
Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57

After upgrading to 4.10... I saw the new Cisco ACL editor gadget and was curious to give it a try.

First thing I observed is that it doesn't appear to support 'named' ACL groups: no ACL entries are displayed when I try to show/filter on a specific group name.

Secondly, in those router configurations where I am using numbered access lists, the utility seems to 'miss' some of the groups that I have defined. The ACL group(s) in question don't even appear in the 'show group' list.  And in other cases it will display a configured group, but it doesn't list out all of its specific ACL entries.

Was curious to know if anyone else is experiencing the same kind of behavior?

Thanks

  • Can you post a small example config that doesn't work how it should?

  • Little more than a small example... Below are all the configured access-lists for one of our routers.  (remarks and IPs changed in some cases for privacy)  Only the entries in bold are shown when the 'show group' or 'show all acl' is selected within the editor.  Everything else seems to be ignored.

    Note: the capture below was taken directly from the 'show entire config'.

    Thanks- Ron

    ----------------------------------------------------------------------------------

    access-list 101 remark Site A-Crypto
    access-list 101 permit ip 10.9.0.0 0.0.0.255 10.1.0.0 0.0.0.255
    access-list 101 permit ip 10.0.0.0 0.0.3.255 10.1.0.0 0.0.0.255
    access-list 101 permit ip 10.0.0.0 0.0.3.255 10.9.1.0 0.0.0.255
    access-list 101 permit ip 10.9.0.0 0.0.0.255 10.9.1.0 0.0.0.255
    access-list 101 permit ip 10.200.0.0 0.0.0.255 10.1.0.0 0.0.0.255
    access-list 101 permit ip 10.200.0.0 0.0.0.255 10.9.1.0 0.0.0.255

    access-list 102 remark US to Site B-crypto
    access-list 102 permit ip 10.7.0.0 0.0.0.255 192.168.204.0 0.0.0.255
    access-list 102 permit ip 10.9.0.0 0.0.0.255 192.168.204.0 0.0.0.255


    access-list 103 remark US to Site C-Crypto
    access-list 103 permit ip 10.0.0.0 0.0.3.255 10.4.0.0 0.0.255.255
    access-list 103 permit ip 10.200.0.0 0.0.0.255 10.4.0.0 0.0.255.255


    access-list 110 remark Dynamic NAT List
    access-list 110 deny   ip 10.200.0.0 0.0.0.255 192.168.204.0 0.0.0.255
    access-list 110 deny   ip 10.42.0.0 0.0.3.255 192.168.204.0 0.0.0.255
    access-list 110 deny   ip 10.0.0.0 0.0.3.255 192.168.204.0 0.0.0.255
    access-list 110 deny   ip 10.200.0.0 0.0.0.255 10.1.0.0 0.0.0.255
    access-list 110 deny   ip 10.100.0.0 0.0.0.255 10.1.0.0 0.0.0.255
    access-list 110 deny   ip 10.0.0.0 0.0.3.255 10.1.0.0 0.0.0.255
    access-list 110 deny   ip 10.200.0.0 0.0.0.255 10.9.1.0 0.0.0.255
    access-list 110 deny   ip 10.100.0.0 0.0.0.255 10.9.1.0 0.0.0.255
    access-list 110 deny   ip 10.0.0.0 0.0.3.255 10.9.1.0 0.0.0.255
    access-list 110 deny   ip 10.0.0.0 0.0.3.255 10.4.0.0 0.0.255.255
    access-list 110 deny   ip 10.200.0.0 0.0.0.255 10.4.0.0 0.0.255.255
    access-list 110 deny   ip host 10.100.0.50 any
    access-list 110 permit ip 10.8.0.0 0.0.0.255 any
    access-list 110 permit udp host 10.7.1.2 any eq ntp
    access-list 110 permit ip 10.42.0.0 0.0.3.255 any
    access-list 110 permit ip 10.0.0.0 0.0.3.255 any
    access-list 110 permit ip 10.100.0.0 0.0.0.255 any
    access-list 110 permit ip 10.200.0.0 0.0.0.255 any
    access-list 110 permit ip host 10.7.0.3 any

    access-list 111 remark Static NAT List
    access-list 111 deny   ip host 10.7.0.2 192.168.204.0 0.0.0.255
    access-list 111 deny   ip host 10.7.0.1 192.168.204.0 0.0.0.255
    access-list 111 deny   ip 10.9.0.0 0.0.0.255 10.1.0.0 0.0.0.255
    access-list 111 deny   ip 10.9.0.0 0.0.0.255 10.9.1.0 0.0.0.255
    access-list 111 deny   ip 10.9.0.0 0.0.0.255 10.4.0.0 0.0.255.255
    access-list 111 permit ip host 10.7.0.2 any
    access-list 111 permit ip 10.9.0.0 0.0.0.255 any
    access-list 111 permit ip 10.10.0.0 0.0.0.255 any

    access-list 112 remark Inside to Site B NAT
    access-list 112 permit ip 10.0.0.0 0.0.3.255 192.168.204.0 0.0.0.255
    access-list 112 permit ip 10.200.0.0 0.0.0.255 192.168.204.0 0.0.0.255
    access-list 112 permit ip 10.42.0.0 0.0.3.255 192.168.204.0 0.0.0.255
    access-list 112 deny   ip any any

    access-list 120 remark INBOUND RULES
    access-list 120 remark P2P-VPN
    access-list 120 permit esp any any
    access-list 120 permit udp any eq isakmp any eq isakmp
    access-list 120 remark ICMP_&_Established-TCP
    access-list 120 permit tcp any any established
    access-list 120 permit icmp any any echo
    access-list 120 permit icmp any any echo-reply
    access-list 120 deny   icmp any host 1.1.1.1 packet-too-big
    access-list 120 permit icmp any any ttl-exceeded
    access-list 120 permit icmp any any unreachable
    access-list 120 remark VPN
    access-list 120 permit udp any host 1.1.1.1 eq 1194
    access-list 120 permit tcp any host 1.1.1.1 eq 22
    access-list 120 remark SCP
    access-list 120 permit tcp any host 1.1.1.1 eq 22
    access-list 120 remark Jabber
    access-list 120 permit tcp any host 1.1.1.1  eq 5222
    access-list 120 permit tcp any host 1.1.1.1 eq 5269
    access-list 120 remark Mail
    access-list 120 permit tcp any host 1.1.1.1 eq pop3
    access-list 120 permit tcp any host 1.1.1.1 eq smtp
    access-list 120 remark Tyrus
    access-list 120 permit tcp any host 1.1.1.1 eq 443
    access-list 120 permit tcp any host 1.1.1.1 eq pop3
    access-list 120 permit tcp any host 1.1.1.1 eq smtp
    access-list 120 permit tcp any host 1.1.1.1 eq 995
    access-list 120 permit tcp any host 1.1.1.1 eq 587
    access-list 120 permit tcp any host 1.1.1.1 eq 443
    access-list 120 remark Web
    access-list 120 permit tcp any host 1.1.1.1 eq 443
    access-list 120 remark Cumulus
    access-list 120 permit tcp any host 1.1.1.1 eq 443
    access-list 120 permit tcp any host 1.1.1.1 eq www
    access-list 120 remark Video Conference
    access-list 120 permit tcp any host 1.1.1.1 eq 1720
    access-list 120 permit tcp any host 1.1.1.1 range 3230 3235
    access-list 120 permit udp any host 1.1.1.1 eq 1720
    access-list 120 permit udp any host 1.1.1.1 170.25.140 eq 1719
    access-list 120 permit udp any host 1.1.1.1 range 3230 3253
    access-list 120 permit udp any host 1.1.1.1 eq ntp
    access-list 120 remark tsg
    access-list 120 permit tcp any host 1.1.1.1 eq 443


    access-list 180 remark WAN Fail Test
    access-list 180 deny   ip host 10.7.0.2 host 1.1.1.1
    access-list 180 deny   icmp host 10.7.0.2 host 1.1.1.1 echo
    access-list 180 permit ip any any

    access-list 190 remark to VoIP
    access-list 190 permit udp any any range 49152 49248
    access-list 190 permit tcp any any range 1719 1720
    access-list 190 permit tcp any any eq 10025
    access-list 190 permit udp any any eq 10025

  • Looking through this now.  Thanks for your patience!

  • Can you help me understand what this line is doing?

    access-list 120 permit udp any host 1.1.1.1 170.25.140 eq 1719

    The Cisco devices I'm testing against don't like it.

  • Yes... sorry, that was a typo from my 'editing' of the ACL prior to posting.

    The line should look like:

    access-list 120 permit udp any host 1.1.1.1 eq 1719

    where 1.1.1.1 would otherwise represent a public IP on our network.  Thanks for your help!

    Ron

  • I have a fix for you.  The attached zip file has a couple of XML files in it, Grammar.xml and extended_acl.xml.  Replace the files at C:\Program Files\SolarWinds\Toolset\Grammar\ with the attached files.  Be sure to back up the existing files, and restart Workspace Studio.  Please post back and let me know if this gives you the behavior you expect.

    Thanks!

    grammar_files.zip
  • Thanks Floyd,  I'll take a look at it.  Would this 'fix' perhaps also resolve a similar issue with 'named' acls?

    I didn't send you a sample of that scenario, but I did mention it briefly in my initial post.   - Regards,  Ron

  • My suspicion is that the same thing that was preventing recognition of the posted sample ACLs is responsible for the named ACLs not being recognized.  If not, let me know (preferably with a sample =) ) and I'll investigate further.

  • Initial testing using the 'numbered' acl method appears to be working now.  However, when the same access-lists are configured as named, there are still some issues.

    Below is a <show all acl text> for the same ACLs, but as named ACLs... most of the output is missing:

    -----------------------------------------snip---------------------------------------

    ip access-list extended canada-crypto
    ip access-list extended donorware-crypto
     permit ip 10.7.0.0 0.0.0.255 192.168.204.0 0.0.0.255
     permit ip 10.9.0.0 0.0.0.255 192.168.204.0 0.0.0.255
    ip access-list extended donorware-nat
    ip access-list extended dynamic-nat
    ip access-list extended inbound-rules
    ip access-list extended india-crypto
    ip access-list extended static-nat
    ip access-list extended test-tcp
     deny   ip host 10.7.0.2 host 1.1.1.1
     deny   icmp host 10.7.0.2 host 1.1.1.1 echo
     permit ip any any
    ip access-list extended voip

    --------------------------------------------- snip -----------------------------------------

    And the configuration is:

    ip access-list extended canada-crypto
     remark US to Canada
     permit ip 10.9.0.0 0.0.0.255 10.1.0.0 0.0.0.255
     permit ip 10.0.0.0 0.0.3.255 10.1.0.0 0.0.0.255
     permit ip 10.0.0.0 0.0.3.255 10.9.1.0 0.0.0.255
     permit ip 10.9.0.0 0.0.0.255 10.9.1.0 0.0.0.255
     permit ip 10.200.0.0 0.0.0.255 10.1.0.0 0.0.0.255
     permit ip 10.200.0.0 0.0.0.255 10.9.1.0 0.0.0.255
    ip access-list extended donorware-crypto
     permit ip 10.7.0.0 0.0.0.255 192.168.204.0 0.0.0.255
     permit ip 10.9.0.0 0.0.0.255 192.168.204.0 0.0.0.255
    ip access-list extended donorware-nat
     remark Private Vendor NAT
     permit ip 10.0.0.0 0.0.3.255 192.168.204.0 0.0.0.255
     permit ip 10.200.0.0 0.0.0.255 192.168.204.0 0.0.0.255
     permit ip 10.42.0.0 0.0.3.255 192.168.204.0 0.0.0.255
     deny   ip any any
    ip access-list extended dynamic-nat
     remark Dynamic NAT List
     deny   ip 10.200.0.0 0.0.0.255 192.168.204.0 0.0.0.255
     deny   ip 10.42.0.0 0.0.3.255 192.168.204.0 0.0.0.255
     deny   ip 10.0.0.0 0.0.3.255 192.168.204.0 0.0.0.255
     deny   ip 10.200.0.0 0.0.0.255 10.1.0.0 0.0.0.255
     deny   ip 10.100.0.0 0.0.0.255 10.1.0.0 0.0.0.255
     deny   ip 10.0.0.0 0.0.3.255 10.1.0.0 0.0.0.255
     deny   ip 10.200.0.0 0.0.0.255 10.9.1.0 0.0.0.255
     deny   ip 10.100.0.0 0.0.0.255 10.9.1.0 0.0.0.255
     deny   ip 10.0.0.0 0.0.3.255 10.9.1.0 0.0.0.255
     deny   ip 10.0.0.0 0.0.3.255 10.4.0.0 0.0.255.255
     deny   ip 10.200.0.0 0.0.0.255 10.4.0.0 0.0.255.255
     deny   ip host 10.100.0.50 any
     permit ip 10.8.0.0 0.0.0.255 any
     permit udp host 10.7.1.2 any eq ntp
     permit ip 10.42.0.0 0.0.3.255 any
     permit ip 10.0.0.0 0.0.3.255 any
     permit ip 10.100.0.0 0.0.0.255 any
     permit ip 10.200.0.0 0.0.0.255 any
     permit ip host 10.7.0.3 any
    ip access-list extended inbound-rules
     remark P2P-VPN
     permit esp any any
     permit udp any eq isakmp any eq isakmp
     remark ICMP_&_Established-TCP
     permit tcp any any established
     permit icmp any any echo
     permit icmp any any echo-reply
     deny   icmp any host 1.1.1.1 packet-too-big
     permit icmp any any ttl-exceeded
     permit icmp any any unreachable
     remark VPN
     permit udp any host 1.1.1.1 eq 1194
     permit tcp any host 1.1.1.1 eq 22
     remark SCP
     permit tcp any host 1.1.1.1 eq 22
     remark Jabber
     permit tcp any host 1.1.1.1 eq 5222
     permit tcp any host 1.1.1.1 eq 5269
     remark Mail
     permit tcp any host 1.1.1.1 eq pop3
     permit tcp any host 1.1.1.1 eq smtp
     remark host A
     permit tcp any host 1.1.1.1 eq 443
     permit tcp any host 1.1.1.1 eq pop3
     permit tcp any host 1.1.1.1 eq smtp
     permit tcp any host 1.1.1.1 eq 995
     permit tcp any host 1.1.1.1 eq 587
     permit tcp any host 1.1.1.1 eq 443
     remark Webnet
     permit tcp any host 1.1.1.1 eq 443
     remark Cumulus
     permit tcp any host 1.1.1.1 eq 443
     permit tcp any host 1.1.1.1 eq www
     remark Conference
     permit tcp any host 1.1.1.1 eq 1720
     permit tcp any host 1.1.1.1 range 3230 3235
     permit udp any host 1.1.1.1 eq 1720
     permit udp any host 1.1.1.1 eq 1719
     permit udp any host 1.1.1.1 range 3230 3253
     permit udp any host 1.1.1.1 eq ntp
     permit tcp any host 1.1.1.1 eq 443
    ip access-list extended india-crypto
     remark US to India
     permit ip 10.0.0.0 0.0.3.255 10.4.0.0 0.0.255.255
     permit ip 10.200.0.0 0.0.0.255 10.4.0.0 0.0.255.255
    ip access-list extended static-nat
     remark static-nat List
     deny   ip host 10.7.0.2 192.168.204.0 0.0.0.255
     deny   ip host 10.7.0.1 192.168.204.0 0.0.0.255
     deny   ip 10.9.0.0 0.0.0.255 10.1.0.0 0.0.0.255
     deny   ip 10.9.0.0 0.0.0.255 10.9.1.0 0.0.0.255
     deny   ip 10.9.0.0 0.0.0.255 10.4.0.0 0.0.255.255
     permit ip host 10.7.0.2 any
     permit ip 10.9.0.0 0.0.0.255 any
     permit ip 10.10.0.0 0.0.0.255 any
    ip access-list extended test-tcp
     deny   ip host 10.7.0.2 host 1.1.1.1
     deny   icmp host 10.7.0.2 host 1.1.1.1 echo
     permit ip any any
    ip access-list extended voip
     remark to VoIP
     permit udp any any range 49152 49248
     permit tcp any any range 1719 1720
     permit tcp any any eq 10025
     permit udp any any eq 10025

  • Found the problem.  New file attached.  Replace same as before.

    Grammar.zip
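The thread never says why the editor skipped whole groups, but the property a practitioner wants from any ACL parser or audit script is visible in the exchange above: an entry that does not fit the grammar (like the `170.25.140` line Floyd asked about) should be reported on its own, with the rest of the group and both the numbered and the named forms still accounted for. The following is an added example, not SolarWinds code and not the attached grammar files; the sample config is constructed from ACLs quoted in this thread and the grammar is a deliberately small subset of IOS extended-ACL syntax.

```python
import re
# Constructed sample (not a real device): numbered and named forms from the thread, malformed entry on line 4
SAMPLE_CONFIG = """\
access-list 102 remark US to Site B-crypto
access-list 102 permit ip 10.7.0.0 0.0.0.255 192.168.204.0 0.0.0.255
access-list 120 permit tcp any host 1.1.1.1 range 3230 3235
access-list 120 permit udp any host 1.1.1.1 170.25.140 eq 1719
ip access-list extended test-tcp
 deny   icmp host 10.7.0.2 host 1.1.1.1 echo
 permit ip any any
ip access-list extended voip
 permit udp any any range 49152 49248
"""
# Subset of the IOS extended-ACL grammar: address = any | host A.B.C.D | A.B.C.D WILDCARD, each optionally
# followed by a port operator; one trailing keyword such as 'echo' or 'established' is allowed.
_ADDR = r"(?:any|host \d+\.\d+\.\d+\.\d+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
_PORT = r"(?: (?:eq|gt|lt|neq) \S+| range \S+ \S+)?"
_ENTRY = re.compile(rf"^(permit|deny) (\S+) ({_ADDR}){_PORT} ({_ADDR}){_PORT}(?: ([a-z-]+))?$")

def parse_acls(config):
    """Group entries by ACL id (numbered or named) and return (groups, problems).
    A line that fails the grammar lands in problems; the rest of its group is kept."""
    groups, problems, current = {}, [], None
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = " ".join(raw.split())                    # collapse IOS column padding
        if not line:
            continue
        m = re.match(r"^access-list (\d+) (.*)$", line)
        if m:                                           # numbered: id repeated on every line
            current, body = m.group(1), m.group(2)
        elif line.startswith("ip access-list "):        # named: header line, then indented entries
            current = line.split()[-1]
            groups.setdefault(current, [])
            continue
        elif current and line.split()[0] in ("permit", "deny", "remark"):
            body = line                                 # entry belonging to the current named ACL
        else:
            current = None                              # unrelated config line ends the group
            continue
        entries = groups.setdefault(current, [])
        if body.startswith("remark "):
            entries.append(("remark", body[len("remark "):]))
        elif _ENTRY.match(body):
            entries.append(("entry", body))
        else:                                           # keep the group, flag only this line
            problems.append((lineno, current, raw.strip()))
    return groups, problems

def entry_counts(groups):
    return {acl: sum(k == "entry" for k, _ in e) for acl, e in groups.items()}
```

Running `parse_acls(SAMPLE_CONFIG)` yields all four groups and a single problem record pointing at line 4 of ACL 120, which is the behaviour to compare against when an editor silently shows fewer groups or entries than the running config contains.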