ACL maker

pipsadmin
Level 1

Is there such a tool (GUI perhaps) to easily create ACLs?

Also, I've always been wondering why, when you create an ACL and then go back and try to add a line, it wipes out the whole ACL...?!? How do you add one line to a complicated ACL without retyping the whole ACL itself? Or is there no other choice?

Accepted Solution

michael.leblanc
Level 4

Wireshark has the ability to create an ACL from a captured packet. Navigate as follows: Wireshark | Analyze menu | Firewall ACL Rules.

http://www.wireshark.org/

With regard to the addition of an Access Control Entry (ACE) to an existing ACL:

Let's assume you had an ACL named ACL-Example. Do a "show ip access-list ACL-Example".

Note the sequence numbers beside the ACEs (they probably start at 10 and increment by 10).

Let's assume you saw this:

10 permit tcp any any eq www
20 permit tcp any any eq smtp

You might decide that you wanted to place a new ACE between these two ACEs. You would specify a sequence number between 10 and 20.

e.g.:

devicename(config)# ip access-list extended ACL-Example
devicename(config-ext-nacl)# 15 permit tcp any any eq ftp
devicename(config-ext-nacl)# ex
devicename(config)# ip access-list resequence ACL-Example 10 10

This would resequence the ACEs, starting at 10 and incrementing by 10.

Exit configuration mode, do a "show ip access-list ACL-Example", and verify the result:

e.g.:

10 permit tcp any any eq www
20 permit tcp any any eq ftp
30 permit tcp any any eq smtp

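The procedure in the accepted answer, as an added Python example (this is not code from the thread or from Cisco): it parses the output of "show ip access-list", picks a free sequence number directly after a chosen ACE, emits the IOS commands to add the entry, and models what "ip access-list resequence" does to the numbering. It also handles the case the answer does not show, where two ACEs have adjacent numbers (10 and 11) and there is no room to insert until the list is resequenced. The function names and the sample show output are assumptions made for the example.

```python
"""Plan an ACE insertion into a Cisco IOS named ACL and emit the CLI for it.

Added example, not code from this thread or from Cisco. It models what the
accepted answer describes: every ACE carries a sequence number, a new ACE can
be typed with any unused number, and `ip access-list resequence` renumbers the
list. Function names and the sample show output are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One ACE line of `show ip access-list`, e.g. "10 permit tcp any any eq www".
# A trailing "(N matches)" hit counter is tolerated and dropped.
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.+?)(?:\s+\(\d+ match(?:es)?\))?\s*$")

# Constructed sample of `show ip access-list ACL-Example` (not real device output).
SAMPLE_SHOW = """\
Extended IP access list ACL-Example
    10 permit tcp any any eq www
    20 permit tcp any any eq smtp (12 matches)
"""


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str
    rule: str

    def text(self) -> str:
        return f"{self.seq} {self.action} {self.rule}"


def parse_show_output(show_text: str) -> List[Ace]:
    """Parse the body of `show ip access-list <name>` into ACEs sorted by sequence."""
    aces = [Ace(int(m[1]), m[2], m[3]) for m in map(ACE_RE.match, show_text.splitlines()) if m]
    return sorted(aces, key=lambda a: a.seq)


def resequence(aces: List[Ace], start: int = 10, step: int = 10) -> List[Ace]:
    """Model `ip access-list resequence <name> <start> <step>`: renumber in order."""
    ordered = sorted(aces, key=lambda a: a.seq)
    return [Ace(start + i * step, a.action, a.rule) for i, a in enumerate(ordered)]


def slot_after(aces: List[Ace], after_seq: int) -> Optional[int]:
    """Pick an unused sequence number that lands directly after `after_seq`.

    Returns None when the next ACE is adjacent (e.g. 10 and 11): a duplicate
    number cannot be used, so the list must be resequenced before inserting.
    """
    seqs = [a.seq for a in sorted(aces, key=lambda a: a.seq)]
    if after_seq not in seqs:
        raise ValueError(f"sequence {after_seq} is not in the ACL")
    i = seqs.index(after_seq)
    if i + 1 == len(seqs):            # appending after the last ACE
        return after_seq + 10
    mid = (after_seq + seqs[i + 1]) // 2
    return mid if mid > after_seq else None


def plan_insert(name: str, aces: List[Ace], after_seq: int, action: str, rule: str,
                start: int = 10, step: int = 10) -> Tuple[List[str], List[Ace]]:
    """Return (cli_lines, resulting_aces) for adding one ACE after `after_seq`
    without retyping the ACL. Resequences first only when there is no free slot."""
    if step < 2:
        raise ValueError("step must leave room between ACEs")
    cur = sorted(aces, key=lambda a: a.seq)
    idx = [a.seq for a in cur].index(after_seq)   # ValueError if the anchor is absent
    cli: List[str] = []
    slot = slot_after(cur, cur[idx].seq)
    if slot is None:
        cur = resequence(cur, start, step)        # make room; relative order is preserved
        cli.append(f"ip access-list resequence {name} {start} {step}")
        slot = slot_after(cur, cur[idx].seq)
    new = Ace(slot, action, rule)
    cli += [
        f"ip access-list extended {name}",
        f" {new.text()}",                          # sequence number first, then the ACE
        " exit",
        f"ip access-list resequence {name} {start} {step}",  # cosmetic: restore even spacing
    ]
    return cli, resequence(cur + [new], start, step)


if __name__ == "__main__":
    acl = parse_show_output(SAMPLE_SHOW)
    commands, result = plan_insert("ACL-Example", acl, 10, "permit", "tcp any any eq ftp")
    print("\n".join(commands))
    print("\nExpected `show ip access-list ACL-Example` afterwards:")
    print("\n".join(a.text() for a in result))
```

The ACE takes effect at the number you type it with; the final resequence changes nothing about what is matched and only restores even spacing so the next insertion has room. The same named-ACL sub-mode also removes a single entry with "no <seq>", which is the other half of editing a list without retyping it.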

3 Replies


Excellent!

Thanks for the reply, I did not know about this numbering ACL lines...

sneakster1
Level 1

Here we go, I found a site that creates ACLs for PIX/ASA and FWSM:

http://freeacl.com/
