Is it true that the behavior of an ACL differs a bit between PIX and routers?
I can see on my PIX 6.3(4) that I need to apply the ACL with the command "access-group" for the ACL to take effect. In this way I can modify the ACL the way I like without having to worry about the traffic flowing through the device. I always modified ACLs using PDM, but now I need to use the CLI.
You have a couple of choices in modifying an ACL in the PIX through the CLI.
- First, you create a new one, then you apply it with the command access-group. The advantage is that you keep a copy of your old one and you can undo your changes easily with the access-group command. And if you make mistakes when creating the new one, you won't screw up anything, since it's not effective until you activate it with the access-group command. I would say it's the beginner's choice.
- One other way is to make changes live in the ACL without bothering with the access-group command. To do that, first do a sh [acl]
Ex: sh a-in
access-list a-in line 1 permit tcp host 10.220.56.146 any eq smtp (hitcnt=66921)
access-list a-in line 2 deny tcp any any eq smtp (hitcnt=560)
access-list a-in line 3 permit ip 10.220.56.0 255.255.248.0 any (hitcnt=2175310)
access-list a-in line 4 deny ip any any (hitcnt=0)
You can see you now have the line # parameter appearing.
To delete a single line you have to "no" the line, including the line #.
Ex: if I do no access-list a-in line 2 deny tcp any any eq smtp (you have to specify the whole line; "no access-list a-in line 2" would do nothing)
then I get sh a-in
access-list a-in line 1 permit tcp host 10.220.56.146 any eq smtp (hitcnt=66921)
access-list a-in line 2 permit ip 10.220.56.0 255.255.248.0 any (hitcnt=2175310)
access-list a-in line 3 deny ip any any (hitcnt=0)
To insert a line, just add the line # where you want to insert it:
access-list a-in line 3 deny tcp any any eq smtp
and I now have
access-list a-in line 1 permit tcp host 10.220.56.146 any eq smtp (hitcnt=66921)
access-list a-in line 2 permit ip 10.220.56.0 255.255.248.0 any (hitcnt=2175310)
access-list a-in line 3 deny tcp any any eq smtp (hitcnt=0)
access-list a-in line 4 deny ip any any (hitcnt=0)
Changes will be effective immediately.
- The third way is to use object-groups. For example, I could create a group for SMTP servers.
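The line-numbered edit semantics described in the post above (delete only when the full ACE is given, insert before line N with renumbering), replayed in a small simulator. This is an added example, not code from the thread or from Cisco; the `show access-list` text is constructed from the post and the hit counters are illustrative.

```python
import re

# One 'show access-list' line on PIX 6.3: name, line number, ACE text, hit counter
ACE_RE = re.compile(r"^access-list (\S+) line (\d+) (.+?) \(hitcnt=(\d+)\)$")

def parse_show(output):
    """Parse 'show access-list' output into an ordered list of (ace_text, hitcnt)."""
    entries = []
    for raw in output.strip().splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            entries.append((m.group(3), int(m.group(4))))
    return entries

def render(name, entries):
    """Render entries back to 'show access-list' form, renumbering from line 1."""
    return [f"access-list {name} line {i} {ace} (hitcnt={hits})"
            for i, (ace, hits) in enumerate(entries, start=1)]

def no_line(entries, line, ace):
    """'no access-list <acl> line N <ace>': delete line N only if the ACE matches.
    A bare line number (ace=None) is a no-op, as the post describes."""
    idx = line - 1
    if 0 <= idx < len(entries) and ace is not None and entries[idx][0] == ace:
        return entries[:idx] + entries[idx + 1:]
    return list(entries)

def insert_line(entries, line, ace):
    """'access-list <acl> line N <ace>': insert at line N, shifting later lines down.
    A new line starts with hitcnt=0; a line number past the end appends."""
    idx = min(max(line - 1, 0), len(entries))
    return entries[:idx] + [(ace, 0)] + entries[idx:]

# Constructed 'sh a-in' output mirroring the thread's example
SHOW_A_IN = """
access-list a-in line 1 permit tcp host 10.220.56.146 any eq smtp (hitcnt=66921)
access-list a-in line 2 deny tcp any any eq smtp (hitcnt=560)
access-list a-in line 3 permit ip 10.220.56.0 255.255.248.0 any (hitcnt=2175310)
access-list a-in line 4 deny ip any any (hitcnt=0)
"""

def walk_through():
    """Replay the post's delete-then-insert sequence and return the final listing."""
    acl = parse_show(SHOW_A_IN)
    acl = no_line(acl, 2, None)                        # bare line number: nothing happens
    acl = no_line(acl, 2, "deny tcp any any eq smtp")  # full ACE given: line 2 removed
    acl = insert_line(acl, 3, "deny tcp any any eq smtp")  # re-insert as new line 3
    return render("a-in", acl)
```

Running `walk_through()` reproduces the listing the post shows after the two commands, with the inserted rule at line 3 and the deny ip any any pushed to line 4.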
I don't think so, given the fact that PDM always performs the command "access-group" after having changed the ACL. Maybe it is extra work to be sure that the new ACL applies to the interface where it already worked, but it behaves so.
If you modify an existing ACL, then it is already bound to the interface, so you don't need to do it again. I usually do as mcaisse suggested: either insert or delete lines using the line numbers, or create rules with object groups and then just add items to the groups. It has immediate effect. You don't need to re-apply it.
There's more. I noticed today in 6.3(4) that in a running PIX, if you remove the ACL with the "clear access-list" command, you need, after regenerating the ACL, to reapply the "access-group", because the "clear access-list" removes not only the access list but the access-group also.
This is VERY different from IOS where you can remove an acl and regenerate it from scratch WITHOUT the need to reapply that to the interfaces.
Yes, that is correct. You also have to be careful about removing the ACL used for a crypto map, as the corresponding line will be removed automatically and a partial crypto-map will result. Partial crypto-maps may act oddly, including [if I recall the documentation correctly] matching -all- traffic :(
Essentially, if you remove an access-list, the PIX will automatically delete all lines that reference the access-list. Sometimes it is smart enough to refuse to allow you to remove the list while there are still references.