ACL maker

Answered Question
Jun 9th, 2008

Is there such a tool (GUI perhaps) to easily create ACLs?

Also, I've always been wondering why, when you create an ACL then go back and try to add a line, it wipes out the whole ACL...?!? How do you add one line to a complicated ACL without retyping the whole ACL itself? Or is there no other choice?

Correct Answer by michael.leblanc, Mon, 06/09/2008 - 06:42

Wireshark has the ability to create an ACL from a captured packet. Navigate as follows: Wireshark | Analyze menu | Firewall ACL Rules.

http://www.wireshark.org/

With regard to the addition of an Access Control Entry (ACE) to an existing ACL:

Let's assume you had an ACL named ACL-Example. Do a "show ip access-list ACL-Example".

Note the sequence numbers beside the ACEs (they probably start at 10 and increment by 10s).

Let's assume you saw this:

10 permit tcp any any eq www
20 permit tcp any any eq smtp

You might decide that you wanted to place a new ACE between these two ACEs. You would specify a sequence number between 10 and 20.

e.g.:

devicename(config)# ip access-list extended ACL-Example
devicename(config-ext-nacl)# 15 permit tcp any any eq ftp
devicename(config-ext-nacl)# ex
devicename(config)# ip access-list resequence ACL-Example 10 10

This would resequence the ACEs, starting at 10, and incrementing by 10.

Exit configuration mode, do a "show ip access-list ACL-Example", and verify the result:

e.g.:

10 permit tcp any any eq www
20 permit tcp any any eq ftp
30 permit tcp any any eq smtp
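As an added illustration (not part of michael.leblanc's answer), the following Python model walks through the IOS named-ACL sequence-number behaviour described above: it parses the sample "show ip access-list" output, inserts the FTP entry at sequence 15, and applies "resequence 10 10". The details that IOS appends at last+10 when no sequence number is given and rejects a reused sequence number are this model's assumptions, not something the thread states.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample, mirroring the "show ip access-list ACL-Example" output in the answer.
SHOW_OUTPUT = """Extended IP access list ACL-Example
    10 permit tcp any any eq www
    20 permit tcp any any eq smtp
"""

# One ACE line: sequence number, action, then the rest of the rule text.
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*)$")


@dataclass
class NamedAcl:
    name: str
    entries: dict[int, str] = field(default_factory=dict)  # sequence -> ACE text

    @classmethod
    def parse(cls, show_output: str) -> NamedAcl:
        lines = show_output.strip().splitlines()
        acl = cls(lines[0].split()[-1])          # ACL name is the last word of the header
        for line in lines[1:]:
            m = ACE_RE.match(line)
            if m:
                acl.entries[int(m.group(1))] = f"{m.group(2)} {m.group(3)}"
        return acl

    def add(self, ace: str, seq: int | None = None) -> int:
        """Add an ACE. Modelled IOS behaviour (assumption): no sequence number
        appends at last+10; an explicit number inserts there; a reused number is rejected."""
        if seq is None:
            seq = max(self.entries, default=0) + 10
        if seq in self.entries:
            raise ValueError(f"% Duplicate sequence number {seq}")
        self.entries[seq] = ace
        return seq

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """ip access-list resequence <name> <start> <step>: renumber ACEs in order."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * step: ace for i, ace in enumerate(ordered)}


def worked_example() -> list[str]:
    """The exact steps from the answer: insert at 15, then resequence 10 10."""
    acl = NamedAcl.parse(SHOW_OUTPUT)
    acl.add("permit tcp any any eq ftp", seq=15)
    acl.resequence(10, 10)
    return [f"{s} {acl.entries[s]}" for s in sorted(acl.entries)]
```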


pipsadmin Mon, 06/09/2008 - 07:39

Excellent!

Thanks for the reply, I did not know about this numbering of ACL lines...
