-
Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57
floyd.may Nov 13, 2009 3:32 PM (in response to rmaxam)
Can you post a small example config that doesn't work how it should?
-
Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57
rmaxam Nov 13, 2009 4:55 PM (in response to floyd.may)
Little more than a small example... Below are all the configured access-lists for one of our routers. (Remarks and IPs changed in some cases for privacy.) Only the entries in bold are shown when 'show group' or 'show all acl' is selected within the editor. Everything else seems to be ignored.
Note: the capture below was taken directly from the 'show entire config'.
Thanks- Ron
----------------------------------------------------------------------------------
access-list 101 remark Site A-Crypto
access-list 101 permit ip 10.9.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.3.255 10.1.0.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.3.255 10.9.1.0 0.0.0.255
access-list 101 permit ip 10.9.0.0 0.0.0.255 10.9.1.0 0.0.0.255
access-list 101 permit ip 10.200.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 permit ip 10.200.0.0 0.0.0.255 10.9.1.0 0.0.0.255
access-list 102 remark US to Site B-crypto
access-list 102 permit ip 10.7.0.0 0.0.0.255 192.168.204.0 0.0.0.255
access-list 102 permit ip 10.9.0.0 0.0.0.255 192.168.204.0 0.0.0.255
access-list 103 remark US to Site C-Crypto
access-list 103 permit ip 10.0.0.0 0.0.3.255 10.4.0.0 0.0.255.255
access-list 103 permit ip 10.200.0.0 0.0.0.255 10.4.0.0 0.0.255.255
access-list 110 remark Dynamic NAT List
access-list 110 deny ip 10.200.0.0 0.0.0.255 192.168.204.0 0.0.0.255
access-list 110 deny ip 10.42.0.0 0.0.3.255 192.168.204.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.3.255 192.168.204.0 0.0.0.255
access-list 110 deny ip 10.200.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 110 deny ip 10.100.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.3.255 10.1.0.0 0.0.0.255
access-list 110 deny ip 10.200.0.0 0.0.0.255 10.9.1.0 0.0.0.255
access-list 110 deny ip 10.100.0.0 0.0.0.255 10.9.1.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.3.255 10.9.1.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.3.255 10.4.0.0 0.0.255.255
access-list 110 deny ip 10.200.0.0 0.0.0.255 10.4.0.0 0.0.255.255
access-list 110 deny ip host 10.100.0.50 any
access-list 110 permit ip 10.8.0.0 0.0.0.255 any
access-list 110 permit udp host 10.7.1.2 any eq ntp
access-list 110 permit ip 10.42.0.0 0.0.3.255 any
access-list 110 permit ip 10.0.0.0 0.0.3.255 any
access-list 110 permit ip 10.100.0.0 0.0.0.255 any
access-list 110 permit ip 10.200.0.0 0.0.0.255 any
access-list 110 permit ip host 10.7.0.3 any
access-list 111 remark Static NAT List
access-list 111 deny ip host 10.7.0.2 192.168.204.0 0.0.0.255
access-list 111 deny ip host 10.7.0.1 192.168.204.0 0.0.0.255
access-list 111 deny ip 10.9.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 111 deny ip 10.9.0.0 0.0.0.255 10.9.1.0 0.0.0.255
access-list 111 deny ip 10.9.0.0 0.0.0.255 10.4.0.0 0.0.255.255
access-list 111 permit ip host 10.7.0.2 any
access-list 111 permit ip 10.9.0.0 0.0.0.255 any
access-list 111 permit ip 10.10.0.0 0.0.0.255 any
access-list 112 remark Inside to Site B NAT
access-list 112 permit ip 10.0.0.0 0.0.3.255 192.168.204.0 0.0.0.255
access-list 112 permit ip 10.200.0.0 0.0.0.255 192.168.204.0 0.0.0.255
access-list 112 permit ip 10.42.0.0 0.0.3.255 192.168.204.0 0.0.0.255
access-list 112 deny ip any any
access-list 120 remark INBOUND RULES
access-list 120 remark P2P-VPN
access-list 120 permit esp any any
access-list 120 permit udp any eq isakmp any eq isakmp
access-list 120 remark ICMP_&_Established-TCP
access-list 120 permit tcp any any established
access-list 120 permit icmp any any echo
access-list 120 permit icmp any any echo-reply
access-list 120 deny icmp any host 1.1.1.1 packet-too-big
access-list 120 permit icmp any any ttl-exceeded
access-list 120 permit icmp any any unreachable
access-list 120 remark VPN
access-list 120 permit udp any host 1.1.1.1 eq 1194
access-list 120 permit tcp any host 1.1.1.1 eq 22
access-list 120 remark SCP
access-list 120 permit tcp any host 1.1.1.1 eq 22
access-list 120 remark Jabber
access-list 120 permit tcp any host 1.1.1.1 eq 5222
access-list 120 permit tcp any host 1.1.1.1 eq 5269
access-list 120 remark Mail
access-list 120 permit tcp any host 1.1.1.1 eq pop3
access-list 120 permit tcp any host 1.1.1.1 eq smtp
access-list 120 remark Tyrus
access-list 120 permit tcp any host 1.1.1.1 eq 443
access-list 120 permit tcp any host 1.1.1.1 eq pop3
access-list 120 permit tcp any host 1.1.1.1 eq smtp
access-list 120 permit tcp any host 1.1.1.1 eq 995
access-list 120 permit tcp any host 1.1.1.1 eq 587
access-list 120 permit tcp any host 1.1.1.1 eq 443
access-list 120 remark Web
access-list 120 permit tcp any host 1.1.1.1 eq 443
access-list 120 remark Cumulus
access-list 120 permit tcp any host 1.1.1.1 eq 443
access-list 120 permit tcp any host 1.1.1.1 eq www
access-list 120 remark Video Conference
access-list 120 permit tcp any host 1.1.1.1 eq 1720
access-list 120 permit tcp any host 1.1.1.1 range 3230 3235
access-list 120 permit udp any host 1.1.1.1 eq 1720
access-list 120 permit udp any host 1.1.1.1 170.25.140 eq 1719
access-list 120 permit udp any host 1.1.1.1 range 3230 3253
access-list 120 permit udp any host 1.1.1.1 eq ntp
access-list 120 remark tsg
access-list 120 permit tcp any host 1.1.1.1 eq 443
access-list 180 remark WAN Fail Test
access-list 180 deny ip host 10.7.0.2 host 1.1.1.1
access-list 180 deny icmp host 10.7.0.2 host 1.1.1.1 echo
access-list 180 permit ip any any
access-list 190 remark to VoIP
access-list 190 permit udp any any range 49152 49248
access-list 190 permit tcp any any range 1719 1720
access-list 190 permit tcp any any eq 10025
access-list 190 permit udp any any eq 10025
-
Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57
floyd.may Nov 16, 2009 10:36 AM (in response to rmaxam)
Looking through this now. Thanks for your patience!
-
Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57
floyd.may Nov 16, 2009 11:37 AM (in response to floyd.may)
Can you help me understand what this line is doing?
access-list 120 permit udp any host 1.1.1.1 170.25.140 eq 1719
The Cisco devices I'm testing against don't like it.
-
Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57
rmaxam Nov 16, 2009 12:01 PM (in response to floyd.may)
Yes... sorry, that was a typo from my 'editing' of the ACL prior to posting.
The line should look like:
access-list 120 permit udp any host 1.1.1.1 eq 1719
where 1.1.1.1 would otherwise represent a public IP on our network. Thanks for your help!
Ron
-
Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57
floyd.may Nov 16, 2009 1:09 PM (in response to rmaxam)
I have a fix for you. The attached zip file has a couple of XML files in it, Grammar.xml and extended_acl.xml. Replace the files at C:\Program Files\SolarWinds\Toolset\Grammar\ with the attached files. Be sure to back up the existing files, and restart Workspace Studio. Please post back and let me know if this gives you the behavior you expect.
Thanks!
-
grammar_files.zip 2.6 KB
-
Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57
rmaxam Nov 16, 2009 1:24 PM (in response to floyd.may)
Thanks Floyd, I'll take a look at it. Would this 'fix' perhaps also resolve a similar issue with 'named' acls?
I didn't send you a sample of that scenario, but I did mention it briefly in my initial post.
Regards, Ron
-
Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57
floyd.may Nov 16, 2009 2:52 PM (in response to rmaxam)
My suspicion is that the same thing that was preventing recognition of the posted sample ACLs is responsible for the named ACLs not being recognized. If not, let me know (preferably with a sample =) ) and I'll investigate further.
-
Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57
rmaxam Nov 16, 2009 3:15 PM (in response to floyd.may)
Initial testing using the 'numbered' acl method appears to be working now. However, when the same access-lists are configured as named, there are still some issues.
Below is a <show all acl text> for the same ACLs, but as named ACLs... most of the output is missing:
-----------------------------------------snip---------------------------------------
ip access-list extended canada-crypto
ip access-list extended donorware-crypto
permit ip 10.7.0.0 0.0.0.255 192.168.204.0 0.0.0.255
permit ip 10.9.0.0 0.0.0.255 192.168.204.0 0.0.0.255
ip access-list extended donorware-nat
ip access-list extended dynamic-nat
ip access-list extended inbound-rules
ip access-list extended india-crypto
ip access-list extended static-nat
ip access-list extended test-tcp
deny ip host 10.7.0.2 host 1.1.1.1
deny icmp host 10.7.0.2 host 1.1.1.1 echo
permit ip any any
ip access-list extended voip
--------------------------------------------- snip -----------------------------------------
And the configuration is:
ip access-list extended canada-crypto
remark US to Canada
permit ip 10.9.0.0 0.0.0.255 10.1.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.3.255 10.1.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.3.255 10.9.1.0 0.0.0.255
permit ip 10.9.0.0 0.0.0.255 10.9.1.0 0.0.0.255
permit ip 10.200.0.0 0.0.0.255 10.1.0.0 0.0.0.255
permit ip 10.200.0.0 0.0.0.255 10.9.1.0 0.0.0.255
ip access-list extended donorware-crypto
permit ip 10.7.0.0 0.0.0.255 192.168.204.0 0.0.0.255
permit ip 10.9.0.0 0.0.0.255 192.168.204.0 0.0.0.255
ip access-list extended donorware-nat
remark Private Vendor NAT
permit ip 10.0.0.0 0.0.3.255 192.168.204.0 0.0.0.255
permit ip 10.200.0.0 0.0.0.255 192.168.204.0 0.0.0.255
permit ip 10.42.0.0 0.0.3.255 192.168.204.0 0.0.0.255
deny ip any any
ip access-list extended dynamic-nat
remark Dynamic NAT List
deny ip 10.200.0.0 0.0.0.255 192.168.204.0 0.0.0.255
deny ip 10.42.0.0 0.0.3.255 192.168.204.0 0.0.0.255
deny ip 10.0.0.0 0.0.3.255 192.168.204.0 0.0.0.255
deny ip 10.200.0.0 0.0.0.255 10.1.0.0 0.0.0.255
deny ip 10.100.0.0 0.0.0.255 10.1.0.0 0.0.0.255
deny ip 10.0.0.0 0.0.3.255 10.1.0.0 0.0.0.255
deny ip 10.200.0.0 0.0.0.255 10.9.1.0 0.0.0.255
deny ip 10.100.0.0 0.0.0.255 10.9.1.0 0.0.0.255
deny ip 10.0.0.0 0.0.3.255 10.9.1.0 0.0.0.255
deny ip 10.0.0.0 0.0.3.255 10.4.0.0 0.0.255.255
deny ip 10.200.0.0 0.0.0.255 10.4.0.0 0.0.255.255
deny ip host 10.100.0.50 any
permit ip 10.8.0.0 0.0.0.255 any
permit udp host 10.7.1.2 any eq ntp
permit ip 10.42.0.0 0.0.3.255 any
permit ip 10.0.0.0 0.0.3.255 any
permit ip 10.100.0.0 0.0.0.255 any
permit ip 10.200.0.0 0.0.0.255 any
permit ip host 10.7.0.3 any
ip access-list extended inbound-rules
remark P2P-VPN
permit esp any any
permit udp any eq isakmp any eq isakmp
remark ICMP_&_Established-TCP
permit tcp any any established
permit icmp any any echo
permit icmp any any echo-reply
deny icmp any host 1.1.1.1 packet-too-big
permit icmp any any ttl-exceeded
permit icmp any any unreachable
remark VPN
permit udp any host 1.1.1.1 eq 1194
permit tcp any host 1.1.1.1 eq 22
remark SCP
permit tcp any host 1.1.1.1 eq 22
remark Jabber
permit tcp any host 1.1.1.1 eq 5222
permit tcp any host 1.1.1.1 eq 5269
remark Mail
permit tcp any host 1.1.1.1 eq pop3
permit tcp any host 1.1.1.1 eq smtp
remark host A
permit tcp any host 1.1.1.1 eq 443
permit tcp any host 1.1.1.1 eq pop3
permit tcp any host 1.1.1.1 eq smtp
permit tcp any host 1.1.1.1 eq 995
permit tcp any host 1.1.1.1 eq 587
permit tcp any host 1.1.1.1 eq 443
remark Webnet
permit tcp any host 1.1.1.1 eq 443
remark Cumulus
permit tcp any host 1.1.1.1 eq 443
permit tcp any host 1.1.1.1 eq www
remark Conference
permit tcp any host 1.1.1.1 eq 1720
permit tcp any host 1.1.1.1 range 3230 3235
permit udp any host 1.1.1.1 eq 1720
permit udp any host 1.1.1.1 eq 1719
permit udp any host 1.1.1.1 range 3230 3253
permit udp any host 1.1.1.1 eq ntp
permit tcp any host 1.1.1.1 eq 443
ip access-list extended india-crypto
remark US to India
permit ip 10.0.0.0 0.0.3.255 10.4.0.0 0.0.255.255
permit ip 10.200.0.0 0.0.0.255 10.4.0.0 0.0.255.255
ip access-list extended static-nat
remark static-nat List
deny ip host 10.7.0.2 192.168.204.0 0.0.0.255
deny ip host 10.7.0.1 192.168.204.0 0.0.0.255
deny ip 10.9.0.0 0.0.0.255 10.1.0.0 0.0.0.255
deny ip 10.9.0.0 0.0.0.255 10.9.1.0 0.0.0.255
deny ip 10.9.0.0 0.0.0.255 10.4.0.0 0.0.255.255
permit ip host 10.7.0.2 any
permit ip 10.9.0.0 0.0.0.255 any
permit ip 10.10.0.0 0.0.0.255 any
ip access-list extended test-tcp
deny ip host 10.7.0.2 host 1.1.1.1
deny icmp host 10.7.0.2 host 1.1.1.1 echo
permit ip any any
ip access-list extended voip
remark to VoIP
permit udp any any range 49152 49248
permit tcp any any range 1719 1720
permit tcp any any eq 10025
permit udp any any eq 10025
-
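Added example, not part of the thread and not the SolarWinds grammar files: a small Python recogniser for both ACL spellings posted above (the numbered `access-list N ...` form and the named `ip access-list extended NAME` form with indented entries). It registers a named list even when it has no entries, rejects a line with a stray partial address such as the `170.25.140` typo discussed earlier, and flags rules repeated verbatim inside one list (inbound-rules carries several identical `eq 443` and `eq 22` entries that can never match after the first). The input is constructed.

```python
import re
# Added example, not the Workspace Studio grammar: recognises numbered
# ("access-list 120 permit ...") and named ("ip access-list extended NAME") ACLs.
NUMBERED = re.compile(r"^access-list\s+(\d+)\s+(.*)$")
NAMED_HDR = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)()$")  # group 2 empty
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}  # operator -> operand count

def rule_is_well_formed(toks):
    """toks = everything after '<permit|deny> <protocol>': src [ports] dst [ports] [flags]."""
    for want_addr in (True, False, True, False):
        if want_addr:  # 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'
            if toks and toks[0] == "any":
                toks = toks[1:]
            elif len(toks) > 1 and IPV4.match(toks[1]) and (toks[0] == "host" or IPV4.match(toks[0])):
                toks = toks[2:]
            else:
                return False
        elif toks and toks[0] in PORT_OPS:  # optional eq/neq/gt/lt/range plus operands
            n = PORT_OPS[toks[0]]
            if len(toks) <= n:
                return False
            toks = toks[1 + n:]
    # Leftovers must be keywords (established, echo, log ...), never a stray number like '170.25.140'.
    return all(t[0].isalpha() for t in toks)

def parse_acls(config_text):
    """Group rules by ACL name/number; remarks are skipped, malformed lines are rejected."""
    acls, rejected, current = {}, [], None
    for line in (l.strip() for l in config_text.splitlines() if l.strip()):
        if m := NAMED_HDR.match(line) or NUMBERED.match(line):
            current, line = m.group(1), m.group(2)
            acls.setdefault(current, [])  # a named header with no entries still counts
        toks = line.split()
        if current is None or not toks or toks[0] == "remark":
            continue
        ok = toks[0] in ("permit", "deny") and rule_is_well_formed(toks[2:])
        (acls[current] if ok else rejected).append(line)
    return acls, rejected

def duplicate_rules(acls):
    """Entries repeated verbatim inside one ACL: they can never match after the first copy."""
    return {n: sorted({r for r in rs if rs.count(r) > 1}) for n, rs in acls.items() if len(set(rs)) < len(rs)}

SAMPLE = """access-list 120 permit udp any eq isakmp any eq isakmp
access-list 120 permit udp any host 1.1.1.1 170.25.140 eq 1719
ip access-list extended inbound-rules
 permit tcp any host 1.1.1.1 eq 22
 permit tcp any host 1.1.1.1 eq 22
"""  # constructed input mixing both spellings and the thread's mistyped line
```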
Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57
floyd.may Nov 16, 2009 3:43 PM (in response to rmaxam)
Found the problem. New file attached. Replace same as before.
-
Grammar.zip 957 bytes
-
Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57
rmaxam Nov 16, 2009 4:08 PM (in response to floyd.may)
Floyd - That did the trick. Thanks for your help in resolving this! -Ron
-
Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57
fcaron Aug 29, 2012 6:40 PM (in response to rmaxam)
We just introduced a new product which should help: FSM, Firewall Security Manager, more here