[c-nsp] ACL Analysers

Sam Stickland sam_mailinglists at spacething.org
Thu Jun 1 06:52:58 EDT 2006


Hi all,

I've had the response below, which looks like they'll work really well with
IOS ACLs. Does anybody know of anything that will work with PIX ACLs?

If not, it doesn't look like it would be too much effort to write a script
that would convert PIX ACLs to IOS ACLs (reverse the subnet mask, and expand
the object groups).

S
________________________________________
From: [NAME REMOVED AS RECEIVED OFF LIST] 
Sent: 30 May 2006 15:35
To: Sam Stickland
Subject: Re: [c-nsp] ACL Analysers

I've found Kim Oldfield's scripts very useful for doing exactly what you
need.
 
http://oldfield.wattle.id.au/programs/cisco/

 
On 5/30/06, Sam Stickland <sam_mailinglists at spacething.org> wrote: 
Hi,

I'm after a tool (GPL preferred, but commercial is OK) that can take PIX
style ACLs (IOS style ACLs would be an added bonus) and let me know: 

a) Which rules are in conflict/redundant (e.g. "Line 13: 'permit tcp host
1.2.3.4 any' is obscured by Line 34: 'permit ip any any'")

b) Which lines in an ACL would be matched, given a particular 
source/destination pair.

Sam

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
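
The PIX-to-IOS conversion suggested at the top of this message (invert the subnet mask, expand the object groups), sketched as an added example that is not part of the original thread or of the linked scripts. It assumes netmask-style PIX rules with only `object-group network` groups, no nested groups and no source-port operators; the function names and the sample config are constructed for illustration.

```python
import ipaddress
from itertools import product
# Constructed sample PIX config (not from the thread).
SAMPLE_PIX = """\
object-group network WEB_SERVERS
 network-object host 192.168.1.10
 network-object 192.168.2.0 255.255.255.0
access-list outside_in permit tcp 10.1.0.0 255.255.0.0 object-group WEB_SERVERS eq 80
access-list outside_in deny ip any any
"""

def wildcard(netmask):
    """Invert a dotted netmask into an IOS wildcard mask."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF))

def parse_groups(config):
    """Collect network object-groups as {name: [IOS address spec, ...]}."""
    groups, current = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif tok[:1] == ["network-object"] and current is not None:
            spec = tok[1:3]
            current.append(" ".join(spec) if spec[0] == "host" else f"{spec[0]} {wildcard(spec[1])}")
        elif not line.startswith(" "):
            current = None  # left the object-group block
    return groups

def take_address(tok, groups):
    """Pop one address spec off tok and return its IOS alternatives."""
    head = tok.pop(0)
    if head == "any":
        return ["any"]
    if head == "host":
        return [f"host {tok.pop(0)}"]
    if head == "object-group":
        return groups[tok.pop(0)]  # KeyError on an undefined group is intentional
    return [f"{head} {wildcard(tok.pop(0))}"]

def pix_to_ios(config):
    """Return IOS extended ACL entries, one per expanded PIX rule."""
    groups, out = parse_groups(config), []
    for line in config.splitlines():
        tok = [t for t in line.split() if t != "extended"]  # PIX 7.x keyword
        if tok[:1] != ["access-list"] or len(tok) < 6 or tok[2] not in ("permit", "deny"):
            continue
        rest = tok[4:]
        srcs, dsts = take_address(rest, groups), take_address(rest, groups)
        out.extend(" ".join([tok[2], tok[3], s, d, *rest]) for s, d in product(srcs, dsts))
    return out
```

Each returned string is the body of an IOS extended ACL entry, in the original rule order, so first-match semantics are preserved when the output is fed to an IOS ACL analyser.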




