Velocity Reviews > Newsgroups > Computing > Cisco > Best Way to Organize ACL on PIX

Best Way to Organize ACL on PIX

 
 
Matt
      07-09-2004
Hi,
What's the best way to keep a rather large ACL on a PIX organized? It's
quickly becoming disorganized as we add additional rules and things are
very hard to keep straight. Is there a way to put comments in?
 
Walter Roberson
      07-09-2004
In article <(E-Mail Removed)>, Matt <(E-Mail Removed)> wrote:
:What's the best way to keep a rather large ACL on a PIX organized? It's
:quickly becoming disorganized as we add additional rules and things are
:very hard to keep straight. Is there a way to put comments in?

Two forms of comments are normally available:

1) Within an access-list, you can use a "remark" 'up to 100 characters
in length'. I don't know if it's still an issue, but it used to be the
case that your remarks had to all be unique, as otherwise the PIX
would detect the second line as being a duplicate and would eliminate it.

2) For each object-group, you can add a "description".

If you are not using object-groups now, then I recommend that you
start: the grouping abilities they give can really help clean up
a configuration.


At my site, we use a third, unsupported mechanism. What we do is
treat a file on a tftp server as being the "master" configuration
file, and we sprinkle comments through that liberally, using colons
(':') at the beginning of the line to mark the comment. We then
use "config net" to import the configuration into the PIX. The
PIX will throw away all of these comments in its running configuration
so they will NOT show up if you "show running", so if we need to
work with the configuration, we refer back to the master configuration
file. [In practice, using this approach requires some additional
tricks; I have described the tricks in past postings. If you
google on my name within this newsgroup and search for the key
phrase "config net" then you will find those past postings.]

--
Oh, to be a Blobel!
 
 
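A pre-flight check for the master-file approach described in the post above (an added example, not from the thread and not Cisco's code). It strips the ':' and '!' comment lines the way "configure net" prunes them, so you can see exactly what will survive into the running configuration, and it flags the two remark problems mentioned above (a remark text used twice in one ACL, and a remark over 100 characters) plus object-groups that carry no description. The sample master file, the group names and the ACL name are constructed; the comment syntax, the 100-character limit and the duplicate-remark behaviour are the ones stated in the thread and in the Cisco documentation quoted at the end of it.

```python
"""Pre-flight check for a PIX "master" configuration kept on a TFTP server.

Constructed example, not from the thread or from Cisco. It assumes the
6.3-era behaviour described in the thread: lines beginning with ':' or '!'
are comments that the PIX prunes when the file is loaded with `configure net`,
`access-list <id> remark <text>` is an in-ACL comment of at most 100
characters, and object-groups accept a `description` line.
"""
import re
from collections import Counter

REMARK_MAX = 100  # limit quoted in the thread
REMARK_RE = re.compile(r"^access-list\s+(\S+)\s+(?:line\s+\d+\s+)?remark\s+(.*)$")
OBJ_GROUP_RE = re.compile(r"^object-group\s+(?:network|service|protocol|icmp-type)\s+(\S+)")

# Constructed master file; group and ACL names are made up.  It deliberately
# repeats one remark and leaves one object-group without a description.
MASTER = """\
: master config for fw1 -- edit THIS file, then load it with 'configure net'
: the PIX drops these ':' lines, so they never reach the running config
object-group network WEB_SERVERS
  description public web farm in the DMZ
  network-object host 192.0.2.10
  network-object host 192.0.2.11
object-group service WEB_PORTS tcp
  port-object eq www
  port-object eq https
! ---- inbound from the Internet ----
access-list outside_in remark Web farm: public HTTP/HTTPS
access-list outside_in permit tcp any object-group WEB_SERVERS object-group WEB_PORTS
access-list outside_in remark Web farm: public HTTP/HTTPS
access-list outside_in deny ip any any
access-group outside_in in interface outside
"""


def strip_offline_comments(master_text):
    """Return the lines the PIX keeps: ':' and '!' comment lines are dropped,
    which is what `configure net` does, so the result is what
    `show running-config` will later show."""
    return [line for line in master_text.splitlines()
            if not line.lstrip().startswith((":", "!"))]


def lint(master_text):
    """Return a list of problems that would bite after upload: remarks over
    REMARK_MAX characters, a remark text used twice in the same ACL (an older
    PIX treats the second copy as a duplicate line and silently drops it), and
    object-groups with no description.  Object-group member lines are assumed
    to be indented, as the PIX itself prints them."""
    problems = []
    remarks = Counter()
    current_group = None
    has_description = {}
    for lineno, raw in enumerate(master_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith((":", "!")):
            continue  # offline comment: pruned by the PIX, ignored here
        m = REMARK_RE.match(line)
        if m:
            acl, text = m.groups()
            if len(text) > REMARK_MAX:
                problems.append(f"line {lineno}: remark on {acl} is "
                                f"{len(text)} chars (max {REMARK_MAX})")
            remarks[(acl, text)] += 1
            continue
        g = OBJ_GROUP_RE.match(line)
        if g:
            current_group = g.group(1)
            has_description.setdefault(current_group, False)
            continue
        if current_group and line.startswith("description "):
            has_description[current_group] = True
            continue
        if not raw.startswith((" ", "\t")):
            current_group = None  # back at top level: left the group sub-mode
    for (acl, text), n in remarks.items():
        if n > 1:
            problems.append(f"remark {text!r} on {acl} appears {n} times; "
                            f"an older PIX drops the repeat as a duplicate")
    for name, ok in has_description.items():
        if not ok:
            problems.append(f"object-group {name} has no description")
    return problems


if __name__ == "__main__":
    for p in lint(MASTER):
        print("WARN:", p)
    print("\n".join(strip_offline_comments(MASTER)))
```

Run it against the master file before every "configure net"; the stripped output is what you should expect to see from "show running-config" afterwards, and any WARN line is something the PIX would otherwise accept silently.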
S. Gione
      07-09-2004
I can't remember the version in which it was implemented, but line numbers
and comments have made life much easier (we're using 6.3(3)124). The syntax
is:

access-list <id> [line <line-num>] remark <text>

Besides the comments, you can insert a line in the middle of the list, below
the remark for similar statements.

The "old" method to insert required removal of all list items, insertion of
the new one in an editor, and re-applying the list.


"Matt" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
> What's the best way to keep a rather large ACL on a PIX organized? It's
> quickly becoming DIS-Organzied as we add additional rules and things are
> very hard to keep straight. Is there a way to put comments in?



 
Reply With Quote
 
Matt
      07-09-2004
Yes,
I know about line numbers but I've forgotten how to list them. How do
you list your access-list with numbers?


 
S. Gione
      07-09-2004
sho access-list

I guess it would have been too convenient to display them within sho run
 
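An added example, not from the thread: since "show access-list" is the only place the line numbers appear, a small parser of that output lets you view a large ACL as remark-headed sections and compute the "line N" needed to slot a new rule under the right remark, which is the insertion S. Gione describes above. The sample listing is constructed, and its layout ("access-list <id> line <n> <entry> (hitcnt=<n>)") is the form assumed for 6.3; the check for rules whose hit counter is still zero goes beyond what the thread discusses but is the kind of cleanup aid that keeps a big ACL from sprawling.

```python
"""Work with the line-numbered `show access-list` listing of a PIX ACL.

Constructed example, not from the thread. The listing below is made up and
its layout (`access-list <id> line <n> <entry> (hitcnt=<n>)`, remarks without
a counter) is the form assumed for PIX 6.3; adjust LINE_RE if your release
prints it differently.
"""
import re

SHOW_ACCESS_LIST = """\
access-list outside_in line 1 remark Web farm: public HTTP/HTTPS
access-list outside_in line 2 permit tcp any host 192.0.2.10 eq www (hitcnt=4821)
access-list outside_in line 3 permit tcp any host 192.0.2.10 eq https (hitcnt=977)
access-list outside_in line 4 remark Mail relay
access-list outside_in line 5 permit tcp any host 192.0.2.25 eq smtp (hitcnt=1203)
access-list outside_in line 6 permit tcp any host 192.0.2.26 eq smtp (hitcnt=0)
access-list outside_in line 7 remark Catch-all
access-list outside_in line 8 deny ip any any (hitcnt=35)
"""

LINE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+(?P<body>.*?)"
    r"(?:\s+\(hitcnt=(?P<hits>\d+)\))?\s*$"
)


def parse_show_access_list(text):
    """Return one dict per numbered line: acl, line, kind ('remark' or 'ace'),
    body (entry text without the counter) and hits (None for remarks).
    Lines without a `line <n>` field (summaries, expansions) are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body, hits = m.group("body"), m.group("hits")
        is_remark = body.startswith("remark ")
        entries.append({
            "acl": m.group("acl"),
            "line": int(m.group("line")),
            "kind": "remark" if is_remark else "ace",
            "body": body[len("remark "):] if is_remark else body,
            "hits": int(hits) if hits is not None else None,
        })
    return entries


def sections(entries, acl):
    """Group the ACEs of one ACL under the remark that precedes them, in
    listing order.  ACEs that appear before any remark land under None."""
    out, current = [], (None, [])
    for e in entries:
        if e["acl"] != acl:
            continue
        if e["kind"] == "remark":
            if current[0] is not None or current[1]:
                out.append(current)
            current = (e["body"], [])
        else:
            current[1].append(e)
    out.append(current)
    return out


def insert_after_section(entries, acl, remark, new_ace):
    """Build the command that makes `new_ace` the last rule of the section
    headed by `remark`.  `access-list <id> line N ...` inserts *at* N and
    pushes the existing line N down, so N is one past the section's last
    line (or the remark's own line when the section is still empty)."""
    for head, aces in sections(entries, acl):
        if head == remark:
            if aces:
                last = aces[-1]["line"]
            else:
                last = next(e["line"] for e in entries if e["acl"] == acl
                            and e["kind"] == "remark" and e["body"] == remark)
            return f"access-list {acl} line {last + 1} {new_ace}"
    raise KeyError(f"no remark {remark!r} in {acl}")


def unused_aces(entries, acl):
    """ACEs whose hit counter is zero: removal candidates during cleanup, once
    you are sure the counters have been running long enough to be meaningful."""
    return [e for e in entries
            if e["acl"] == acl and e["kind"] == "ace" and e["hits"] == 0]


if __name__ == "__main__":
    ents = parse_show_access_list(SHOW_ACCESS_LIST)
    for head, aces in sections(ents, "outside_in"):
        print(f"[{head}]")
        for a in aces:
            print(f"  line {a['line']}: {a['body']}  hits={a['hits']}")
    print(insert_after_section(ents, "outside_in", "Mail relay",
                               "permit tcp any host 192.0.2.27 eq smtp"))
    print("never matched:", [a["line"] for a in unused_aces(ents, "outside_in")])
```

Paste the real "show access-list <id>" output into SHOW_ACCESS_LIST (or read it from a file) and the generated command lands the new rule directly under the remark it belongs to, instead of at the bottom of the list where it will be hard to find later.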
Walter Roberson
      07-09-2004
In article <(E-Mail Removed)>,
Matt <(E-Mail Removed)> wrote:
:I know about line numbers but I've forgotten how to list them. How do
:you list your access-list with numbers?

show access-list XXXXX
--
Disobey all self-referential sentences!
 
 
Pat Donlon
      07-12-2004

You can also use object groups to organise your ACLs. Once set up, it
makes changes easier as you just edit the port list or network
addresses. Also you can use grep in 6.3(3) on show access-list which
makes searching very easy.

Cheers
Pat
 
 
Walter Roberson
      07-12-2004
In article <(E-Mail Removed) >,
Pat Donlon <(E-Mail Removed)> wrote:
:Also you can use grep in 6.3(3) on show access-list which
:makes searching very easy.

A couple of practical hints about using grep and kin on PIX:

- you must always have a space after the | symbol before the verb

- the underscore character is special to PIX grep, so to search for
something containing an underscore, you have to escape it:

show access-list acl-outside | grep my\_pool
--
I was very young in those days, but I was also rather dim.
-- Christopher Priest
 
 
zillah
      01-07-2007
Quote:
The PIX will throw away all of these comments in its running configuration
Thanks, the quote above helps me to understand the quote below:
Quote:
http://www.cisco.com/en/US/products/...html#wp1052750
You can precede a line with a colon ( : ) to create a comment. However, the comment only appears in the command history buffer and not in the configuration. Therefore, you can view the comment with the show history command or by pressing an arrow key to retrieve a previous command, but because the comment is not in the configuration, the write terminal command does not display it.
You can also store configurations with comments preceded by a colon or exclamation mark on a server and then use the configure net [[location]:[filename]] command to load the configuration from a TFTP server to the PIX Firewall. Replace location with the TFTP server name and filename with the configuration file name. The PIX Firewall will prune the comments and they will not be visible in the PIX Firewall configuration listing.
 