Cisco Support Community

New Member

Access List Tool

Does anyone know of any ACL tool (preferably freeware) that will allow you to load an ACL and run an IP against it to see what line (if any) it hits? I have seen tools that allow you to manage ACLs, but haven't run across anything that computes the logic.

Thanks in advance for any advice/assistance!

9 REPLIES

Re: Access List Tool

For the ASA, I believe the ASDM log will show you, when something is allowed by an ACL, which line in the ACL it hit.

New Member

Re: Access List Tool

I am actually looking for a software application (or script) that you can point at a text file containing an ACL. It seems like a relatively simple and useful tool - I just haven't seen one.

Cisco Employee

Re: Access List Tool

Hi,

Within ASDM you have a tool called Packet Tracer. Does exactly what you want: Tools --> Packet tracer.

hth

Cheers

Stefan

New Member

Re: Access List Tool

Hi,

Packet Tracer (packet-tracer) is available from the CLI. It will generate and insert a packet into the data path to test the generated packet traversing the device.

Refer to http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/p.html#wp1913020

New Member

Re: Access List Tool

Hi,

I'm not aware of freeware that does this. Maybe you can program one and share it with us :) In the meantime, like a few other people mentioned, there's the packet-tracer utility in the ASDM and there's also a CLI command called packet-tracer which will do exactly what you're asking (except it doesn't parse a text file).

New Member

Re: Access List Tool

Hah...I am NO programmer :)

I actually found a Master's thesis on the Internet drafted by a student who made one, but I couldn't find the actual utility anywhere. He included the code in his thesis... I will keep poking around. I support a DoD customer that is required to keep a massive ACL on their border router. We are frequently pinged with "I can't access this site" from customers. The first place we check is this ACL. If I had a nice little utility to parse the ACL offline, it would make our job a lot easier.

I know a couple programmers that might actually like to do this "for fun." I think they should spend more time chasing girls, but that is a whole different story :)

New Member

Re: Access List Tool

Programmers do chase after girls. They just think that programming is more fun. -:o)

With that being said, I'm no programmer, but I do write code here and there to do what I need to.

Here is the code that does (part of) what you need.

Notes:

- Freely distributed.

- You need ActivePerl (any version) installed on your PC.

- This script works only for tcp & udp flows with port numbers ("eq" and "range"). I'll add other variations later on, but no time right now.

- It won't work for the following flows:

a.b.c.d e.f.g.h ip

a.b.c.d e.f.g.h udp

a.b.c.d e.f.g.h tcp

- Protocols (tcp,udp,icmp,ip) should all be in lower case.

- This script should work perfectly in Windows. If you're using *nix, you might just need to modify the script a little bit.

- The flows file should be in tab delimited format as follows:

SrcIP DstIP Protocol Port

- Almost forgot to mention that you have to format the ACL file.

. Need to change "host a.b.c.d" -> "a.b.c.d 255.255.255.255"

. any -> 0.0.0.0 0.0.0.0

. Named ports into numbers, e.g. dns -> 53, snmp -> 161.

Last words, if you find this code spaghetti, excuse me! I'm not a true programmer. Use it at your own risk!
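The Perl script described in the post above is not reproduced on the page. What follows is an added example, not the poster's script and not a Cisco tool: a small Python evaluator that does the job the thread asks for, taking a text file in plain Cisco IOS extended ACL syntax and reporting which line a flow hits, or the implicit deny at the end. It goes a little further than the post's script in that `host`, `any` and a handful of IOS port keywords are parsed directly, so the ACL file needs no preprocessing, and `neq`/`gt`/`lt` are handled alongside `eq` and `range`. The ACL and the flows are constructed samples (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), and the `NAMED_PORTS` table is a deliberately small subset of the IOS keywords.

```python
"""Offline 'which ACL line does this flow hit?' checker for Cisco IOS extended ACLs.

Added example (not the poster's Perl script). Sample ACL and flows are constructed.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF
PORT_OPS = ("eq", "neq", "gt", "lt", "range")
# Subset of IOS port keywords so the ACL needs no manual name->number rewrite.
NAMED_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
               "bootps": 67, "bootpc": 68, "tftp": 69, "www": 80, "ntp": 123,
               "snmp": 161, "syslog": 514}


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _port(tok):
    if tok.isdigit():
        return int(tok)
    if tok.lower() in NAMED_PORTS:
        return NAMED_PORTS[tok.lower()]
    raise ValueError(f"unknown port keyword {tok!r}; add it to NAMED_PORTS")


def _take_addr(toks):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (network, wildcard)."""
    tok = toks.pop(0).lower()
    if tok == "any":
        return 0, ALL_ONES
    if tok == "host":
        return _ip(toks.pop(0)), 0
    return _ip(tok), _ip(toks.pop(0))          # IOS wildcard mask: 1 bits are "don't care"


def _take_port(toks):
    """Consume an optional port operator; return a predicate over a port number (or None)."""
    if not toks or toks[0].lower() not in PORT_OPS:
        return lambda p: True                  # no port qualifier: any port matches
    op, a = toks.pop(0).lower(), _port(toks.pop(0))
    if op == "range":
        b = _port(toks.pop(0))
        return lambda p: p is not None and a <= p <= b
    return {"eq": lambda p: p == a,
            "neq": lambda p: p is not None and p != a,
            "gt": lambda p: p is not None and p > a,
            "lt": lambda p: p is not None and p < a}[op]


def parse_acl(text):
    """Parse 'access-list N ...' lines (or a named-ACL body) in order; keep file line numbers."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        toks = raw.split()
        if toks and toks[0].lower() == "access-list":
            toks = toks[2:]                    # drop 'access-list <number>'
        if not toks or toks[0] == "!" or toks[0].lower() in ("remark", "ip"):
            continue                           # blank, comment, remark, 'ip access-list ...' header
        action, proto, rest = toks[0].lower(), toks[1].lower(), toks[2:]
        if action not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        src = _take_addr(rest)
        sport = _take_port(rest)               # optional source-port qualifier
        dst = _take_addr(rest)
        dport = _take_port(rest)               # optional destination-port qualifier
        entries.append({"line": lineno, "text": raw.strip(), "action": action,
                        "proto": proto, "src": src, "sport": sport, "dst": dst,
                        "dport": dport,
                        "log": any(t.lower().startswith("log") for t in rest)})
    return entries


def _in(addr, net_wild):
    net, wild = net_wild
    keep = ~wild & ALL_ONES
    return (addr & keep) == (net & keep)


def evaluate(entries, src, dst, proto, dport=None, sport=None):
    """Return the first entry the flow matches, or the implicit deny at the end of the list."""
    s, d, proto = _ip(src), _ip(dst), proto.lower()
    for e in entries:
        if e["proto"] not in ("ip", proto):    # 'ip' entries match every protocol
            continue
        if not (_in(s, e["src"]) and _in(d, e["dst"])):
            continue
        if e["proto"] in ("tcp", "udp") and not (e["sport"](sport) and e["dport"](dport)):
            continue
        return e
    return {"line": None, "text": "(implicit deny at end of list)", "action": "deny"}


# Constructed sample ACL, not a real deployment.
SAMPLE_ACL = """\
access-list 101 remark border filter (constructed sample)
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 permit tcp any host 203.0.113.10 eq www
access-list 101 permit tcp any host 203.0.113.10 eq 443
access-list 101 permit udp any 203.0.113.0 0.0.0.255 eq domain
access-list 101 permit udp any any range 33434 33534
access-list 101 permit icmp any any
"""


def explain(acl_text, src, dst, proto, dport=None, sport=None):
    hit = evaluate(parse_acl(acl_text), src, dst, proto, dport, sport)
    where = f"line {hit['line']}" if hit["line"] else "no line"
    return f"{proto}/{dport} {src} -> {dst}: {hit['action'].upper()} by {where}: {hit['text']}"


if __name__ == "__main__":
    for flow in [("198.51.100.7", "203.0.113.10", "tcp", 80),
                 ("10.3.4.5", "203.0.113.10", "tcp", 80),
                 ("198.51.100.7", "203.0.113.10", "tcp", 8080)]:
        print(explain(SAMPLE_ACL, *flow))
```

Two caveats for anyone who uses something like this against a border router ACL. First, it answers only what the ACL text says; NAT, the inbound/outbound direction the list is applied in, and other features in the device's forwarding path can still change the real outcome, which is why the packet-tracer command recommended earlier in the thread is the authoritative check on an ASA. Second, the parser is written for IOS syntax (wildcard masks); ASA ACLs use subnet masks and object-groups, so `_take_addr` and the port handling would need adapting before pointing it at an ASA config.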

New Member

Re: Access List Tool

Please check if solsoft firewall manager is appropriate for what you are looking for.

New Member

Re: Access List Tool

You can add the parameter "log" at the end of every ACL entry, such as

access-list 101 permit ip host 1.1.1.1 any log

access-list 101 permit ip host 2.2.2.2 any

access-list 101 permit ip host 3.3.3.3 any log

and then "show logging" will show you which IP flows hit ...
