
Newbie Questions on PIX


kfriend

MIS
Feb 10, 2003
50
US
Hello,

I have two questions:
#1-Is there a way of clearing out only one mistake entry?
Suppose I am using names, and I put in a bogus IP address by mistake:
names
name SomeHost Valid_But_Wrong_IP

Is there a way of cleaning out JUST that entry? I tried:
clear name SomeHost
but that wiped out everyone. =/

Also, is there a good way to script access-lists? I have a host-allow file from a unix server, and I realize it's going to take quite awhile to put in access lists for it.

Any input would be greatly appreciated. Thanks.

 
Shows you how much of a newb I really am... on the names example it should have been

names
name Valid_But_Bogus_IP SomeHost

and I want to clear JUST THAT ENTRY...not all of them
 
Let's say this is your existing ACL

access-list inside_out permit tcp any host MY.PRV.NET.8 eq www
access-list inside_out permit tcp any host MY.PRV.NET.11 eq www

and you wanted to enable SSL on the .8 server

Cisco recommends you remove and recreate the ACL each time you make a change and then reapply it to the interface.

This is because the ACL is read and applied from top to bottom. If your ACL is very long and you are about to add a statement that will get a very high number of hits, it will be added at the very end of the ACL and the PIX will need to read through the entire ACL every time to find the added statement.

This, by the way, is a good reason to do regular "show access-list" command. It shows you the number of hits to each entry and you can reorganize the ACLs to meet the usage demands.

I copy and paste the existing ACL into notepad, go to the top of the file and add a "conf t" and a "no access-list ..." statement, then insert the desired entry to the appropriate place in the ACL and then reapply it to the desired interface. I also add the command to write the config to memory, to standby (if you have failover,) and finally a clear xlate statement.

Then I only need to be at the terminal or telnetted in and copy/paste the complete contents in.

;enter config mode
conf t
;remove the existing ACL
no access-list inside_out
;recreate the ACL
access-list inside_out permit tcp any host MY.PRV.NET.8 eq www
;adding https on the .8 server
access-list inside_out permit tcp any host MY.PRV.NET.8 eq https
access-list inside_out permit tcp any host MY.PRV.NET.11 eq www
access-group inside_out in interface inside
wr mem
wr stand
clear xlate

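The remove-and-recreate procedure above, and the single-entry "no" removal discussed later in the thread, as an added example script (not posted by anyone in the thread). It assumes the ACL lines from the thread as constructed sample input and emits the paste block for a terminal session; the host addresses are the thread's placeholders.

```python
# Builds PIX CLI paste blocks: full ACL rebuild with a new entry at a chosen
# position, or "no ..." lines to drop individual entries. Added example; the
# sample ACL below is constructed from the thread's own placeholder lines.

EXISTING_ACL = [
    "access-list inside_out permit tcp any host MY.PRV.NET.8 eq www",
    "access-list inside_out permit tcp any host MY.PRV.NET.11 eq www",
]


def acl_name(line):
    """Return the ACL name from an 'access-list <name> ...' line."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    return parts[1]


def rebuild_acl(existing, new_entry, position, interface="inside", failover=True):
    """Paste block: drop the ACL, recreate it with new_entry at index
    `position` (0 = top, so high-hit rules can go first), reapply it with
    access-group, save to flash (and standby), then clear xlate."""
    name = acl_name(existing[0])
    if any(acl_name(e) != name for e in existing) or acl_name(new_entry) != name:
        raise ValueError("all entries must belong to the same ACL")
    if new_entry in existing:
        raise ValueError("entry already present in ACL")
    if not 0 <= position <= len(existing):
        raise ValueError("position out of range")
    entries = existing[:position] + [new_entry] + existing[position:]
    lines = ["conf t", f"no access-list {name}"] + entries
    lines.append(f"access-group {name} in interface {interface}")
    lines.append("wr mem")
    if failover:
        lines.append("wr stand")  # only meaningful with a failover pair
    lines.append("clear xlate")
    return lines


def remove_entries(existing, to_remove):
    """Paste block that removes single entries with the 'no' prefix, so the
    whole ACL does not have to be rebuilt for a plain deletion."""
    missing = [e for e in to_remove if e not in existing]
    if missing:
        raise ValueError(f"not in ACL: {missing}")
    return ["conf t"] + [f"no {e}" for e in to_remove] + ["wr mem"]


if __name__ == "__main__":
    https = "access-list inside_out permit tcp any host MY.PRV.NET.8 eq https"
    print("\n".join(rebuild_acl(EXISTING_ACL, https, 1)))
```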
 
haknwak -- Thanks for the input.

So, the only way to delete one entry, is to show the entire ACL (show access-list), copy it to notepad, delete it on the pix, remove said entry from notepad, and paste it back into the pix console?

Curious, will the pix take the pasted commands w/ carriage returns and everything?



 
Taking pasted commands depends on how you access the PIX. I use them frequently with a simple HyperTerminal connection by doing a paste-to-host.

-gbiello
 
HI.

> Is there a way of cleaning out JUST that entry?
Try the "no" prefix:

no name ...

If you have a new pix system, I recommend that you try to use PDM - the GUI interface of the pix.
It can be easier for both newbie and experienced users (at least I think so), and when you manage access-list for example, it will deal with the process of recreating it if needed by itself.
PDM is not perfect, but most of the tasks can be done with it.

> Also, is there a good way to script access-lists?
I think that it is best for you to manually add those entries one by one, because:
* The Unix configuration probably does not match nor follow the exact same logic as the pix scenario, so automating the migration process will probably be more difficult than manual addition of rules.
* How many rules do you have? More than 50?
* Manual addition will give you more control over the process.
* You're a pix newbie.

Bye
Yizhar Hurwitz
 
kfriend - HyperTerminal "paste to host" and copy/paste in telnet both work fine. And btw - there is no real REM or COMMENT character in PIX, but the semicolon as I put in here will just give an error that it was not a command and pass that statement by. It's nice so you can remember what you did and why.
 
And kfriend - no, you don't have to remove the entire ACL to remove a single statement - as yizhar said - if you just want to delete an entry, put a no in front of the statement(s) you want to remove and paste it in in config mode. I do that all the time too if I'm not replacing or adding statements.

for example a simple
no access-list inside_out permit tcp any host MY.PRV.NET.8 eq https
works fine to remove the entry
 
thanks again for the information everyone. I think I am going to continue the fight in CLI rather than use a GUI. At least then I should understand what I'm doing...maybe not though.
 