Access List Tool

Unanswered Question
Oct 6th, 2009

Does anyone know of any ACL tool (preferably freeware) that will allow you to load an ACL and run an IP against it to see what line (if any) it hits? I have seen tools that allow you to manage ACLs, but haven't ran across anything that computes the logic.

Thanks in advance for any advice/assistance!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jan.nielsen Tue, 10/06/2009 - 16:14

For the ASA, i believe the ASDM log will show you when something is allowed by an acl, what line in the acl it was hit by.

efairbanks Tue, 10/06/2009 - 16:18

I am actually looking for a software application (or script) that you can point at a text file containing an ACL. It seems like a relatively simple and useful tool - I just haven't seen one.

savgoust Wed, 10/07/2009 - 21:57


Within ASDM you have a tool called Packet Tracer. Does exactly what you want: Tools --> Packet tracer.




godinerik Thu, 10/08/2009 - 21:51


I'm not aware of a freeware that does this. Maybe you can program one and share it with us :) In the mean time, like a few other people mentioned, there's the packet-tracer utility in the ASDM and there's also a CLI command called packet-tracer which will do exactly what you're asking (except it doesn't parse a text file)

efairbanks Thu, 10/08/2009 - 22:14

Hah...I am NO programmer :)

I actually found a Master's thesis on the Ineternet drafted by a student who made one, but I couldn't find the actual utility anywhere. He included the code in his thesis... I will keep poking around. I support a DoD customer that is required to keep a massive ACL on their border router. We are frequently pinged with "I can't access this site" from customers. The first place we check is this ACL. If I had a nice little utility to parse the ACL offline, it would make our job a lot easier.

I know a couple programmers that might actually like to do this "for fun." I think they should spend more time chasing girls, but that is a whole different story :)

binhkdinh Fri, 10/09/2009 - 09:52

Programmers do chase after girls. They just think that programming is more fun. -:o)

With that being said, I'm no programmer, but I do write codes here and there to do what I need to.

Here are the codes that would do what (part of) you need to.


- Freely distributed.

- You need ActivePerl (any version) installed on your PC.

- This script works only for tcp & udp flows with port numbers ("eq" and "range"). I'll add others variations later on, but no time right now.

- It won't work for the following flows:

a.b.c.d e.f.g.h ip

a.b.c.d e.f.g.h udp

a.b.c.d e.f.g.h tcp

- Protocols (tcp,udp,icmp,ip) should all be in lower case.

- This script should work perfectly in Windows. If you're using **nux, you might just need to modify the scripts a little bit.

- The flows file should be in tab delimited format as follows:

SrcIP DstIP Protocol Port

- Almost forgot to mention that you have to format the ACL file.

. Need to change "host a.b.c.d" -> "a.b.c.d"

. any ->

. Named ports into number. i.e. dns -> 53, snmp -> 161.

Last words, if you find these codes spaghetti, excuse me! I'm not a true programmer. Use it at your own risk!

Saurabh Kishore Fri, 10/09/2009 - 12:25

Please check if solsoft firewall manager is appropriate for what you are looking for.

jiaowenbin Fri, 10/09/2009 - 21:23

you can add a parameter " log " in the end of every ACL entry , such as

access-list 101 permit ip host any log

access-list 101 permit ip host any

access-list 101 permit ip host any log

and they , show logging will show you what ip flow hits ...


This Discussion