06-09-2008 05:59 AM
Is there such a tool (GUI perhaps) to easily create ACLs?
Also, I've always been wondering why, when you create an ACL then go back and try to add a line, it wipes out the whole ACL...?!? How do you add 1 line to a complicated ACL without retyping the whole ACL itself? Or is there no other choice?
06-09-2008 06:42 AM
Wireshark has the ability to create an ACL from a captured packet. Navigate as follows: Wireshark | Analyze menu | Firewall ACL Rules.
With regard to the addition of an Access Control Entry (ACE) to an existing ACL:
Let's assume you had an ACL named ACL-Example. Do a "show ip access-list ACL-Example".
Note the sequence numbers beside the ACEs (they probably start at 10 and increment by 10s).
Let's assume you saw this:
10 permit tcp any any eq www
20 permit tcp any any eq smtp
You might decide that you wanted to place a new ACE between these two ACEs. You would specify a sequence number between 10 and 20.
e.g.:
devicename(config) # ip access-list extended ACL-Example
devicename(config-ext-nacl) # 15 permit tcp any any eq ftp
devicename(config-ext-nacl) # ex
devicename(config) # ip access-list resequence ACL-Example 10 10
This would resequence the ACEs, starting at 10, and incrementing by 10.
Exit configuration mode, do a "show ip access-list ACL-Example", and verify the result:
e.g.:
10 permit tcp any any eq www
20 permit tcp any any eq ftp
30 permit tcp any any eq smtp
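A small model of the sequence-number mechanics described above, added here as an example (it is not from the original post or from Cisco): it parses a constructed "show ip access-list" listing, inserts an ACE at sequence 15 and resequences with start 10 step 10, reproducing the result shown. Appending without a sequence number is modelled as last+10, which is the IOS behaviour for named ACLs.

```python
"""Model of IOS named-ACL sequence numbering: parse a 'show ip access-list'
listing, insert an ACE at a chosen sequence number, then resequence."""
import re

# Constructed sample output, mirroring the thread's ACL-Example.
SHOW_OUTPUT = """Extended IP access list ACL-Example
    10 permit tcp any any eq www (12 matches)
    20 permit tcp any any eq smtp
"""

ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.+?)\s*$")


def parse_acl(show_output):
    """Return a list of (seq, action, match) tuples from the show output.
    Hit counters such as '(12 matches)' are stripped from the match text."""
    aces = []
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            match = re.sub(r"\s*\(\d+ matches?\)$", "", m.group(3))
            aces.append((int(m.group(1)), m.group(2), match))
    return aces


def insert_ace(aces, action, match, seq=None):
    """Insert an ACE. With seq=None the entry is appended at last+10, as IOS
    does for a named ACL. IOS refuses a sequence number already in use, so
    we raise rather than silently overwrite an existing entry."""
    if seq is None:
        seq = (aces[-1][0] + 10) if aces else 10
    if any(s == seq for s, _, _ in aces):
        raise ValueError(f"sequence {seq} already in use")
    return sorted(aces + [(seq, action, match)])


def resequence(aces, start=10, step=10):
    """'ip access-list resequence NAME start step': keep order, renumber."""
    return [(start + i * step, a, m)
            for i, (_, a, m) in enumerate(sorted(aces))]


def render(aces):
    """Render as the ACE lines a 'show ip access-list' would print."""
    return "\n".join(f"{s} {a} {m}" for s, a, m in aces)


if __name__ == "__main__":
    acl = insert_ace(parse_acl(SHOW_OUTPUT), "permit", "tcp any any eq ftp", 15)
    print(render(resequence(acl, 10, 10)))
```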
06-09-2008 07:39 AM
Excellent!
Thanks for the reply, I did not know about this numbering of ACL lines...
10-06-2012 03:21 AM
Here we go, I found a site that creates ACLs for PIX/ASA and FWSM.