12 Replies Latest reply on Aug 29, 2012 6:40 PM by fcaron

    Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57

    rmaxam

      After upgrading to 4.10... I saw the new Cisco ACL editor gadget and was curious to give it a try.

      First thing I observed is that it doesn't appear to support 'named' ACL groups - No acl entries are displayed when I try to show/filter on a specific group name.

      Secondly.. in those router configurations where I am using numbered access lists, the utility seems to 'miss' some of the groups that I have defined. The acl group(s) in question, don't even appear in the 'show group' list.  And in other cases it will display a configured group, but it doesn't list out all of its specific ACL entries.

      Was curious to know if anyone else is experiencing the same kind of behavior?

      Thanks

        • Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57

          Can you post a small example config that doesn't work how it should?

            • Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57
              rmaxam

              Little more than a small example... Below are all the configured access-lists for one of our routers.  (remarks and IPs changed in some cases for privacy)  Only the entries in bold are shown when the 'show group' or 'show all acl' is selected within the editor.  Everything else seems to be ignored.

              Note: the capture below was taken directly from the 'show entire config'.

              Thanks- Ron

              ----------------------------------------------------------------------------------

              access-list 101 remark Site A-Crypto
              access-list 101 permit ip 10.9.0.0 0.0.0.255 10.1.0.0 0.0.0.255
              access-list 101 permit ip 10.0.0.0 0.0.3.255 10.1.0.0 0.0.0.255
              access-list 101 permit ip 10.0.0.0 0.0.3.255 10.9.1.0 0.0.0.255
              access-list 101 permit ip 10.9.0.0 0.0.0.255 10.9.1.0 0.0.0.255
              access-list 101 permit ip 10.200.0.0 0.0.0.255 10.1.0.0 0.0.0.255
              access-list 101 permit ip 10.200.0.0 0.0.0.255 10.9.1.0 0.0.0.255

              access-list 102 remark US to Site B-crypto
              access-list 102 permit ip 10.7.0.0 0.0.0.255 192.168.204.0 0.0.0.255
              access-list 102 permit ip 10.9.0.0 0.0.0.255 192.168.204.0 0.0.0.255


              access-list 103 remark US to Site C-Crypto
              access-list 103 permit ip 10.0.0.0 0.0.3.255 10.4.0.0 0.0.255.255
              access-list 103 permit ip 10.200.0.0 0.0.0.255 10.4.0.0 0.0.255.255


              access-list 110 remark Dynamic NAT List
              access-list 110 deny   ip 10.200.0.0 0.0.0.255 192.168.204.0 0.0.0.255
              access-list 110 deny   ip 10.42.0.0 0.0.3.255 192.168.204.0 0.0.0.255
              access-list 110 deny   ip 10.0.0.0 0.0.3.255 192.168.204.0 0.0.0.255
              access-list 110 deny   ip 10.200.0.0 0.0.0.255 10.1.0.0 0.0.0.255
              access-list 110 deny   ip 10.100.0.0 0.0.0.255 10.1.0.0 0.0.0.255
              access-list 110 deny   ip 10.0.0.0 0.0.3.255 10.1.0.0 0.0.0.255
              access-list 110 deny   ip 10.200.0.0 0.0.0.255 10.9.1.0 0.0.0.255
              access-list 110 deny   ip 10.100.0.0 0.0.0.255 10.9.1.0 0.0.0.255
              access-list 110 deny   ip 10.0.0.0 0.0.3.255 10.9.1.0 0.0.0.255
              access-list 110 deny   ip 10.0.0.0 0.0.3.255 10.4.0.0 0.0.255.255
              access-list 110 deny   ip 10.200.0.0 0.0.0.255 10.4.0.0 0.0.255.255
              access-list 110 deny   ip host 10.100.0.50 any
              access-list 110 permit ip 10.8.0.0 0.0.0.255 any
              access-list 110 permit udp host 10.7.1.2 any eq ntp
              access-list 110 permit ip 10.42.0.0 0.0.3.255 any
              access-list 110 permit ip 10.0.0.0 0.0.3.255 any
              access-list 110 permit ip 10.100.0.0 0.0.0.255 any
              access-list 110 permit ip 10.200.0.0 0.0.0.255 any
              access-list 110 permit ip host 10.7.0.3 any

              access-list 111 remark Static NAT List
              access-list 111 deny   ip host 10.7.0.2 192.168.204.0 0.0.0.255
              access-list 111 deny   ip host 10.7.0.1 192.168.204.0 0.0.0.255
              access-list 111 deny   ip 10.9.0.0 0.0.0.255 10.1.0.0 0.0.0.255
              access-list 111 deny   ip 10.9.0.0 0.0.0.255 10.9.1.0 0.0.0.255
              access-list 111 deny   ip 10.9.0.0 0.0.0.255 10.4.0.0 0.0.255.255
              access-list 111 permit ip host 10.7.0.2 any
              access-list 111 permit ip 10.9.0.0 0.0.0.255 any
              access-list 111 permit ip 10.10.0.0 0.0.0.255 any

              access-list 112 remark Inside to Site B NAT
              access-list 112 permit ip 10.0.0.0 0.0.3.255 192.168.204.0 0.0.0.255
              access-list 112 permit ip 10.200.0.0 0.0.0.255 192.168.204.0 0.0.0.255
              access-list 112 permit ip 10.42.0.0 0.0.3.255 192.168.204.0 0.0.0.255
              access-list 112 deny   ip any any

              access-list 120 remark INBOUND RULES
              access-list 120 remark P2P-VPN
              access-list 120 permit esp any any
              access-list 120 permit udp any eq isakmp any eq isakmp
              access-list 120 remark ICMP_&_Established-TCP
              access-list 120 permit tcp any any established
              access-list 120 permit icmp any any echo
              access-list 120 permit icmp any any echo-reply
              access-list 120 deny   icmp any host 1.1.1.1 packet-too-big
              access-list 120 permit icmp any any ttl-exceeded
              access-list 120 permit icmp any any unreachable
              access-list 120 remark VPN
              access-list 120 permit udp any host 1.1.1.1 eq 1194
              access-list 120 permit tcp any host 1.1.1.1 eq 22
              access-list 120 remark SCP
              access-list 120 permit tcp any host 1.1.1.1 eq 22
              access-list 120 remark Jabber
              access-list 120 permit tcp any host 1.1.1.1  eq 5222
              access-list 120 permit tcp any host 1.1.1.1 eq 5269
              access-list 120 remark Mail
              access-list 120 permit tcp any host 1.1.1.1 eq pop3
              access-list 120 permit tcp any host 1.1.1.1 eq smtp
              access-list 120 remark Tyrus
              access-list 120 permit tcp any host 1.1.1.1 eq 443
              access-list 120 permit tcp any host 1.1.1.1 eq pop3
              access-list 120 permit tcp any host 1.1.1.1 eq smtp
              access-list 120 permit tcp any host 1.1.1.1 eq 995
              access-list 120 permit tcp any host 1.1.1.1 eq 587
              access-list 120 permit tcp any host 1.1.1.1 eq 443
              access-list 120 remark Web
              access-list 120 permit tcp any host 1.1.1.1 eq 443
              access-list 120 remark Cumulus
              access-list 120 permit tcp any host 1.1.1.1 eq 443
              access-list 120 permit tcp any host 1.1.1.1 eq www
              access-list 120 remark Video Conference
              access-list 120 permit tcp any host 1.1.1.1 eq 1720
              access-list 120 permit tcp any host 1.1.1.1 range 3230 3235
              access-list 120 permit udp any host 1.1.1.1 eq 1720
              access-list 120 permit udp any host 1.1.1.1 170.25.140 eq 1719
              access-list 120 permit udp any host 1.1.1.1 range 3230 3253
              access-list 120 permit udp any host 1.1.1.1 eq ntp
              access-list 120 remark tsg
              access-list 120 permit tcp any host 1.1.1.1 eq 443


              access-list 180 remark WAN Fail Test
              access-list 180 deny   ip host 10.7.0.2 host 1.1.1.1
              access-list 180 deny   icmp host 10.7.0.2 host 1.1.1.1 echo
              access-list 180 permit ip any any

              access-list 190 remark to VoIP
              access-list 190 permit udp any any range 49152 49248
              access-list 190 permit tcp any any range 1719 1720
              access-list 190 permit tcp any any eq 10025
              access-list 190 permit udp any any eq 10025

                • Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57

                  Looking through this now.  Thanks for your patience!

                    • Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57

                      Can you help me understand what this line is doing?

                      access-list 120 permit udp any host 1.1.1.1 170.25.140 eq 1719

                      The Cisco devices I'm testing against don't like it.

                        • Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57
                          rmaxam

                          Yes... sorry, that was a typo from my 'editing' of the ACL prior to posting.

                          The line should look like:

                          access-list 120 permit udp any host 1.1.1.1 eq 1719

                          where 1.1.1.1 would otherwise represent a public IP on our network.  Thanks for your help!

                          Ron

                            • Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57

                              I have a fix for you.  The attached zip file has a couple of XML files in it, Grammar.xml and extended_acl.xml.  Replace the files at C:\Program Files\SolarWinds\Toolset\Grammar\ with the attached files.  Be sure to back up the existing files, and restart Workspace Studio.  Please post back and let me know if this gives you the behavior you expect.

                              Thanks!

                                • Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57
                                  rmaxam

                                   Thanks Floyd, I'll take a look at it.  Would this 'fix' perhaps also resolve a similar issue with 'named' acls?

                                  I didn't send you a sample of that scenario, but I did mention it briefly in my initial post.   - Regards,  Ron

                                    • Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57

                                      My suspicion is that the same thing that was preventing recognition of the posted sample ACLs is responsible for the named ACLs not being recognized.  If not, let me know (preferably with a sample =) ) and I'll investigate further.

                                        • Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57
                                          rmaxam

                                           Initial testing using the 'numbered' acl method appears to be working now.  However, when the same access-lists are configured as named, there are still some issues.

                                          Below is a <show all acl text> for the same ACLs, but as named ACLs... most of the output is missing:

                                          -----------------------------------------snip---------------------------------------

                                          ip access-list extended canada-crypto
                                          ip access-list extended donorware-crypto
                                           permit ip 10.7.0.0 0.0.0.255 192.168.204.0 0.0.0.255
                                           permit ip 10.9.0.0 0.0.0.255 192.168.204.0 0.0.0.255
                                          ip access-list extended donorware-nat
                                          ip access-list extended dynamic-nat
                                          ip access-list extended inbound-rules
                                          ip access-list extended india-crypto
                                          ip access-list extended static-nat
                                          ip access-list extended test-tcp
                                           deny   ip host 10.7.0.2 host 1.1.1.1
                                           deny   icmp host 10.7.0.2 host 1.1.1.1 echo
                                           permit ip any any
                                          ip access-list extended voip

                                          --------------------------------------------- snip -----------------------------------------

                                          And the configuration is:

                                          ip access-list extended canada-crypto
                                           remark US to Canada
                                           permit ip 10.9.0.0 0.0.0.255 10.1.0.0 0.0.0.255
                                           permit ip 10.0.0.0 0.0.3.255 10.1.0.0 0.0.0.255
                                           permit ip 10.0.0.0 0.0.3.255 10.9.1.0 0.0.0.255
                                           permit ip 10.9.0.0 0.0.0.255 10.9.1.0 0.0.0.255
                                           permit ip 10.200.0.0 0.0.0.255 10.1.0.0 0.0.0.255
                                           permit ip 10.200.0.0 0.0.0.255 10.9.1.0 0.0.0.255
                                          ip access-list extended donorware-crypto
                                           permit ip 10.7.0.0 0.0.0.255 192.168.204.0 0.0.0.255
                                           permit ip 10.9.0.0 0.0.0.255 192.168.204.0 0.0.0.255
                                          ip access-list extended donorware-nat
                                           remark Private Vendor NAT
                                           permit ip 10.0.0.0 0.0.3.255 192.168.204.0 0.0.0.255
                                           permit ip 10.200.0.0 0.0.0.255 192.168.204.0 0.0.0.255
                                           permit ip 10.42.0.0 0.0.3.255 192.168.204.0 0.0.0.255
                                           deny   ip any any
                                          ip access-list extended dynamic-nat
                                           remark Dynamic NAT List
                                           deny   ip 10.200.0.0 0.0.0.255 192.168.204.0 0.0.0.255
                                           deny   ip 10.42.0.0 0.0.3.255 192.168.204.0 0.0.0.255
                                           deny   ip 10.0.0.0 0.0.3.255 192.168.204.0 0.0.0.255
                                           deny   ip 10.200.0.0 0.0.0.255 10.1.0.0 0.0.0.255
                                           deny   ip 10.100.0.0 0.0.0.255 10.1.0.0 0.0.0.255
                                           deny   ip 10.0.0.0 0.0.3.255 10.1.0.0 0.0.0.255
                                           deny   ip 10.200.0.0 0.0.0.255 10.9.1.0 0.0.0.255
                                           deny   ip 10.100.0.0 0.0.0.255 10.9.1.0 0.0.0.255
                                           deny   ip 10.0.0.0 0.0.3.255 10.9.1.0 0.0.0.255
                                           deny   ip 10.0.0.0 0.0.3.255 10.4.0.0 0.0.255.255
                                           deny   ip 10.200.0.0 0.0.0.255 10.4.0.0 0.0.255.255
                                           deny   ip host 10.100.0.50 any
                                           permit ip 10.8.0.0 0.0.0.255 any
                                           permit udp host 10.7.1.2 any eq ntp
                                           permit ip 10.42.0.0 0.0.3.255 any
                                           permit ip 10.0.0.0 0.0.3.255 any
                                           permit ip 10.100.0.0 0.0.0.255 any
                                           permit ip 10.200.0.0 0.0.0.255 any
                                           permit ip host 10.7.0.3 any
                                          ip access-list extended inbound-rules
                                           remark P2P-VPN
                                           permit esp any any
                                           permit udp any eq isakmp any eq isakmp
                                           remark ICMP_&_Established-TCP
                                           permit tcp any any established
                                           permit icmp any any echo
                                           permit icmp any any echo-reply
                                           deny   icmp any host 1.1.1.1 packet-too-big
                                           permit icmp any any ttl-exceeded
                                           permit icmp any any unreachable
                                           remark VPN
                                           permit udp any host 1.1.1.1 eq 1194
                                           permit tcp any host 1.1.1.1 eq 22
                                           remark SCP
                                           permit tcp any host 1.1.1.1 eq 22
                                           remark Jabber
                                           permit tcp any host 1.1.1.1 eq 5222
                                           permit tcp any host 1.1.1.1 eq 5269
                                           remark Mail
                                           permit tcp any host 1.1.1.1 eq pop3
                                           permit tcp any host 1.1.1.1 eq smtp
                                           remark host A
                                           permit tcp any host 1.1.1.1 eq 443
                                           permit tcp any host 1.1.1.1 eq pop3
                                           permit tcp any host 1.1.1.1 eq smtp
                                           permit tcp any host 1.1.1.1 eq 995
                                           permit tcp any host 1.1.1.1 eq 587
                                           permit tcp any host 1.1.1.1 eq 443
                                           remark Webnet
                                           permit tcp any host 1.1.1.1 eq 443
                                           remark Cumulus
                                           permit tcp any host 1.1.1.1 eq 443
                                           permit tcp any host 1.1.1.1 eq www
                                           remark Conference
                                           permit tcp any host 1.1.1.1 eq 1720
                                           permit tcp any host 1.1.1.1 range 3230 3235
                                           permit udp any host 1.1.1.1 eq 1720
                                           permit udp any host 1.1.1.1 eq 1719
                                           permit udp any host 1.1.1.1 range 3230 3253
                                           permit udp any host 1.1.1.1 eq ntp
                                           permit tcp any host 1.1.1.1 eq 443
                                          ip access-list extended india-crypto
                                           remark US to India
                                           permit ip 10.0.0.0 0.0.3.255 10.4.0.0 0.0.255.255
                                           permit ip 10.200.0.0 0.0.0.255 10.4.0.0 0.0.255.255
                                          ip access-list extended static-nat
                                           remark static-nat List
                                           deny   ip host 10.7.0.2 192.168.204.0 0.0.0.255
                                           deny   ip host 10.7.0.1 192.168.204.0 0.0.0.255
                                           deny   ip 10.9.0.0 0.0.0.255 10.1.0.0 0.0.0.255
                                           deny   ip 10.9.0.0 0.0.0.255 10.9.1.0 0.0.0.255
                                           deny   ip 10.9.0.0 0.0.0.255 10.4.0.0 0.0.255.255
                                           permit ip host 10.7.0.2 any
                                           permit ip 10.9.0.0 0.0.0.255 any
                                           permit ip 10.10.0.0 0.0.0.255 any
                                          ip access-list extended test-tcp
                                           deny   ip host 10.7.0.2 host 1.1.1.1
                                           deny   icmp host 10.7.0.2 host 1.1.1.1 echo
                                           permit ip any any
                                          ip access-list extended voip
                                           remark to VoIP
                                           permit udp any any range 49152 49248
                                           permit tcp any any range 1719 1720
                                           permit tcp any any eq 10025
                                           permit udp any any eq 10025
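The three failure modes in this thread (numbered ACLs with groups or entries silently skipped, named ACLs whose bodies are mostly dropped from "show all acl", and one line the vendor's test devices rejected) all come down to how a tool tokenizes IOS ACL text. What follows is an added example, not SolarWinds code and not the poster's: a small Python parser for extended numbered and named ACLs that groups entries per ACL, flags any entry the extended-ACE grammar would reject, and diffs the running config against a second listing to show exactly which entries that listing drops. The sample config and listing are constructed, modelled on the ACLs posted above; only the extended form (permit/deny proto src dst) is handled, and the trailing-keyword check is a simplified approximation of the IOS grammar, not a full implementation of it.

```python
"""Parse Cisco IOS numbered and named extended ACLs from plain config text.

Added example (not SolarWinds or the poster's code). Groups entries per ACL,
flags entries that do not fit the extended-ACE grammar, and reports which
entries a second listing (e.g. a tool's "show all acl" output) fails to show.
"""
import ipaddress
import re

NUMBERED_RE = re.compile(r"^access-list\s+(\d+)\s+(.+)$")
NAMED_RE = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)$")
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}   # op -> operand count
KEYWORD_RE = re.compile(r"^[a-z][a-z0-9-]*$")   # established, log, icmp type names, ...


def _is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:       # e.g. "170.25.140" has only three octets
        return False


def _take_addr(tokens, i):
    """Consume one address spec ('any', 'host A', or 'A wildcard'); return next index."""
    if i < len(tokens) and tokens[i] == "any":
        return i + 1
    if i + 1 < len(tokens) and tokens[i] == "host" and _is_ipv4(tokens[i + 1]):
        return i + 2
    if i + 1 < len(tokens) and _is_ipv4(tokens[i]) and _is_ipv4(tokens[i + 1]):
        return i + 2
    raise ValueError("bad address spec at token %d" % i)


def _take_port(tokens, i):
    """Consume an optional port qualifier (eq/neq/gt/lt X, range A B); return next index."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]]
        if i + n >= len(tokens):
            raise ValueError("truncated port qualifier")
        return i + 1 + n
    return i


def validate_entry(entry):
    """Return None if an extended ACE (or remark) parses, otherwise a reason string."""
    tokens = entry.split()
    if tokens[0] == "remark":
        return None
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        return "expected permit|deny <proto> <src> <dst>"
    try:
        i = _take_addr(tokens, 2)        # tokens[1] is the protocol
        i = _take_port(tokens, i)        # optional source port
        i = _take_addr(tokens, i)
        i = _take_port(tokens, i)        # optional destination port
    except ValueError as exc:
        return str(exc)
    # Anything left must be a bare keyword (established, log, echo-reply, ...).
    stray = [t for t in tokens[i:] if not KEYWORD_RE.match(t)]
    return "unexpected token(s): %s" % " ".join(stray) if stray else None


def parse_acls(text):
    """Return (groups, problems): groups maps ACL name/number -> entry strings with
    whitespace normalised; problems lists (name, entry, reason) for malformed entries."""
    groups, problems, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NAMED_RE.match(line)
        if m:                                  # header of a named ACL; body follows
            current = m.group(1)
            groups.setdefault(current, [])
            continue
        m = NUMBERED_RE.match(line)
        if m:                                  # numbered entries carry their own group
            current = None
            name, entry = m.group(1), m.group(2)
        elif current is not None:              # indented body line of a named ACL
            name, entry = current, line
        else:
            continue                           # separators, prompts, other config
        entry = " ".join(entry.split())
        groups.setdefault(name, []).append(entry)
        reason = validate_entry(entry)
        if reason:
            problems.append((name, entry, reason))
    return groups, problems


def missing_entries(config_text, listing_text):
    """Entries present in the config but absent from the listing, keyed by ACL."""
    cfg, _ = parse_acls(config_text)
    shown, _ = parse_acls(listing_text)
    missing = {}
    for name, entries in cfg.items():
        gone = [e for e in entries if e not in shown.get(name, [])]
        if gone:
            missing[name] = gone
    return missing


# Constructed sample config, modelled on the thread's ACLs (not the poster's real data).
CONFIG = """
access-list 102 remark US to Site B-crypto
access-list 102 permit ip 10.7.0.0 0.0.0.255 192.168.204.0 0.0.0.255
access-list 120 permit udp any eq isakmp any eq isakmp
access-list 120 permit udp any host 1.1.1.1 170.25.140 eq 1719
access-list 120 permit tcp any any established
ip access-list extended test-tcp
 deny   ip host 10.7.0.2 host 1.1.1.1
 deny   icmp host 10.7.0.2 host 1.1.1.1 echo
 permit ip any any
ip access-list extended voip
 remark to VoIP
 permit udp any any range 49152 49248
"""

# Constructed listing, shaped like the incomplete "show all acl" output in the thread.
LISTING = """
access-list 102 permit ip 10.7.0.0 0.0.0.255 192.168.204.0 0.0.0.255
ip access-list extended test-tcp
 deny   ip host 10.7.0.2 host 1.1.1.1
 deny   icmp host 10.7.0.2 host 1.1.1.1 echo
 permit ip any any
ip access-list extended voip
"""

if __name__ == "__main__":
    groups, problems = parse_acls(CONFIG)
    for name, entries in groups.items():
        print("%s: %d entries" % (name, len(entries)))
    for name, entry, reason in problems:
        print("malformed in %s: %r (%s)" % (name, entry, reason))
    for name, gone in missing_entries(CONFIG, LISTING).items():
        print("listing drops from %s: %s" % (name, gone))
```

Because both sides are normalised through the same parser, the diff is insensitive to the three-space padding IOS puts after "deny" and to the forum's indentation; any non-empty result from `missing_entries` is a concrete list of ACEs the tool would have hidden from whoever is reviewing the device's filtering policy, which is the risk behind the thread's complaint.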

                          • Re: Cisco ACL Editor Peculiarities in Workspace Studio 4.10.0.57
                            fcaron

                            We just introduced a new product which should help: FSM, Firewall Security Manager, more here