Are PIX access-lists processed top to bottom?

rustyrustynail (Technical User), Jan 29, 2009
Hi Experts

Can someone please confirm whether PIX access-lists are processed top to bottom? If yes, how can I change the order of the access-lists?

My config includes the following three lines in the same order as shown below.

access-list acl-outside deny ip any any
access-list acl-outside permit tcp any host 85.90.xxx.xx eq www
access-list acl-outside permit tcp any host 85.90.xxx.xx eq https

The 2nd and 3rd lines, which allow access to the 85.90.xxx.xx address, are not working and the resource is not accessible from the Internet.

Is this because of the order of the access-lists? How can I change it?

Will greatly appreciate any help. Thanks.

PIX Newbie.
 
Update:

I just noticed the first line access-list shows "deny ip any any" and not "deny tcp any any" so this may be totally irrelevant and not have an effect on the other access-lists below it which have tcp as the protocol. Confirmation anyone?
 
Access lists are processed top down. Your last line of the access list should read: access-list name tcp deny any any

What version of PIX is this? If it's a 501, show access-list should give you the line number, like:

access-list name line 1 permit x.x.x.x any any

If it's a PIX 515 you will have to go into config t:
no access-list acl-outside deny ip any any
access-list acl-outside deny ip any any

It's weird, but it will put it at the bottom.
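A small first-match simulator, added here as an example and not part of the thread, that walks the three lines from the question: it shows why the deny on top shadows the two permits, and how the no/re-add step from the answer moves that entry to the bottom. The parser, the function names and the "no match means deny" rule are assumptions covering only the subset of access-list syntax used in the thread.

```python
# Added example (not from the thread): first-match evaluation of PIX-style
# access-list lines, limited to the syntax subset the question uses.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    name: str            # access-list name, e.g. acl-outside
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", ...
    dst: str             # "any" or a host address
    port: Optional[str]  # service after "eq", if present


def parse_ace(line: str) -> Ace:
    """access-list NAME ACTION PROTO SRC DST [eq PORT]; 'host X' collapses to X."""
    t = line.replace("host ", "").split()
    port = t[t.index("eq") + 1] if "eq" in t else None
    return Ace(t[1], t[2], t[3], t[5], port)


def lookup(acl: List[Ace], proto: str, dst: str, port: Optional[str] = None) -> str:
    """Top-down, first match wins; the implicit deny applies if nothing matches."""
    for ace in acl:
        if ace.proto not in ("ip", proto):     # "ip" covers every protocol
            continue
        if ace.dst not in ("any", dst):
            continue
        if ace.port not in (None, port):       # no "eq" means any port
            continue
        return ace.action
    return "deny"


def no_then_readd(acl: List[Ace], line: str) -> List[Ace]:
    """Emulate 'no access-list <line>' followed by re-entering the same line:
    the entry is deleted and re-created at the bottom, as the answer describes."""
    target = parse_ace(line)
    return [a for a in acl if a != target] + [target]


# Constructed config, in the order posted in the question (address as posted).
CONFIG = [
    "access-list acl-outside deny ip any any",
    "access-list acl-outside permit tcp any host 85.90.xxx.xx eq www",
    "access-list acl-outside permit tcp any host 85.90.xxx.xx eq https",
]
acl = [parse_ace(l) for l in CONFIG]
before = lookup(acl, "tcp", "85.90.xxx.xx", "www")    # "deny": shadowed by line 1
fixed = no_then_readd(acl, CONFIG[0])
after = lookup(fixed, "tcp", "85.90.xxx.xx", "www")   # "permit": deny is now last
other = lookup(fixed, "tcp", "85.90.xxx.xx", "ssh")   # "deny": hits the moved deny
```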
 
Thanks North, this worked like a charm! You're a star!

P.S. It's a 506E I've got.
 