Cisco ASA/PIX: Adding lines in middle of access-list
src: http://serverfault.com/questions/244981/changing-asa-access-lists-on-the-fly
Adding "line x" to a line after the ACL name will insert it at that point in the list.
So, if you have:
access-list outside_in extended deny udp any any
access-list outside_in extended deny icmp any any
and you run:
access-list outside_in line 2 extended deny tcp any any
your config will end up as:
access-list outside_in extended deny udp any any
access-list outside_in extended deny tcp any any
access-list outside_in extended deny icmp any any
IP is inclusive of udp, tcp, and icmp; blocking IP will block all of these. So, in your config above, only the top rule will get hit.
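The insertion and first-match behaviour described above, modelled in Python as an added example (not part of the original answer and not Cisco code). The function names are made up for the illustration, and the model only understands "extended permit|deny PROTO any any" entries in a single ACL, so it can be used to check which lines become unreachable before a "line N" change is pasted into a firewall.

```python
import re

# Handles only the simplified form shown on this page (assumption of this model):
#   access-list NAME [line N] extended ACTION PROTO any any
ACE = re.compile(
    r"access-list (\S+)(?: line (\d+))? extended (permit|deny) (ip|tcp|udp|icmp) any any$")

def apply(acl, command):
    """Return a copy of acl (list of (action, proto)) with command applied."""
    m = ACE.match(command.strip())
    if not m:
        raise ValueError("unsupported command: " + command)
    _name, line, action, proto = m.groups()
    new = list(acl)
    if line is None:
        new.append((action, proto))             # no "line": added at the end
    else:
        n = int(line)
        if not 1 <= n <= len(new) + 1:
            raise ValueError("line number out of range for this model")
        new.insert(n - 1, (action, proto))      # existing entries shift down
    return new

def covers(rule_proto, proto):
    """ip matches tcp, udp and icmp; any other protocol matches only itself."""
    return rule_proto == "ip" or rule_proto == proto

def first_match(acl, proto):
    """Return (line, action) for a packet of proto; ACLs end in an implicit deny."""
    for n, (action, rule_proto) in enumerate(acl, start=1):
        if covers(rule_proto, proto):
            return n, action
    return None, "deny"

def shadowed(acl):
    """Line numbers that can never be hit because an earlier entry covers them."""
    return [n for n, (_, p) in enumerate(acl, start=1)
            if any(covers(q, p) for _, q in acl[:n - 1])]

# Constructed sample: the page's three-entry result, then a broad ip rule on top.
acl = []
for cmd in ("access-list outside_in extended deny udp any any",
            "access-list outside_in extended deny icmp any any",
            "access-list outside_in line 2 extended deny tcp any any"):
    acl = apply(acl, cmd)
with_ip = apply(acl, "access-list outside_in line 1 extended deny ip any any")

if __name__ == "__main__":
    print(shadowed(acl), shadowed(with_ip))
```

With the ip entry at line 1, every protocol-specific entry below it is reported as shadowed, which is the "only the top rule will get hit" case.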