Question : pix 515e access-list editing

I need to add smtp and pptp to an existing pix setup on a 515e. Since the person who set it up put an implicit deny at the end that means I have to delete old access-list and create a new one. My question is is there anything in the config flie below that might create a problem editing. Also I'm I right that I have to delete old access-list recreate new one. PIX version 6.3. If I could the correct syntax I would appreciate it. All ips have been changed.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password kwT2Qyt5W3.IC3f6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname od-pix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list out_int permit tcp any host 10.10.10.135 eq www
access-list out_int deny ip any any
access-list in_int deny tcp any any eq 135
access-list in_int deny tcp any any eq 4444
access-list in_int deny udp any any eq tftp
access-list in_int permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 172.16.1.254 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
no ip address intf2
ip audit name check attack action alarm reset
ip audit interface outside check
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 172.16.1.10 netmask 255.255.255.255
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp .145 www 192.168.1.145 www netmask 255.255
.255.255 0 0
access-group out_int in interface outside
access-group in_int in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:442f27e0d1ac58ebc6a184aa05819643
: end

Answer : pix 515e access-list editing

no you don't have to restart, just do 'write mem' to save your changes

the other commands look fine to me...with one problem - GRE isn't TCP port 47, it's protocol 47

try this instead:
access-list out_int permit gre any host 172.16.1.2

also, as PennGwynn mentioned, it's probably best to just remove the 'deny' rule, and by default everything not specifically permitted will be denied...this makes things easier for you. I gave you the syntax for removing the deny line in my first post, using 'no'

HTH

Random Solutions

How do I setup multi-tenant on an Asterisk server

Run login script minimized

GP user logon scripts fails

telnet exchange5.5 @25

Given a new IP Address but with running dcdiag it points to the old IP address

How many hosts in a VLAN Broadcast Domain?

3com NBX 5000 Version 5_0_6 HELP! Call hangs up after dialing a number

Can't find IP of Netgear PS110 Print Server running on Novell 4.x

Connecting 2 Remote Offices To Corporate LAN

white listing IPs that end in 0/22