Question : pix 515e access-list editing

I need to add smtp and pptp to an existing pix setup on a 515e. Since the person who set it up put an implicit deny at the end that means I have to delete old access-list and create a new one. My question is is there anything in the config flie below that might create a problem editing. Also I'm I right that I have to delete old access-list recreate new one. PIX version 6.3. If I could the correct syntax I would appreciate it. All ips have been changed.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password kwT2Qyt5W3.IC3f6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname od-pix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list out_int permit tcp any host 10.10.10.135 eq www
access-list out_int deny ip any any
access-list in_int deny tcp any any eq 135
access-list in_int deny tcp any any eq 4444
access-list in_int deny udp any any eq tftp
access-list in_int permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 172.16.1.254 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
no ip address intf2
ip audit name check attack action alarm reset
ip audit interface outside check
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 172.16.1.10 netmask 255.255.255.255
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp .145 www 192.168.1.145 www netmask 255.255
.255.255 0 0
access-group out_int in interface outside
access-group in_int in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:442f27e0d1ac58ebc6a184aa05819643
: end

Answer : pix 515e access-list editing

no you don't have to restart, just do 'write mem' to save your changes

the other commands look fine to me...with one problem - GRE isn't TCP port 47, it's protocol 47

try this instead:
access-list out_int permit gre any host 172.16.1.2

also, as PennGwynn mentioned, it's probably best to just remove the 'deny' rule, and by default everything not specifically permitted will be denied...this makes things easier for you. I gave you the syntax for removing the deny line in my first post, using 'no'

HTH

Random Solutions

error 0x800cc79 in outlook express when trying to reply to emails using optus mobile broadband

vmware use dual nic?

VBScript login scripting - One Last Q

NIC Agent: Connectivity has been lost for the NIC in slot 1, port 1 - regularly reported in Microsoft Small Business Server 2003 Premium Server Performance Report.

Connection failure to VPN thru Cisco VPN client Reason:412

DNS mess duplicate entries with different IP

NT 4 Account Policy

I need to install wireless for a 40 story building - any ideas?