Access List Tool

efairbanks
Level 1

Does anyone know of any ACL tool (preferably freeware) that will allow you to load an ACL and run an IP against it to see what line (if any) it hits? I have seen tools that allow you to manage ACLs, but haven't ran across anything that computes the logic.

Thanks in advance for any advice/assistance!

13 Replies

jan.nielsen
Level 7

For the ASA, I believe the ASDM log will show you, when something is allowed by an ACL, what line in the ACL it was hit by.

I am actually looking for a software application (or script) that you can point at a text file containing an ACL. It seems like a relatively simple and useful tool - I just haven't seen one.

Hi,

Within ASDM you have a tool called Packet Tracer. Does exactly what you want: Tools --> Packet tracer.

hth

Cheers

Stefan

Hi,

Packet Tracer (packet-tracer) is available from the CLI. It will generate and insert a packet into the data path to test the generated packet traversing the device.

Refer to http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/p.html#wp1913020

godinerik
Level 1

Hi,

I'm not aware of any freeware that does this. Maybe you can program one and share it with us :) In the meantime, like a few other people mentioned, there's the packet-tracer utility in the ASDM and there's also a CLI command called packet-tracer which will do exactly what you're asking (except it doesn't parse a text file).

Hah...I am NO programmer :)

I actually found a Master's thesis on the Internet drafted by a student who made one, but I couldn't find the actual utility anywhere. He included the code in his thesis... I will keep poking around. I support a DoD customer that is required to keep a massive ACL on their border router. We are frequently pinged with "I can't access this site" from customers. The first place we check is this ACL. If I had a nice little utility to parse the ACL offline, it would make our job a lot easier.

I know a couple programmers that might actually like to do this "for fun." I think they should spend more time chasing girls, but that is a whole different story :)

Programmers do chase after girls. They just think that programming is more fun. -:o)

With that being said, I'm no programmer, but I do write code here and there to do what I need to.

Here is the code that would do (part of) what you need.

Notes:

- Freely distributed.

- You need ActivePerl (any version) installed on your PC.

- This script works only for tcp & udp flows with port numbers ("eq" and "range"). I'll add other variations later on, but no time right now.

- It won't work for the following flows:

a.b.c.d e.f.g.h ip

a.b.c.d e.f.g.h udp

a.b.c.d e.f.g.h tcp

- Protocols (tcp,udp,icmp,ip) should all be in lower case.

- This script should work perfectly in Windows. If you're using *nux, you might just need to modify the scripts a little bit.

- The flows file should be in tab delimited format as follows:

SrcIP DstIP Protocol Port

- Almost forgot to mention that you have to format the ACL file.

. Need to change "host a.b.c.d" -> "a.b.c.d 255.255.255.255"

. any -> 0.0.0.0 0.0.0.0

. Named ports into number. i.e. dns -> 53, snmp -> 161.

Last words: if you find this code spaghetti, excuse me! I'm not a true programmer. Use it at your own risk!
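The script described above is not attached in this copy of the thread, so here is an added example of the same idea in Python (my code, not the thread's or Cisco's). It reads Cisco extended ACL syntax directly (host, any, wildcard masks, eq/range with numeric ports, remark lines) rather than needing the host/any pre-formatting listed above, and returns the first line a flow hits, with None standing for the implicit deny at the end of every ACL. Like the script above it covers only ip/tcp/udp/icmp with numeric ports; the sample ACL is constructed.

```python
import ipaddress
def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _addr(toks):
    # 'any', 'host A' or 'A WILDCARD' -> (base, wildcard mask, tokens consumed)
    if toks[0] == "any":
        return 0, 0xFFFFFFFF, 1
    if toks[0] == "host":
        return _ip(toks[1]), 0, 2
    return _ip(toks[0]), _ip(toks[1]), 2
def _ports(toks):
    # optional 'eq N' or 'range A B' (numeric ports only) -> ((lo, hi), tokens consumed)
    if toks and toks[0] in ("eq", "range"):
        lo, hi = int(toks[1]), int(toks[2] if toks[0] == "range" else toks[1])
        return (lo, hi), 3 if toks[0] == "range" else 2
    return (0, 65535), 0
def parse_acl(text):
    """Parse extended ACL lines (numbered or named syntax) into rule dicts tagged with their line number."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        toks = line.split()
        idx = next((i for i, t in enumerate(toks) if t in ("permit", "deny")), None)
        if idx is None or "remark" in toks[:idx]:   # blank, remark or unsupported line
            continue
        action, proto, toks = toks[idx], toks[idx + 1], toks[idx + 2:]
        sbase, swc, n = _addr(toks); toks = toks[n:]
        sport, n = _ports(toks); toks = toks[n:]
        dbase, dwc, n = _addr(toks); toks = toks[n:]
        dport, _ = _ports(toks)                      # anything after (e.g. 'log') is ignored
        rules.append({"line": lineno, "text": line.strip(), "action": action, "proto": proto,
                      "src": (sbase, swc), "sport": sport, "dst": (dbase, dwc), "dport": dport})
    return rules
def _in_net(ip, base, wc):  # Cisco wildcard: set bits are "don't care", so force them on
    return (ip | wc) == (base | wc)
def first_match(rules, src_ip, dst_ip, proto, dport=None):
    """Cisco first-match: return the first rule the flow hits, or None for the implicit deny."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for r in rules:
        if r["proto"] not in ("ip", proto) or not (_in_net(s, *r["src"]) and _in_net(d, *r["dst"])):
            continue
        if dport is not None and not r["dport"][0] <= dport <= r["dport"][1]:
            continue
        return r
    return None
# Constructed sample ACL for demonstration; not from the thread.
SAMPLE_ACL = """access-list 101 remark constructed sample
access-list 101 deny   tcp host 10.1.1.1 any eq 23
access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 range 80 443 log
access-list 101 permit udp any host 192.0.2.53 eq 53
access-list 101 permit ip host 10.1.1.1 any"""
```

Feed it a flows file of SrcIP, DstIP, Protocol, Port and call first_match per row; a None result is the implicit deny, which is usually what the "I can't access this site" tickets come down to.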

Please check if Solsoft Firewall Manager is appropriate for what you are looking for.

jiaowenbin
Level 1

You can add the parameter "log" at the end of every ACL entry, such as

access-list 101 permit ip host 1.1.1.1 any log

access-list 101 permit ip host 2.2.2.2 any

access-list 101 permit ip host 3.3.3.3 any log

and then "show logging" will show you which IP flow hits...

GSA
Level 1

emilcommerou
Level 1

Cisco has this tool available online here:

https://cway.cisco.com/tools/accesslist/

Log in with your CCO account and you're good. Haven't tested it much, so no guarantees. :)

Under any circumstance I'd recommend looking at their tools collection here: https://www.cisco.com/c/en/us/support/web/tools-catalog.html

There's a lot of useful stuff in there.

daroot
Level 1

I just released "Network Mom ACL Analyzer" in the MacOS 10.14 app store.

  1. It finds syntax errors, wildcards that don't align with subnets and CIDRs that are not on bit boundaries.
  2. It can determine if a specific TCP/UDP socket is permitted by a 50,000-line ACL in under 20 seconds.
  3. It can find "duplicate" ACL lines!  (Duplicate means the earlier line is a strict superset of the later line.)  Finding duplicates in a 2,000-line ACL takes 3-10 seconds.  Finding duplicates in a 10,000-line ACL takes a few minutes (doubling the size of the ACL quadruples the analysis time).

"Network Mom ACL Analyzer" currently supports IPv4 security ACLs for the following platforms:

  1. IOS (without object-groups)
  2. IOS-XR (with object-groups)
  3. NX-OS (with object-groups)
  4. ASA (with network object-groups but not service object-groups).

As of July 2019 IOS-XE and IPv6 are under active development.

For the security of your ACLs, the tool passed Apple App Store Review and runs with the Apple "application sandbox" and "hardened runtime" features enabled.  In particular the sandbox is set to prevent all network connections to or from the analyzer (a side effect is the analyzer does not support DNS lookup of hosts in ACL configurations).

I do have a nominal charge for the app (basically, if you're using my 10,000 lines of Swift source code, you're buying me lunch ;-)

Darrell Root

CCIE Emeritus #8302

Cisco IOS access-list verification tool
https://aclcheck.ru