I have recently started in a new company as its senior network engineer and have inherited a mess of Access Lists on Cat 6513s / ASAs and PIXs. Some of the ACLs on the 6513 have over 1000+ lines each and there are loads of them, and I know for a fact that they contain duplicate entries or entries that are negated by an ip any any or similar in the middle of the ACL.
So I was wondering if anybody knows of a useful available tool that will take an imported ACL from a text file, for instance, analyse that ACL and highlight any duplicate or negated ACL entries. This would save me the headache of sifting through each ACL line by line. One ACL, for example, has 3000+ lines.
Any help would be appreciated.
Check out this page; there is some analyzing software listed:
Or you can try Notepad++; with a compare plugin you can compare things wonderfully there.
I feel your pain. You might try the GUI (ASDM) to see if that helps parse through the hundreds of lines of rules. It will take a while regardless, but this method might speed up the process as you can click on objects to gather info as opposed to the CLI method. I'm a CLI guy, but sometimes the GUI is faster.
It's my program. Beta version.
So far, only in Russian.
If it is in demand, I will translate it into English in the future.
Cisco Security Manager and Tufin come to mind.
SolarWinds recently discontinued Firewall Security Manager (former Athena Firepac product) which also did a great job at this.
I recently released "Network Mom ACL Analyzer" in the MacOS 10.14 App Store.
It supports analysis of IPv4 security ACLs for the following OS flavors:
1) IOS (without object-groups)
2) IOS-XR (with object-groups)
3) NX-OS (with object-groups)
4) ASA (with network object-groups, but not service object-groups)
It has the following features:
1) ACL syntax check
2) Reports wildcard bits that do not match a proper subnet as an error
3) Warns about CIDRs that are not on a bit boundary
4) Analyzes a specific TCP/UDP socket against an ACL to find lines that match
5) Duplicate ACL detection! Finds lines in the ACL which are a strict superset of later lines.
It can perform a permit/deny analysis of a specific socket against a 50,000-line ACL in under 20 seconds (reasonably sized ACLs are analyzed "instantly").
Duplicate ACL detection takes 3 seconds (on a 2013 iMac) for a 2,000-line ACL. As the number of lines doubles the processing time quadruples (it analyzed a 10,000-line ACL for duplicates in a couple of minutes).
For the security of your ACLs, the tool passed Apple app review and uses Apple's app sandbox and hardened runtime features. The analyzer is not allowed to make or receive network connections. It does not save ACL information between application runs. It can only open files outside the sandbox that the user specifies. Files are always opened read-only. The tool is implemented in the Swift programming language.
CCIE Emeritus #8302
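A small checker for the "strict superset of later lines" idea in this answer and for the asker's "negated by an ip any any" case, as an added example (my own code, not Network Mom ACL Analyzer or anything from the original thread). It assumes plain IOS named-ACL syntax and a constructed sample ACL; `find_shadowed`, `covers` and `parse_ace` are names I chose.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample in IOS named-ACL syntax (not a real configuration).
SAMPLE_ACL = """\
remark constructed sample, not a real configuration
permit tcp 10.1.0.0 0.0.255.255 any eq 22
permit tcp host 10.1.2.3 any eq 22
deny ip any any
permit udp 192.168.0.0 0.0.0.255 host 10.9.9.9 eq 53
"""

# dport None means "any destination port"
Ace = NamedTuple("Ace", [("line", int), ("action", str), ("proto", str),
                         ("src", ipaddress.IPv4Network), ("dst", ipaddress.IPv4Network),
                         ("dport", Optional[int])])

def _parse_addr(tokens: List[str]):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # A wildcard is an inverted netmask; a non-contiguous one such as 0.0.255.0
    # has no CIDR equivalent, and ip_network() rejects it with ValueError.
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_ace(lineno: int, text: str) -> Optional[Ace]:
    """Parse 'permit|deny PROTO SRC DST [eq PORT]'; remarks/blank lines give None.
    Source-port operators and 'range' are out of scope for this illustration."""
    tokens = text.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        return None
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return Ace(lineno, tokens[0], tokens[1].lower(), src, dst, dport)

def covers(a: Ace, b: Ace) -> bool:
    """True when every packet matching b also matches a (a is a superset of b)."""
    return ((a.proto == "ip" or a.proto == b.proto) and (a.dport is None or a.dport == b.dport)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))

def find_shadowed(acl_text: str) -> List[Tuple[int, int, str]]:
    """(line, shadowing_line, kind) for each ACE no packet can reach: 'duplicate'
    when the earlier line has the same action, 'negated' when it differs."""
    aces = [a for a in (parse_ace(n, l) for n, l in enumerate(acl_text.splitlines(), 1)) if a]
    findings = []
    for j, later in enumerate(aces):
        for earlier in aces[:j]:  # first match wins, so only earlier lines matter
            if covers(earlier, later):
                kind = "duplicate" if earlier.action == later.action else "negated"
                findings.append((later.line, earlier.line, kind))
                break
    return findings
```

On the sample, line 3 is reported as a duplicate of line 2 and line 5 as negated by the deny ip any any on line 4; a pairwise scan like this is quadratic in the number of lines, which matches the doubling/quadrupling behaviour described above.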