ACLs in PIX 7 and above

Hi there !

In 6.3 it was possible to remove an entire ACL with "no acl ". This no longer works in PIX 7 - one has to remove every single line. Is this a bug or a feature, or am I doing anything wrong? What about v8?

TIA

fw

Reply to
Frank Winkler

You can do it with

firewall(config)# clear configure access-list [acl-name]

Reply to
mcaissie

What kind of syntax is that? Never seen it. With the mentioned behavior, is it possible to delete single lines in an ACL without having to re-create the whole list?

Regards

fw

Reply to
Frank Winkler

You've always been able to delete individual lines on a Pix/ASA ACL, simply use the exact syntax, i.e. no access-list outside permit tcp any host 1.1.1.1 eq smtp

Reply to
Brian V

My guess is they removed the possibility to inadvertently delete a whole access-list when managing it.

Reply to
mcaissie

Yes, you can either remove an entire access list or single entries from it. You can also insert an entry into the middle of an access list.

PIX(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list inbound; 4 elements
access-list inbound line 1 remark * Telnet
access-list inbound line 2 extended permit tcp any host 10.1.1.1 eq ssh (hitcnt=0)
access-list inbound line 3 extended permit tcp any host 10.1.1.1 eq telnet (hitcnt=0)

PIX(config)# access-list inbound line 3 remark * SSH
PIX(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list inbound; 4 elements
access-list inbound line 1 remark * Telnet
access-list inbound line 2 extended permit tcp any host 10.1.1.1 eq ssh (hitcnt=0)
access-list inbound line 3 remark * SSH
access-list inbound line 4 extended permit tcp any host 10.1.1.1 eq telnet (hitcnt=0)

PIX(config)# no access-list inbound line 3 remark * SSH
PIX(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list inbound; 4 elements
access-list inbound line 1 remark * Telnet
access-list inbound line 2 extended permit tcp any host 10.1.1.1 eq ssh (hitcnt=0)
access-list inbound line 3 extended permit tcp any host 10.1.1.1 eq telnet (hitcnt=0)

Reply to
Scott Perry
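The two answers above (clear an ACL with "clear configure access-list", edit single entries with the exact "no access-list ..." text or a "line N" position) share one practical problem: on PIX 7 the "no" form must repeat the entry exactly, so the safe way to get that text is to parse it out of "show access-list" rather than retype it. The helper below is an added example written for this page, not code from the thread or from Cisco. It parses a constructed copy of the output Scott posted, tracks how "line N" numbering shifts on insert and delete, and emits the exact commands. Assumptions: the regex tolerates an optional trailing hex hash after "(hitcnt=N)" because newer releases print one; everything else follows the output shown in the thread. Note that "clear configure access-list" with no name clears every access list on the box, which is exactly the inadvertent wipe mcaissie was describing, so the helper only builds that form when you explicitly ask for it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the "show access-list" output posted in the thread.
SAMPLE_SHOW_ACCESS_LIST = """\
PIX(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list inbound; 4 elements
access-list inbound line 1 remark * Telnet
access-list inbound line 2 extended permit tcp any host 10.1.1.1 eq ssh (hitcnt=0)
access-list inbound line 3 extended permit tcp any host 10.1.1.1 eq telnet (hitcnt=0)
"""


@dataclass
class Ace:
    acl: str
    line: int
    body: str  # text after "line N", with the hitcnt/hash trailer stripped


# "(hitcnt=N)" and the "0x..." hash are display-only; they must not be echoed back
# into a "no access-list" command. The hash part is an assumption (newer releases).
ENTRY_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.+?)"
    r"(?:\s+\(hitcnt=\d+\))?(?:\s+0x[0-9a-fA-F]+)?\s*$"
)


def parse_show_access_list(text: str) -> Dict[str, List[Ace]]:
    """Return {acl_name: [Ace, ...]} in line order; skips the prompt and summary lines."""
    acls: Dict[str, List[Ace]] = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # prompt, cached-flow stats, "<name>; N elements" summary
        ace = Ace(m["acl"], int(m["line"]), m["body"])
        acls.setdefault(ace.acl, []).append(ace)
    for entries in acls.values():
        entries.sort(key=lambda a: a.line)
    return acls


def render(acls: Dict[str, List[Ace]], acl: str) -> List[str]:
    """Config-style view of one ACL, useful for diffing against a later 'show'."""
    return [f"access-list {acl} line {a.line} {a.body}" for a in acls[acl]]


def insert_ace(acls: Dict[str, List[Ace]], acl: str, line: int, body: str) -> str:
    """Insert at position 'line'; existing entries at or below it shift down by one."""
    entries = acls.setdefault(acl, [])
    for ace in entries:
        if ace.line >= line:
            ace.line += 1
    entries.append(Ace(acl, line, body))
    entries.sort(key=lambda a: a.line)
    return f"access-list {acl} line {line} {body}"


def delete_ace(acls: Dict[str, List[Ace]], acl: str, line: int) -> str:
    """Build the exact 'no' form for one entry and renumber the ones below it."""
    entries = acls[acl]
    target = next((a for a in entries if a.line == line), None)
    if target is None:
        raise KeyError(f"{acl} has no line {line}")
    cmd = f"no access-list {acl} line {line} {target.body}"
    entries.remove(target)
    for ace in entries:
        if ace.line > line:
            ace.line -= 1
    return cmd


def replace_ace(acls: Dict[str, List[Ace]], acl: str, line: int, new_body: str) -> List[str]:
    """Swap one entry in place: insert the new one first (no gap in coverage),
    then delete the old one, which the insert pushed down to line+1."""
    return [insert_ace(acls, acl, line, new_body), delete_ace(acls, acl, line + 1)]


def clear_command(acl: Optional[str] = None) -> str:
    """Whole-ACL removal. Without a name this clears EVERY access list."""
    return "clear configure access-list" + (f" {acl}" if acl else "")


if __name__ == "__main__":
    acls = parse_show_access_list(SAMPLE_SHOW_ACCESS_LIST)
    print(insert_ace(acls, "inbound", 3, "remark * SSH"))
    print("\n".join(render(acls, "inbound")))
    print(delete_ace(acls, "inbound", 3))
    print("\n".join(render(acls, "inbound")))
    print(clear_command("inbound"))
```

Feed it the real output of "show access-list" and the strings it returns are the commands to paste back; parse again afterwards to confirm the numbering matches what the box reports.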

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.