ACL maker

Answered Question
Jun 9th, 2008

Is there such a tool (GUI perhaps) to easily create ACLs?


Also, I've always been wondering why, when you create an ACL then go back and try to add a line, it wipes out the whole ACL...?!? How do you add one line to a complicated ACL without retyping the whole ACL itself? Or is there no other choice?



Correct Answer by michael.leblanc about 8 years 11 months ago

Wireshark has the ability to create an ACL from a captured packet. Navigate as follows: Wireshark | Analyze menu | Firewall ACL Rules.


http://www.wireshark.org/



With regard to the addition of an Access Control Entry (ACE) to an existing ACL:


Let's assume you had an ACL named ACL-Example. Do a "show ip access-list ACL-Example".


Note the sequence numbers beside the ACEs (they probably start at 10 and increment by 10s).


Let's assume you saw this:


10 permit tcp any any eq www

20 permit tcp any any eq smtp


You might decide that you wanted to place a new ACE between these two ACEs. You would specify a sequence number between 10 and 20.


e.g.:

devicename(config)# ip access-list extended ACL-Example
devicename(config-ext-nacl)# 15 permit tcp any any eq ftp
devicename(config-ext-nacl)# exit
devicename(config)# ip access-list resequence ACL-Example 10 10


This would resequence the ACEs, starting at 10, and incrementing by 10.


Exit configuration mode, do a "show ip access-list ACL-Example", and verify the result:


e.g.:

10 permit tcp any any eq www

20 permit tcp any any eq ftp

30 permit tcp any any eq smtp
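To make the procedure above concrete, here is an added example of my own (it is not code from the thread, from michael.leblanc, or from Cisco) that models a named IOS ACL in Python: it parses "show ip access-list" output of the shape shown, inserts an ACE at a chosen sequence number (refusing a collision, as the device would), resequences with a start and step, and evaluates a first-match lookup so the effect of where the new line lands is visible. The sample output, the `NamedAcl` class and the tiny `matches` helper (which only understands the "permit/deny <proto> any any eq <port>" form used in the answer) are all my assumptions.

```python
# Added example, not the thread's own commands: a small model of editing an
# IOS-style named ACL by sequence number, then resequencing it.
import re
from dataclasses import dataclass

# Constructed sample "show ip access-list" output mirroring the answer above.
SHOW_OUTPUT = """\
Extended IP access list ACL-Example
    10 permit tcp any any eq www (12 matches)
    20 permit tcp any any eq smtp
"""

# Well-known port keywords IOS prints in place of numbers (assumed subset).
PORT_NAMES = {"www": 80, "smtp": 25, "ftp": 21, "ssh": 22, "telnet": 23}


@dataclass
class Ace:
    seq: int
    text: str  # rest of the line, e.g. "permit tcp any any eq www"

    @property
    def action(self) -> str:
        return self.text.split()[0]

    def matches(self, proto: str, dport: int) -> bool:
        """Minimal matcher for '<action> <proto> any any eq <port>' ACEs only."""
        m = re.fullmatch(r"(permit|deny)\s+(\w+)\s+any\s+any\s+eq\s+(\S+)", self.text)
        if not m or m.group(2) != proto:
            return False
        port = m.group(3)
        return (PORT_NAMES[port] if port in PORT_NAMES else int(port)) == dport


class NamedAcl:
    ACE_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")
    COUNTER_RE = re.compile(r"\s*\(\d+ match(es)?\)$")  # strip hit counters

    def __init__(self, name: str):
        self.name = name
        self.aces = []  # list of Ace, kept sorted by seq

    @classmethod
    def from_show(cls, name: str, output: str) -> "NamedAcl":
        acl = cls(name)
        for line in output.splitlines():
            m = cls.ACE_RE.match(line)
            if m:  # the header line has no leading sequence number
                text = cls.COUNTER_RE.sub("", m.group(2))
                acl.aces.append(Ace(int(m.group(1)), text))
        acl.aces.sort(key=lambda a: a.seq)
        return acl

    def add(self, seq: int, text: str) -> None:
        """Like typing '<seq> <ace>' under 'ip access-list extended <name>'."""
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence {seq} already used in {self.name}")
        self.aces.append(Ace(seq, text))
        self.aces.sort(key=lambda a: a.seq)

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """Like 'ip access-list resequence <name> <start> <step>'."""
        for i, ace in enumerate(self.aces):
            ace.seq = start + i * step

    def show(self) -> str:
        return "\n".join(f"{a.seq} {a.text}" for a in self.aces)

    def evaluate(self, proto: str, dport: int):
        """First matching ACE wins; no match falls to the implicit deny at the end."""
        for ace in self.aces:
            if ace.matches(proto, dport):
                return ace.action, ace.seq
        return "deny", None


def insert_ftp_and_resequence() -> NamedAcl:
    """Replays the answer's procedure on the constructed sample."""
    acl = NamedAcl.from_show("ACL-Example", SHOW_OUTPUT)
    acl.add(15, "permit tcp any any eq ftp")  # between 10 and 20
    acl.resequence(10, 10)
    return acl


if __name__ == "__main__":
    acl = insert_ftp_and_resequence()
    print(acl.show())
    print(acl.evaluate("tcp", 21))   # the new FTP line, now sequence 20
    print(acl.evaluate("tcp", 443))  # nothing matches: implicit deny
```

The `evaluate` call is the check worth keeping in mind when choosing a sequence number: the ACL is first-match, so an ACE placed after a broader one never fires, and anything no ACE matches lands on the implicit deny at the end.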


pipsadmin Mon, 06/09/2008 - 07:39

Excellent !


Thanks for the reply, I did not know about this numbering of ACL lines...
