05-24-2012 03:18 AM - edited 02-21-2020 04:39 AM
Hi All,
I have recently started in a new company as its senior network engineer and have inherited a mess of access lists on Cat 6513s / ASAs and PIXs. Some of the ACLs on the 6513 have over 1000 lines each and there are loads of them, and I know for a fact that they contain duplicate entries or entries that are negated by an ip any any or similar in the middle of the ACL.
So I was wondering if anybody knows of a useful available tool that will take an ACL imported from a text file, for instance, analyse that ACL and highlight any duplicate or negated ACL entries. This would save me the headache of sifting through each ACL line by line. One ACL, for example, has 3000+ lines.
Any Help would be appreciated.
Thanks
05-29-2012 03:48 AM
Hi
The most useful available tool is 2 notepads on 2 different monitors.
Don't forget to rate the post.
05-31-2012 03:05 AM
Check out this page; there is some analysis software listed:
http://www.filebuzz.com/findsoftware/Access_List_Analyzer/1.html
Or you can try Notepad++; with a compare plugin you can compare things wonderfully.
11-14-2017 09:16 AM
I feel your pain. You might try the GUI (ASDM) to see if that helps parse through the hundreds of lines of rules. It will take a while regardless, but this method might speed up the process as you can click on objects to gather info as opposed to the CLI method. I'm a CLI guy, but sometimes the GUI is faster.
04-26-2018 10:39 PM
https://www.youtube.com/watch?v=G-Pk4mt-3eg
It's my program. Beta version.
So far, only in Russian.
If it is in demand, I will translate it into English in the future.
04-27-2018 07:54 AM
Cisco Security Manager and Tufin come to mind.
https://www.tufin.com/solutions/firewall-optimization
SolarWinds recently discontinued Firewall Security Manager (former Athena Firepac product) which also did a great job at this.
07-27-2019 05:29 PM - edited 07-27-2019 05:31 PM
I recently released "Network Mom ACL Analyzer" in the MacOS 10.14 App Store.
It supports analysis of IPv4 security ACLs for the following OS flavors:
1) IOS (without object-groups)
2) IOS-XR (with object-groups)
3) NX-OS (with object-groups)
4) ASA (with network object-groups, but not service object-groups)
It has the following features:
1) ACL syntax check
2) Reports wildcard bits that do not match a proper subnet as an error
3) Warns about CIDRs that are not on a bit boundary
4) Analyzes a specific TCP/UDP socket against an ACL to find lines that match
5) Duplicate ACL detection! Finds lines in the ACL which are a strict superset of later lines.
It can perform a permit/deny analysis of a specific socket against a 50,000-line ACL in under 20 seconds (reasonably sized ACLs are analyzed "instantly").
Duplicate ACL detection takes 3 seconds (on a 2013 iMac) for a 2,000-line ACL. As the number of lines doubles the processing time quadruples (it analyzed a 10,000-line ACL for duplicates in a couple of minutes).
For the security of your ACLs, the tool passed Apple app review and uses Apple's app sandbox and hardened runtime features. The analyzer is not allowed to make or receive network connections. It does not save ACL information between application runs. It can only open files outside the sandbox that the user specifies. Files are always opened read-only. The tool is implemented in the Swift programming language.
Darrell
CCIE Emeritus #8302
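For readers who want to see what the "strict superset of later lines" check described above actually involves, here is an added Python example; it is not Network Mom ACL Analyzer's code, nor anything from the original poster, and it handles only IOS-style extended ACLs (named or numbered), with `eq` as the only port operator. The sample ACL embedded in it is constructed for the demonstration. It parses each ACE into protocol, source, destination and ports, rejects wildcard masks that are not proper subnet masks (the original question's "negated" entries and this thread's feature 2), and then reports every later line that an earlier line fully covers, distinguishing a redundant duplicate (same action) from an unreachable line (opposite action).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords IOS prints instead of numbers (a small subset; extend as needed)
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
              "www": 80, "https": 443}

@dataclass
class Ace:
    line_no: int
    text: str
    action: str                      # permit | deny
    proto: str                       # ip | tcp | udp | icmp ...
    src: ipaddress.IPv4Network
    sport: Optional[int]             # None means "any source port"
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means "any destination port"

def wildcard_to_prefix(wildcard: str) -> int:
    """Convert an IOS wildcard mask to a prefix length; reject non-contiguous masks."""
    w = int(ipaddress.IPv4Address(wildcard))
    host_bits = w.bit_length()
    if w != (1 << host_bits) - 1:    # e.g. 0.0.255.0 cannot be expressed as a CIDR
        raise ValueError(f"wildcard {wildcard} is not a proper subnet mask")
    return 32 - host_bits

def _addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' or 'A.B.C.D/len' at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if "/" in tok:
        return ipaddress.ip_network(tok, strict=False), i + 1
    prefix = wildcard_to_prefix(tokens[i + 1])
    return ipaddress.ip_network(f"{tok}/{prefix}", strict=False), i + 2

def _port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <port>'; gt/lt/range are not supported in this example."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_acl(config: str) -> Tuple[List[Ace], List[str]]:
    """Parse extended ACL text; trailing keywords such as 'log' or 'established' are ignored."""
    entries, errors = [], []
    for n, raw in enumerate(config.splitlines(), 1):
        tokens = raw.split()
        if not tokens or "remark" in tokens[:3]:
            continue
        idx = next((k for k, t in enumerate(tokens) if t in ("permit", "deny")), None)
        if idx is None:
            continue                 # header lines such as 'ip access-list extended NAME'
        body = tokens[idx:]          # drops 'access-list 101' or sequence-number prefixes
        try:
            action, proto = body[0], body[1]
            src, k = _addr(body, 2)
            sport, k = _port(body, k)
            dst, k = _addr(body, k)
            dport, k = _port(body, k)
            entries.append(Ace(n, raw.strip(), action, proto, src, sport, dst, dport))
        except (ValueError, KeyError, IndexError) as exc:
            errors.append(f"line {n}: cannot parse '{raw.strip()}' ({exc})")
    return entries, errors

def covers(earlier: Ace, later: Ace) -> bool:
    """True when every packet matched by `later` is already matched by `earlier`."""
    proto_ok = earlier.proto == "ip" or earlier.proto == later.proto
    sport_ok = earlier.sport is None or earlier.sport == later.sport
    dport_ok = earlier.dport is None or earlier.dport == later.dport
    return (proto_ok and sport_ok and dport_ok
            and later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst))

def find_shadowed(entries: List[Ace]) -> List[Tuple[int, int, str]]:
    """O(n^2) scan: report the first earlier ACE that fully covers each later ACE.
    Returns (shadowed_line, shadowing_line, kind): 'duplicate' when the actions agree
    (the later line is redundant), 'unreachable' when they differ (it never takes effect)."""
    findings = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            if covers(earlier, later):
                kind = "duplicate" if earlier.action == later.action else "unreachable"
                findings.append((later.line_no, earlier.line_no, kind))
                break
    return findings

# Constructed sample: line 5 is negated by the 'permit ip any any' above it, line 6
# repeats what line 3 already allows, and line 7 uses a non-contiguous wildcard.
SAMPLE_ACL = """\
ip access-list extended EDGE-IN
 remark constructed sample, not a real configuration
 permit tcp 10.0.0.0 0.255.255.255 host 192.0.2.10 eq 443
 permit ip any any
 deny tcp any host 192.0.2.10 eq 23
 permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.10 eq 443
 permit udp 10.1.0.0 0.0.255.0 any eq 53
"""

if __name__ == "__main__":
    aces, problems = parse_acl(SAMPLE_ACL)
    for shadowed, by, kind in find_shadowed(aces):
        print(f"line {shadowed} is {kind}: fully covered by line {by}")
    for problem in problems:
        print("error:", problem)
```

Run it against a saved `show running-config` excerpt instead of `SAMPLE_ACL` to get the same report for a real ACL. Because the scan is quadratic, a 10,000-line ACL takes on the order of a hundred times longer than a 1,000-line one, which matches the scaling behaviour described in the post above; for ACLs of the size in the original question that is still a matter of seconds in plain Python.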