The statement below does not sound correct. Please check the following link :
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/mngacl.htm (watch for line wrap)

It says:

Allowing Inbound Connections
By default, the PIX Firewall denies access to an internal or perimeter (more secure) network from an external (less secure) network. You specifically allow inbound connections by using access lists. Access lists work on a first-match basis, so for inbound access, you must deny first and then permit after.

So it is not a longest match, but rather a first match...

For the original question of "adding a rule line in the middle of a list easily using CLI", I think copy/paste is the fastest method. Here is an example:

Assume the following is your current access-list:

access-list acl_in permit tcp any host xx.xx.xx.xx eq www
access-list acl_in permit tcp any host xx.xx.xx.xx eq ftp
access-list acl_in permit tcp any any eq www
access-list acl_in deny tcp any any

Now, to add the line "access-list acl_in deny ip host 10.10.10.10 any eq icmp" as the second line in the list, copy the following text and paste it to the PIX.

************************************************************************
no access-list acl_in permit tcp any host xx.xx.xx.xx eq ftp
no access-list acl_in permit tcp any any eq www
no access-list acl_in deny tcp any any
access-list acl_in deny ip host 10.10.10.10 any eq icmp
access-list acl_in permit tcp any host xx.xx.xx.xx eq ftp
access-list acl_in permit tcp any any eq www
access-list acl_in deny tcp any any
************************************************************************

Note that, with this method, there is a time of "delta t" which may deny some access to inbound traffic (due to the implicit deny at the end of the list) or grant access to outbound traffic (due to the implicit permit at the end of the list if the traffic is to a less secure interface). This is not a security leak though...
Best regards,
Ufuk Yasibeyli

>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
>Sent: 08 May 2002, Wednesday 19:56
>To: [EMAIL PROTECTED]
>Subject: RE: pix access-list [7:43595]
>
>
>Hi,
>
>The access-list configured on the PIX does not get processed in the order in which
>you put the access-list (i.e. top-down approach)... It works very much like how a router
>selects the route based on the longest prefix. And when there is a mix of permit and deny
>statements, always keep your deny statements at the top and all your permits at the bottom.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43737&t=43595
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
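As an added illustration (not part of Ufuk's post or of Cisco's documentation), the Python below models the first-match evaluation the post quotes and generates the "no the tail, add the new line, re-add the tail" command sequence for inserting a rule mid-list. The address 192.0.2.10 is a constructed stand-in for the post's xx.xx.xx.xx placeholder, and the inserted deny line is a simplified version of the post's example (the "eq icmp" qualifier dropped). The parser is a hypothetical minimal one: it only understands "any"/"host" addresses and an optional "eq" port, which is all the sample list needs.

```python
"""First-match ACL evaluation and mid-list insertion, modelled on the PIX CLI.

Added example: the parser and evaluator here are a deliberately small model,
not PIX code. Addresses below are constructed (192.0.2.10 replaces the
post's xx.xx.xx.xx placeholder).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp", ...
    src: str             # "any" or a host address
    dst: str             # "any" or a host address
    port: Optional[str]  # value after "eq", or None


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume 'any' or 'host X' from the front of the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError("only 'any' and 'host X' addresses are modelled")


def parse_entry(line: str) -> Tuple[str, AclEntry]:
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line: %r" % line)
    name, action, proto = tokens[1], tokens[2], tokens[3]
    src, rest = _take_addr(tokens[4:])
    dst, rest = _take_addr(rest)
    port = rest[1] if rest[:1] == ["eq"] else None
    return name, AclEntry(action, proto, src, dst, port)


def first_match(acl: List[str], proto: str, src: str, dst: str,
                port: Optional[str] = None) -> Tuple[str, str]:
    """Walk the list top-down and return (action, matching line).

    The first entry whose fields all match decides; later entries are never
    consulted. A list with no matching entry ends in the implicit deny the
    post mentions.
    """
    for line in acl:
        _, e = parse_entry(line)
        if e.proto not in ("ip", proto):
            continue
        if e.src not in ("any", src) or e.dst not in ("any", dst):
            continue
        if e.port is not None and e.port != port:
            continue
        return e.action, line
    return "deny", "<implicit deny at end of list>"


def insert_commands(acl: List[str], new_line: List[str] or str,
                    position: int) -> List[str]:
    """CLI lines to paste so that new_line ends up at index `position`.

    Mirrors the post's method: remove every line from `position` onward,
    add the new line, then re-add the removed lines in their original order.
    Between the first 'no' and the last re-add the list is shorter than
    intended (the post's "delta t").
    """
    tail = acl[position:]
    return ["no " + line for line in tail] + [new_line] + tail


def apply_insert(acl: List[str], new_line: str, position: int) -> List[str]:
    """The access-list as it reads once the pasted commands have all run."""
    return acl[:position] + [new_line] + acl[position:]


# Constructed sample list (the post's list with 192.0.2.10 for xx.xx.xx.xx).
ACL = [
    "access-list acl_in permit tcp any host 192.0.2.10 eq www",
    "access-list acl_in permit tcp any host 192.0.2.10 eq ftp",
    "access-list acl_in permit tcp any any eq www",
    "access-list acl_in deny tcp any any",
]
NEW_LINE = "access-list acl_in deny ip host 10.10.10.10 any"


if __name__ == "__main__":
    for cmd in insert_commands(ACL, NEW_LINE, 1):
        print(cmd)
    after = apply_insert(ACL, NEW_LINE, 1)
    # FTP from 10.10.10.10 now hits the new deny before the ftp permit,
    # while www to 192.0.2.10 is still permitted by line 1, which precedes it.
    print(first_match(after, "tcp", "10.10.10.10", "192.0.2.10", "ftp"))
    print(first_match(after, "tcp", "10.10.10.10", "192.0.2.10", "www"))
```

The two `first_match` calls at the bottom show why position matters on a first-match list: placed second, the deny catches FTP from 10.10.10.10 but not HTTP, because the HTTP permit on line 1 is consulted first. Appended at the end instead, the same deny would never be reached for any traffic the earlier permits already cover.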

