny ip any any
>
> and
>
> access-group from-internet in interface outside
>
> now I want to add "access-list from-internet permit ip any host 10.10.10.2"
> before "access-list from-internet permit ip any host 10.10.10.4".
>
> What is the best way to do this?
> I thought maybe I would create a new list :
>
> access-list from-internet2 permit ip any host 10.10.10.1
> access-list from-internet2 permit ip any host 10.10.10.2
> access-list from-internet2 permit ip any host 10.10.10.4
> access-list from-internet2 permit ip any host 10.10.10.5
> access-list from-internet2 deny ip any any
>
> then remove the old and apply the new one in successive commands.
> Is this the standard way of making changes or do you more experienced admins
> have a better way. I'm migrating from a checkpoint environment so this
> wasn't an issue when administering them.
>
> How about this for a good question.... Why aren't the access-lists on the
> PIX numbered like prefix-lists in BGP. Wouldn't that be very intuitive and
> easy to work with?
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61062&t=61033
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
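The remove-and-re-add shuffle proposed in the quoted reply, and the objection to it for long lists, generalize to a small command generator plus a first-match evaluator. This is an added example, not code from the thread, from GroupStudy, or from Cisco. It assumes the append-only behaviour of the older PIX `access-list` command (PIX 6.3 and later also accept `access-list NAME line N ...`, which makes the shuffle unnecessary), models only the `ip`, `any` and `host` forms used in the messages, and runs over constructed sample traffic. The evaluator keeps one extra counter for the implicit deny, which shows why an explicit trailing `deny ip any any` is the only way to see those hits in `show access-list`.

```python
from ipaddress import ip_address

# Constructed sample: the access-list from the thread, written as the text
# after "access-list from-internet " in the order the PIX evaluates it.
ORIGINAL = [
    "permit ip any host 10.10.10.1",
    "permit ip any host 10.10.10.4",
    "permit ip any host 10.10.10.5",
    "deny ip any any",
]


def insertion_commands(name, aces, new_ace, position):
    """CLI lines that insert new_ace at index `position` of an append-only list.

    Every entry from `position` to the end is removed and re-added after the
    new one, so the number of commands grows with the length of the tail.
    That is the cost the reply above raises for a 100-entry list.
    """
    tail = aces[position:]
    cmds = [f"no access-list {name} {ace}" for ace in tail]
    cmds += [f"access-list {name} {ace}" for ace in [new_ace] + tail]
    return cmds


def apply_commands(name, aces, cmds):
    """Simulate the PIX: 'access-list NAME ...' appends to the named list and
    'no access-list NAME ...' removes the exactly matching entry."""
    acl = list(aces)
    prefix = f"access-list {name} "
    for cmd in cmds:
        if cmd.startswith("no " + prefix):
            acl.remove(cmd[len("no " + prefix):])
        elif cmd.startswith(prefix):
            acl.append(cmd[len(prefix):])
        else:
            raise ValueError(f"not a command for list {name}: {cmd!r}")
    return acl


def _parse_ace(ace):
    """Parse 'permit|deny ip <src> <dst>' where each address is 'any' or
    'host A.B.C.D' (the only forms used in the thread)."""
    tokens = ace.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {ace!r}")
    specs, i = [], 2
    while i < len(tokens):
        if tokens[i] == "any":
            specs.append(None)          # None matches every address
            i += 1
        elif tokens[i] == "host":
            specs.append(ip_address(tokens[i + 1]))
            i += 2
        else:
            raise ValueError(f"unsupported address form in {ace!r}")
    if len(specs) != 2:
        raise ValueError(f"expected source and destination in {ace!r}")
    return action, specs[0], specs[1]


def evaluate(acl, packets):
    """First-match evaluation of (src, dst) packets.

    Returns (decisions, hits): one hit counter per entry plus a final counter
    for the implicit deny that catches anything no entry matched. With an
    explicit 'deny ip any any' as the last entry, that final counter stays at
    zero and the denials are counted on an entry 'show access-list' displays.
    """
    parsed = [_parse_ace(ace) for ace in acl]
    hits = [0] * (len(acl) + 1)
    decisions = []
    for src, dst in packets:
        src, dst = ip_address(src), ip_address(dst)
        for i, (action, want_src, want_dst) in enumerate(parsed):
            if (want_src is None or want_src == src) and \
               (want_dst is None or want_dst == dst):
                hits[i] += 1
                decisions.append(action)
                break
        else:
            hits[-1] += 1               # fell off the end: implicit deny
            decisions.append("deny")
    return decisions, hits


if __name__ == "__main__":
    cmds = insertion_commands("from-internet", ORIGINAL,
                              "permit ip any host 10.10.10.2", 1)
    print("\n".join(cmds))
    new_acl = apply_commands("from-internet", ORIGINAL, cmds)
    # Constructed traffic: one flow to the newly permitted host, one to a
    # host no entry covers.
    packets = [("192.0.2.10", "10.10.10.2"), ("192.0.2.10", "10.10.10.9")]
    print(evaluate(new_acl, packets))
    print(evaluate(new_acl[:-1], packets))   # same list without explicit deny
```

Running it prints the seven commands from the quoted reply in order, the resulting five-entry list, and two evaluations: with the explicit deny the second flow is counted on entry 5, without it the same denial lands only on the implicit counter. Calling `insertion_commands` with a constructed 100-entry list and position 7 yields 187 commands, which is the point made about the 8th spot.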