Hello All,
I'm still trying to pick up on the ACL structure of the Adtran. Can someone help me with the commands that are needed to allow 10.7.54.0/25 requests to 10.7.60.0/22? I've tried a few things, but somehow end up allowing all traffic.
Any help is appreciated,
- There are essentially three steps when adding an allow rule to an already existing firewall configuration in AOS:
First, you must create an access-list that will match traffic you want to allow. In your case this access-list would look something like this:
ip access-list extended TEST
permit ip 10.7.54.0 255.255.255.128 10.7.60.0 255.255.252.0
Second, you must add this rule to the policy that is assigned to the interface that this traffic will be coming in on. Based on your configuration, this would be the policy-class Private that is assigned to interface eth 0/1.1.
ip policy-class Private
allow list TEST
It is important to keep in mind that order matters. You want your most selective rule at the top and your broader rules at the bottom. A packet will check for a match on the policy-class going top to bottom, so if it finds a match, the rules at the bottom will not be checked.
The policy-class Private should look like this:
ip policy-class Private
allow list TEST
allow list self self
nat source list wizard-ics interface eth 0/2 overload
In the GUI, you can simply rearrange the rules in the order you want. However, in the CLI, you will need to delete the rules in the policy-class, and re-add them in the order you want.
I hope this answers your question, but please do not hesitate to let us know if you have any further questions.
Thanks,
Noor
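As an added illustration (not from the post and not Adtran's code), this Python model of first-match policy-class evaluation shows why the rule order in the answer above matters: a packet from the /25 to the /22 hits TEST in Private, while in a class where the broad nat entry sits above TEST, the nat entry takes the packet first and TEST is never reached. It assumes the dotted masks are subnet masks as written in the answer; the contents of the wizard-ics list and the PrivateBad policy-class are constructed for the example.

```python
import ipaddress
from collections import defaultdict
# Constructed config in AOS CLI style, built from the answer above; dotted masks are read
# as subnet masks, as the post writes them. wizard-ics and PrivateBad are constructed.
CONFIG = """
ip access-list extended TEST
  permit ip 10.7.54.0 255.255.255.128 10.7.60.0 255.255.252.0
ip access-list extended wizard-ics
  permit ip any any
ip policy-class Private
  allow list TEST
  allow list self self
  nat source list wizard-ics interface eth 0/2 overload
ip policy-class PrivateBad
  nat source list wizard-ics interface eth 0/2 overload
  allow list TEST
"""

def _net(tokens):
    """Consume 'any' or '<addr> <mask>' from tokens; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse(cfg):
    """acls: name -> [(permit|deny, src_net, dst_net)]; policies: name -> [(action, acl)]."""
    acls, policies, cur, kind = defaultdict(list), defaultdict(list), None, None
    for line in cfg.splitlines():
        t = line.split()
        if t[:3] == ["ip", "access-list", "extended"]:
            kind, cur = "acl", t[3]
        elif t[:2] == ["ip", "policy-class"]:
            kind, cur = "pc", t[2]
        elif kind == "acl" and t and t[0] in ("permit", "deny"):
            src, rest = _net(t[2:])
            dst, _ = _net(rest)
            acls[cur].append((t[0], src, dst))
        elif kind == "pc" and "list" in t:  # allow|discard|nat ... list <acl> ...
            policies[cur].append((t[0], t[t.index("list") + 1]))
    return acls, policies

def evaluate(acls, policies, pc, src, dst):
    """First entry (top to bottom) whose ACL permits the packet decides; no match is AOS's
    implicit discard. 'self' only covers traffic to the router itself and is undefined here."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, name in policies[pc]:
        verdict = next((v for v, sn, dn in acls.get(name, []) if s in sn and d in dn), None)
        if verdict == "permit":  # an ACL deny means this entry does not match; keep walking
            return action, name
    return "discard", "implicit"
```

Run `evaluate(*parse(CONFIG), "Private", "10.7.54.10", "10.7.60.5")` to see the TEST entry match, then the same packet against PrivateBad to see the nat entry shadow it.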