Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57

Answered (Verified) This post has 2 verified answers | 11 Replies | 2 Followers | 958 Views


rmaxam posted on Fri, Nov 13 2009 3:21 PM

After upgrading to 4.10... I saw the new Cisco ACL editor gadget and was curious to give it a try.

First thing I observed is that it doesn't appear to support 'named' ACL groups - No acl entries are displayed when I try to show/filter on a specific group name.

Secondly, in those router configurations where I am using numbered access lists, the utility seems to 'miss' some of the groups that I have defined. The acl group(s) in question don't even appear in the 'show group' list.  And in other cases it will display a configured group, but it doesn't list out all of its specific ACL entries.

Was curious to know if anyone else is experiencing the same kind of behavior?

Thanks


All Replies


SolarWinds Employee
floyd.may replied on Fri, Nov 13 2009 3:32 PM

Can you post a small example config that doesn't work how it should?

Floyd May
Toolset Software Engineer
SolarWinds


rmaxam replied on Fri, Nov 13 2009 4:55 PM

Little more than a small example... Below are all the configured access-lists for one of our routers.  (remarks and IPs changed in some cases for privacy)  Only the entries in bold are shown when the 'show group' or 'show all acl' is selected within the editor.  Everything else seems to be ignored.

Note: the capture below was taken directly from the 'show entire config'.

Thanks- Ron

----------------------------------------------------------------------------------

access-list 101 remark Site A-Crypto
access-list 101 permit ip 10.9.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.3.255 10.1.0.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.3.255 10.9.1.0 0.0.0.255
access-list 101 permit ip 10.9.0.0 0.0.0.255 10.9.1.0 0.0.0.255
access-list 101 permit ip 10.200.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 permit ip 10.200.0.0 0.0.0.255 10.9.1.0 0.0.0.255

access-list 102 remark US to Site B-crypto
access-list 102 permit ip 10.7.0.0 0.0.0.255 192.168.204.0 0.0.0.255
access-list 102 permit ip 10.9.0.0 0.0.0.255 192.168.204.0 0.0.0.255


access-list 103 remark US to Site C-Crypto
access-list 103 permit ip 10.0.0.0 0.0.3.255 10.4.0.0 0.0.255.255
access-list 103 permit ip 10.200.0.0 0.0.0.255 10.4.0.0 0.0.255.255


access-list 110 remark Dynamic NAT List
access-list 110 deny   ip 10.200.0.0 0.0.0.255 192.168.204.0 0.0.0.255
access-list 110 deny   ip 10.42.0.0 0.0.3.255 192.168.204.0 0.0.0.255
access-list 110 deny   ip 10.0.0.0 0.0.3.255 192.168.204.0 0.0.0.255
access-list 110 deny   ip 10.200.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 110 deny   ip 10.100.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 110 deny   ip 10.0.0.0 0.0.3.255 10.1.0.0 0.0.0.255
access-list 110 deny   ip 10.200.0.0 0.0.0.255 10.9.1.0 0.0.0.255
access-list 110 deny   ip 10.100.0.0 0.0.0.255 10.9.1.0 0.0.0.255
access-list 110 deny   ip 10.0.0.0 0.0.3.255 10.9.1.0 0.0.0.255
access-list 110 deny   ip 10.0.0.0 0.0.3.255 10.4.0.0 0.0.255.255
access-list 110 deny   ip 10.200.0.0 0.0.0.255 10.4.0.0 0.0.255.255
access-list 110 deny   ip host 10.100.0.50 any
access-list 110 permit ip 10.8.0.0 0.0.0.255 any
access-list 110 permit udp host 10.7.1.2 any eq ntp
access-list 110 permit ip 10.42.0.0 0.0.3.255 any
access-list 110 permit ip 10.0.0.0 0.0.3.255 any
access-list 110 permit ip 10.100.0.0 0.0.0.255 any
access-list 110 permit ip 10.200.0.0 0.0.0.255 any
access-list 110 permit ip host 10.7.0.3 any

access-list 111 remark Static NAT List
access-list 111 deny   ip host 10.7.0.2 192.168.204.0 0.0.0.255
access-list 111 deny   ip host 10.7.0.1 192.168.204.0 0.0.0.255
access-list 111 deny   ip 10.9.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 111 deny   ip 10.9.0.0 0.0.0.255 10.9.1.0 0.0.0.255
access-list 111 deny   ip 10.9.0.0 0.0.0.255 10.4.0.0 0.0.255.255
access-list 111 permit ip host 10.7.0.2 any
access-list 111 permit ip 10.9.0.0 0.0.0.255 any
access-list 111 permit ip 10.10.0.0 0.0.0.255 any

access-list 112 remark Inside to Site B NAT
access-list 112 permit ip 10.0.0.0 0.0.3.255 192.168.204.0 0.0.0.255
access-list 112 permit ip 10.200.0.0 0.0.0.255 192.168.204.0 0.0.0.255
access-list 112 permit ip 10.42.0.0 0.0.3.255 192.168.204.0 0.0.0.255
access-list 112 deny   ip any any

access-list 120 remark INBOUND RULES
access-list 120 remark P2P-VPN
access-list 120 permit esp any any
access-list 120 permit udp any eq isakmp any eq isakmp
access-list 120 remark ICMP_&_Established-TCP
access-list 120 permit tcp any any established
access-list 120 permit icmp any any echo
access-list 120 permit icmp any any echo-reply
access-list 120 deny   icmp any host 1.1.1.1 packet-too-big
access-list 120 permit icmp any any ttl-exceeded
access-list 120 permit icmp any any unreachable
access-list 120 remark VPN
access-list 120 permit udp any host 1.1.1.1 eq 1194
access-list 120 permit tcp any host 1.1.1.1 eq 22
access-list 120 remark SCP
access-list 120 permit tcp any host 1.1.1.1 eq 22
access-list 120 remark Jabber
access-list 120 permit tcp any host 1.1.1.1  eq 5222
access-list 120 permit tcp any host 1.1.1.1 eq 5269
access-list 120 remark Mail
access-list 120 permit tcp any host 1.1.1.1 eq pop3
access-list 120 permit tcp any host 1.1.1.1 eq smtp
access-list 120 remark Tyrus
access-list 120 permit tcp any host 1.1.1.1 eq 443
access-list 120 permit tcp any host 1.1.1.1 eq pop3
access-list 120 permit tcp any host 1.1.1.1 eq smtp
access-list 120 permit tcp any host 1.1.1.1 eq 995
access-list 120 permit tcp any host 1.1.1.1 eq 587
access-list 120 permit tcp any host 1.1.1.1 eq 443
access-list 120 remark Web
access-list 120 permit tcp any host 1.1.1.1 eq 443
access-list 120 remark Cumulus
access-list 120 permit tcp any host 1.1.1.1 eq 443
access-list 120 permit tcp any host 1.1.1.1 eq www
access-list 120 remark Video Conference
access-list 120 permit tcp any host 1.1.1.1 eq 1720
access-list 120 permit tcp any host 1.1.1.1 range 3230 3235
access-list 120 permit udp any host 1.1.1.1 eq 1720
access-list 120 permit udp any host 1.1.1.1 170.25.140 eq 1719
access-list 120 permit udp any host 1.1.1.1 range 3230 3253
access-list 120 permit udp any host 1.1.1.1 eq ntp
access-list 120 remark tsg
access-list 120 permit tcp any host 1.1.1.1 eq 443


access-list 180 remark WAN Fail Test
access-list 180 deny   ip host 10.7.0.2 host 1.1.1.1
access-list 180 deny   icmp host 10.7.0.2 host 1.1.1.1 echo
access-list 180 permit ip any any

access-list 190 remark to VoIP
access-list 190 permit udp any any range 49152 49248
access-list 190 permit tcp any any range 1719 1720
access-list 190 permit tcp any any eq 10025
access-list 190 permit udp any any eq 10025


SolarWinds Employee
floyd.may replied on Mon, Nov 16 2009 10:36 AM

Looking through this now.  Thanks for your patience!

Floyd May
Toolset Software Engineer
SolarWinds


SolarWinds Employee
floyd.may replied on Mon, Nov 16 2009 11:37 AM

Can you help me understand what this line is doing?

access-list 120 permit udp any host 1.1.1.1 170.25.140 eq 1719

The Cisco devices I'm testing against don't like it.

Floyd May
Toolset Software Engineer
SolarWinds


rmaxam replied on Mon, Nov 16 2009 12:01 PM

Yes... sorry, that was a typo from my 'editing' of the ACL prior to posting.

The line should look like:

access-list 120 permit udp any host 1.1.1.1 eq 1719

where 1.1.1.1 would otherwise represent a public IP on our network.  Thanks for your help!

Ron


SolarWinds Employee
Answered (Verified) floyd.may replied on Mon, Nov 16 2009 1:09 PM
Verified by rmaxam

I have a fix for you.  The attached zip file has a couple of XML files in it, Grammar.xml and extended_acl.xml.  Replace the files at C:\Program Files\SolarWinds\Toolset\Grammar\ with the attached files.  Be sure to back up the existing files, and restart Workspace Studio.  Please post back and let me know if this gives you the behavior you expect.

Thanks!

Floyd May
Toolset Software Engineer
SolarWinds


rmaxam replied on Mon, Nov 16 2009 1:24 PM

Thanks Floyd, I'll take a look at it.  Would this 'fix' perhaps also resolve a similar issue with 'named' acls?

I didn't send you a sample of that scenario, but I did mention it briefly in my initial post.   - Regards,  Ron


SolarWinds Employee
floyd.may replied on Mon, Nov 16 2009 2:52 PM

My suspicion is that the same thing that was preventing recognition of the posted sample ACLs is responsible for the named ACLs not being recognized.  If not, let me know (preferably with a sample =) ) and I'll investigate further.

Floyd May
Toolset Software Engineer
SolarWinds


rmaxam replied on Mon, Nov 16 2009 3:15 PM

Initial testing using the 'numbered' acl method appears to be working now.  However, when the same access-lists are configured as named, there are still some issues.

Below is a <show all acl text> for the same ACLs, but as named ACLs... most of the output is missing:

-----------------------------------------snip---------------------------------------

ip access-list extended canada-crypto
ip access-list extended donorware-crypto
 permit ip 10.7.0.0 0.0.0.255 192.168.204.0 0.0.0.255
 permit ip 10.9.0.0 0.0.0.255 192.168.204.0 0.0.0.255
ip access-list extended donorware-nat
ip access-list extended dynamic-nat
ip access-list extended inbound-rules
ip access-list extended india-crypto
ip access-list extended static-nat
ip access-list extended test-tcp
 deny   ip host 10.7.0.2 host 1.1.1.1
 deny   icmp host 10.7.0.2 host 1.1.1.1 echo
 permit ip any any
ip access-list extended voip

--------------------------------------------- snip -----------------------------------------

And the configuration is:

ip access-list extended canada-crypto
 remark US to Canada
 permit ip 10.9.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.3.255 10.1.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.3.255 10.9.1.0 0.0.0.255
 permit ip 10.9.0.0 0.0.0.255 10.9.1.0 0.0.0.255
 permit ip 10.200.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 permit ip 10.200.0.0 0.0.0.255 10.9.1.0 0.0.0.255
ip access-list extended donorware-crypto
 permit ip 10.7.0.0 0.0.0.255 192.168.204.0 0.0.0.255
 permit ip 10.9.0.0 0.0.0.255 192.168.204.0 0.0.0.255
ip access-list extended donorware-nat
 remark Private Vendor NAT
 permit ip 10.0.0.0 0.0.3.255 192.168.204.0 0.0.0.255
 permit ip 10.200.0.0 0.0.0.255 192.168.204.0 0.0.0.255
 permit ip 10.42.0.0 0.0.3.255 192.168.204.0 0.0.0.255
 deny   ip any any
ip access-list extended dynamic-nat
 remark Dynamic NAT List
 deny   ip 10.200.0.0 0.0.0.255 192.168.204.0 0.0.0.255
 deny   ip 10.42.0.0 0.0.3.255 192.168.204.0 0.0.0.255
 deny   ip 10.0.0.0 0.0.3.255 192.168.204.0 0.0.0.255
 deny   ip 10.200.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 deny   ip 10.100.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 deny   ip 10.0.0.0 0.0.3.255 10.1.0.0 0.0.0.255
 deny   ip 10.200.0.0 0.0.0.255 10.9.1.0 0.0.0.255
 deny   ip 10.100.0.0 0.0.0.255 10.9.1.0 0.0.0.255
 deny   ip 10.0.0.0 0.0.3.255 10.9.1.0 0.0.0.255
 deny   ip 10.0.0.0 0.0.3.255 10.4.0.0 0.0.255.255
 deny   ip 10.200.0.0 0.0.0.255 10.4.0.0 0.0.255.255
 deny   ip host 10.100.0.50 any
 permit ip 10.8.0.0 0.0.0.255 any
 permit udp host 10.7.1.2 any eq ntp
 permit ip 10.42.0.0 0.0.3.255 any
 permit ip 10.0.0.0 0.0.3.255 any
 permit ip 10.100.0.0 0.0.0.255 any
 permit ip 10.200.0.0 0.0.0.255 any
 permit ip host 10.7.0.3 any
ip access-list extended inbound-rules
 remark P2P-VPN
 permit esp any any
 permit udp any eq isakmp any eq isakmp
 remark ICMP_&_Established-TCP
 permit tcp any any established
 permit icmp any any echo
 permit icmp any any echo-reply
 deny   icmp any host 1.1.1.1 packet-too-big
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
 remark VPN
 permit udp any host 1.1.1.1 eq 1194
 permit tcp any host 1.1.1.1 eq 22
 remark SCP
 permit tcp any host 1.1.1.1 eq 22
 remark Jabber
 permit tcp any host 1.1.1.1 eq 5222
 permit tcp any host 1.1.1.1 eq 5269
 remark Mail
 permit tcp any host 1.1.1.1 eq pop3
 permit tcp any host 1.1.1.1 eq smtp
 remark host A
 permit tcp any host 1.1.1.1 eq 443
 permit tcp any host 1.1.1.1 eq pop3
 permit tcp any host 1.1.1.1 eq smtp
 permit tcp any host 1.1.1.1 eq 995
 permit tcp any host 1.1.1.1 eq 587
 permit tcp any host 1.1.1.1 eq 443
 remark Webnet
 permit tcp any host 1.1.1.1 eq 443
 remark Cumulus
 permit tcp any host 1.1.1.1 eq 443
 permit tcp any host 1.1.1.1 eq www
 remark Conference
 permit tcp any host 1.1.1.1 eq 1720
 permit tcp any host 1.1.1.1 range 3230 3235
 permit udp any host 1.1.1.1 eq 1720
 permit udp any host 1.1.1.1 eq 1719
 permit udp any host 1.1.1.1 range 3230 3253
 permit udp any host 1.1.1.1 eq ntp
 permit tcp any host 1.1.1.1 eq 443
ip access-list extended india-crypto
 remark US to India
 permit ip 10.0.0.0 0.0.3.255 10.4.0.0 0.0.255.255
 permit ip 10.200.0.0 0.0.0.255 10.4.0.0 0.0.255.255
ip access-list extended static-nat
 remark static-nat List
 deny   ip host 10.7.0.2 192.168.204.0 0.0.0.255
 deny   ip host 10.7.0.1 192.168.204.0 0.0.0.255
 deny   ip 10.9.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 deny   ip 10.9.0.0 0.0.0.255 10.9.1.0 0.0.0.255
 deny   ip 10.9.0.0 0.0.0.255 10.4.0.0 0.0.255.255
 permit ip host 10.7.0.2 any
 permit ip 10.9.0.0 0.0.0.255 any
 permit ip 10.10.0.0 0.0.0.255 any
ip access-list extended test-tcp
 deny   ip host 10.7.0.2 host 1.1.1.1
 deny   icmp host 10.7.0.2 host 1.1.1.1 echo
 permit ip any any
ip access-list extended voip
 remark to VoIP
 permit udp any any range 49152 49248
 permit tcp any any range 1719 1720
 permit tcp any any eq 10025
 permit udp any any eq 10025

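As an added example (not code from the thread, and not SolarWinds' Grammar.xml or extended_acl.xml), here is a small Python parser that covers both the numbered and the named extended-ACL forms posted above. The second value it returns is the part an operator should care about: an ACL tool ought to report lines its grammar cannot handle, such as the malformed line 120 discussed earlier, instead of silently dropping the entry or the whole group, because a policy view with entries missing is more dangerous than no view at all.

```python
import re
from collections import OrderedDict
# Constructed sample mixing both ACL styles from the thread, including the
# malformed line (stray "170.25.140") that the editor could not digest.
SAMPLE = """\
access-list 101 remark Site A-Crypto
access-list 101 permit ip 10.9.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 120 permit udp any host 1.1.1.1 170.25.140 eq 1719
access-list 120 permit tcp any host 1.1.1.1  range 3230 3235
ip access-list extended test-tcp
 deny   ip host 10.7.0.2 host 1.1.1.1
 deny   icmp host 10.7.0.2 host 1.1.1.1 echo
 permit ip any any
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ADDR = rf"(?:any|host {IPV4}|{IPV4} {IPV4})"   # any | host A | network wildcard
def _ports(name):  # optional TCP/UDP port qualifier after an address
    return rf"(?: (?P<{name}>(?:eq|lt|gt|neq) \S+|range \S+ \S+))?"
# trailing flags: "established", ICMP types such as echo / packet-too-big, "log"
ENTRY = re.compile(
    rf"^(?P<action>permit|deny) (?P<proto>\S+) (?P<src>{ADDR}){_ports('sport')}"
    rf" (?P<dst>{ADDR}){_ports('dport')}(?: (?P<flags>[a-z][a-z-]*))?$"
)
def parse_acls(text):
    """Return (OrderedDict name -> entries, lines that did not parse); remarks are kept."""
    acls, bad, current = OrderedDict(), [], None
    for raw in text.splitlines():
        line = " ".join(raw.split())                 # collapse runs of spaces
        if not line:
            continue
        if line.startswith("access-list "):          # numbered: id on every line
            _, current, line = (line.split(" ", 2) + [""])[:3]
        elif line.startswith("ip access-list "):     # named: header opens a block
            current = line.split()[-1]
            acls.setdefault(current, [])
            continue
        elif current is None or not raw[:1].isspace():
            bad.append(raw)
            continue
        entries = acls.setdefault(current, [])
        if line.startswith("remark "):
            entries.append(("remark", line[7:]))
        elif (m := ENTRY.match(line)):
            entries.append((m["action"], m["proto"], m["src"], m["sport"],
                            m["dst"], m["dport"], m["flags"]))
        else:
            bad.append(raw)                          # report, never silently drop
    return acls, bad
```

Running it on the full dumps posted in this thread gives one quick check: the number of rules and remarks per ACL name should equal the number of lines in the raw config, and anything in the second list is either a typo in the config or a gap in the tool's grammar.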

SolarWinds Employee
Answered (Verified) floyd.may replied on Mon, Nov 16 2009 3:43 PM
Verified by rmaxam

Found the problem.  New file attached.  Replace same as before.

Floyd May
Toolset Software Engineer
SolarWinds


rmaxam replied on Mon, Nov 16 2009 4:08 PM

Floyd - That did the trick.  Thanks for your help in resolving this!   -Ron

© 2003 - 2010 SolarWinds, Inc. All Rights Reserved.