Cisco Support Community

New Member

ACL maker

Is there such a tool (GUI perhaps) to easily create ACLs?

Also, I've always been wondering why, when you create an ACL then go back and try to add a line, it wipes out all the ACL...?!? How do you add 1 line to a complicated ACL list without retyping the whole ACL itself? Or is there no other choice?

1 ACCEPTED SOLUTION

Re: ACL maker

Wireshark has the ability to create an ACL from a captured packet. Navigate as follows: Wireshark | Analyze menu | Firewall ACL Rules.

http://www.wireshark.org/

With regard to the addition of an Access Control Entry (ACE) to an existing ACL:

Let's assume you had an ACL named ACL-Example. Do a "show ip access-list ACL-Example".

Note the sequence numbers beside the ACEs (they probably start at 10 and increment by 10s).

Let's assume you saw this:

10 permit tcp any any eq www

20 permit tcp any any eq smtp

You might decide that you wanted to place a new ACE between these two ACEs. You would specify a sequence number between 10 and 20.

e.g.:

devicename(config)# ip access-list extended ACL-Example
devicename(config-ext-nacl)# 15 permit tcp any any eq ftp
devicename(config-ext-nacl)# ex
devicename(config)# ip access-list resequence ACL-Example 10 10

This would resequence the ACEs, starting at 10, and incrementing by 10.

Exit configuration mode, do a "show ip access-list ACL-Example", and verify the result:

e.g.:

10 permit tcp any any eq www

20 permit tcp any any eq ftp

30 permit tcp any any eq smtp
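The insert-then-resequence procedure above, modelled as an added Python helper (not code from the post or from Cisco): it parses constructed "show ip access-list" output, refuses a sequence number that is already in use (as IOS does), emits the config commands, and predicts the ACL after "ip access-list resequence". The header line and trailing "(N matches)" counters in the sample are assumptions about show output format.

```python
import re
from typing import List, Tuple

# Constructed sample of "show ip access-list ACL-Example" output, based on the post.
SHOW_OUTPUT = """Extended IP access list ACL-Example
    10 permit tcp any any eq www (42 matches)
    20 permit tcp any any eq smtp
"""

ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*)$")
MATCHES_RE = re.compile(r"\s*\(\d+ matches?\)$")

def parse_aces(show_output: str) -> List[Tuple[int, str]]:
    """Return sorted (sequence, ace_text) pairs; header and match counters are dropped."""
    aces = []
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            text = MATCHES_RE.sub("", f"{m.group(2)} {m.group(3)}").strip()
            aces.append((int(m.group(1)), text))
    return sorted(aces)

def insert_ace(aces, seq: int, ace_text: str):
    """Insert a new ACE at sequence `seq`; IOS rejects a sequence already in use."""
    if any(s == seq for s, _ in aces):
        raise ValueError(f"sequence {seq} already in use")
    return sorted(aces + [(seq, ace_text)])

def resequence(aces, start: int = 10, step: int = 10):
    """Model 'ip access-list resequence <name> <start> <step>': renumber in order."""
    return [(start + i * step, text) for i, (_, text) in enumerate(aces)]

def plan_change(name, show_output, seq, ace_text, start=10, step=10):
    """Return (config commands to type, expected ACL after the change).

    The position of the new ACE is fixed by `seq` relative to the existing
    numbers, so verify the returned list before applying the commands.
    """
    aces = insert_ace(parse_aces(show_output), seq, ace_text)
    commands = [
        f"ip access-list extended {name}",
        f" {seq} {ace_text}",
        " exit",
        f"ip access-list resequence {name} {start} {step}",
    ]
    return commands, resequence(aces, start, step)

if __name__ == "__main__":
    cmds, expected = plan_change("ACL-Example", SHOW_OUTPUT, 15, "permit tcp any any eq ftp")
    print("\n".join(cmds))
    for seq, text in expected:
        print(seq, text)
```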

3 REPLIES

New Member

Re: ACL maker

Excellent!

Thanks for the reply, I did not know about this numbering of ACL lines...

New Member

ACL maker

Here we go, I found a site that creates ACLs for PIX/ASA and FWSM:

http://freeacl.com/
