
Modify ACL on the fly without incurring downtime


Imprezin

Technical User
Jul 22, 2003

Hi, we are currently using a Pix515 and have the following ACL configured. I would like to add .47 remotely but have not had much luck with this in the past. What I mean is that modifying the ACL on the fly will cause me to lose connection to the pix. Should I add just this one line or paste the entire ACL while in config mode?

access-list acl_inbound permit tcp any host x.x.x.40 eq https
access-list acl_inbound permit tcp any host x.x.x.41 eq https
access-list acl_inbound permit tcp any host x.x.x.42 eq 3389
access-list acl_inbound permit tcp any host x.x.x.41 eq smtp
access-list acl_inbound permit tcp any host x.x.x.43 eq 3389
access-list acl_inbound permit tcp any host x.x.x.44 eq 3389

access-list acl_inbound permit tcp any host x.x.x.47 eq 3389

Thanks for the help.
John C.
 
You can just add it on the fly. As long as it doesn't use any of the connection elements of your remote session, you should be fine.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
You should be able to do a "show access-list" and have it display the access list entries line by line. Then you can add or remove entries on a line-by-line basis.

ex.

Code:
access-list 101 line 1 extended permit tcp any any eq 80
access-list 101 line 2 extended permit udp any any eq 1234
....
access-list 101 line 45 extended permit tcp any any eq 5432

Now to add a line in you would do something like this:

Code:
access-list 101 line # permit/deny protocol src dst eq 1234
Replace # with the line number you want the new entry to be at.
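The two answers above describe a first-match ACL where the position of an entry decides what it affects, and where an on-the-fly change is safe only if it does not touch the flow your own remote session depends on. The following Python script is an added example (not from the thread or from Cisco) that models that behaviour: it parses "show access-list" style output, models "access-list NAME line N ..." insertion with renumbering, and runs a first-match check (including the implicit deny at the end) for a flow you rely on before you apply the change. The ACL entries, the 203.0.113.x / 198.51.100.x addresses and the small port-name table are constructed assumptions standing in for the poster's x.x.x.N hosts.

```python
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed sample: the thread's six acl_inbound entries, rendered the way
# "show access-list" prints them (with line numbers), using RFC 5737 addresses
# in place of the poster's x.x.x.N hosts.
SAMPLE_ACL = """\
access-list acl_inbound line 1 permit tcp any host 203.0.113.40 eq https
access-list acl_inbound line 2 permit tcp any host 203.0.113.41 eq https
access-list acl_inbound line 3 permit tcp any host 203.0.113.42 eq 3389
access-list acl_inbound line 4 permit tcp any host 203.0.113.41 eq smtp
access-list acl_inbound line 5 permit tcp any host 203.0.113.43 eq 3389
access-list acl_inbound line 6 permit tcp any host 203.0.113.44 eq 3389
"""

# Handles "any" and "host A.B.C.D" endpoints, with or without the "extended" keyword.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) (?:extended )?"
    r"(?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\S+))?$"
)

# Assumption: only a handful of service keywords are mapped; numeric ports pass through.
PORT_NAMES = {"https": 443, "smtp": 25, "www": 80, "ssh": 22}


def port_number(token: Optional[str]) -> Optional[int]:
    """Turn an 'eq' token (name or number) into a port; None means any port."""
    if token is None:
        return None
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


@dataclass(frozen=True)
class Entry:
    name: str
    line: int
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp" or "ip"
    src: str             # "any" or "host A.B.C.D"
    dst: str
    port: Optional[str]  # raw 'eq' token such as "https" or "3389"

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        """Does this single ACE match the given flow?"""
        if self.proto not in ("ip", proto):
            return False
        if self.src != "any" and self.src != f"host {src_ip}":
            return False
        if self.dst != "any" and self.dst != f"host {dst_ip}":
            return False
        p = port_number(self.port)
        return p is None or p == dport

    def render(self) -> str:
        """Render in the 'access-list NAME line N ...' form the CLI accepts."""
        s = f"access-list {self.name} line {self.line} {self.action} {self.proto} {self.src} {self.dst}"
        return s + (f" eq {self.port}" if self.port else "")


def parse_acl(text: str) -> List[Entry]:
    """Parse 'show access-list' style output into entries ordered by line number."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = ACL_RE.match(raw)
        if not m:
            raise ValueError(f"unparsed ACL line: {raw!r}")
        g = m.groupdict()
        entries.append(Entry(g["name"], int(g["line"]), g["action"], g["proto"],
                             g["src"], g["dst"], g["port"]))
    return sorted(entries, key=lambda e: e.line)


def insert_entry(entries: List[Entry], line_no: int, new: Entry) -> List[Entry]:
    """Model 'access-list NAME line N ...': the new ACE takes position N and every
    ACE from N onward moves down one line. A number past the end appends
    (assumption about the CLI's behaviour, not verified against every release)."""
    pos = max(1, min(line_no, len(entries) + 1))
    result = list(entries[:pos - 1]) + [new] + list(entries[pos - 1:])
    return [replace(e, line=i) for i, e in enumerate(result, start=1)]


def first_match(entries: List[Entry], proto: str, src_ip: str, dst_ip: str, dport: int) -> Optional[Entry]:
    """Return the first ACE that matches the flow, or None for the implicit deny."""
    for e in entries:
        if e.matches(proto, src_ip, dst_ip, dport):
            return e
    return None


def would_block(entries: List[Entry], proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
    """True if the ACL (including the implicit deny at the end) drops this flow."""
    hit = first_match(entries, proto, src_ip, dst_ip, dport)
    return hit is None or hit.action == "deny"


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    # The thread's change: one new permit placed at line 7 (constructed .47 address).
    add = Entry("acl_inbound", 0, "permit", "tcp", "any", "host 203.0.113.47", "3389")
    print(insert_entry(acl, 7, add)[6].render())
    # A broad deny that is harmless at the end but would cut off an RDP hop via .42 at line 1.
    deny = Entry("acl_inbound", 0, "deny", "tcp", "any", "any", "3389")
    for n in (1, 7):
        blocked = would_block(insert_entry(acl, n, deny), "tcp", "198.51.100.7", "203.0.113.42", 3389)
        print(f"deny at line {n}: RDP hop to .42 {'BLOCKED' if blocked else 'still permitted'}")
```

Paste the output of "show access-list" into SAMPLE_ACL, describe the flow your session rides on (for example an RDP hop through the firewall), and run the check for the candidate line number before typing the command on the box; the deny example shows why the line number matters most for deny statements.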
 

Supergrrover, thank you for that piece of information. I misunderstood completely how the ACL would behave when making changes on the fly.

baddos, thank you as well for the line # piece; this will help greatly when adding deny statements.

Also, I waited until after hours to apply the changes, hence the late response. Fortunately, I am adding a development server and there was no rush. Everything went smoothly after adding the following line.

access-list acl_inbound line 7 permit tcp any host x.x.x.47 eq 3389

Thanks again for the help.

John C.



 
Be sure to
wri mem

to save the changes to the startup config.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 