Best Way to Organize ACL on PIX

Discussion in 'Cisco' started by Matt, Jul 9, 2004.

  1. Matt

    Matt Guest

    Hi,
    What's the best way to keep a rather large ACL on a PIX organized? It's
    quickly becoming DIS-Organized as we add additional rules and things are
    very hard to keep straight. Is there a way to put comments in?
     
    Matt, Jul 9, 2004
    #1

  2. In article <>, Matt <> wrote:
    :What's the best way to keep a rather large ACL on a PIX organized? It's
    :quickly becoming DIS-Organized as we add additional rules and things are
    :very hard to keep straight. Is there a way to put comments in?

    Two forms of comments are normally available:

    1) Within an access-list, you can use a "remark" 'up to 100 characters
    in length'. I don't know if it's still an issue, but it used to be the
    case that your remarks had to all be unique, as otherwise the PIX
    would detect the second line as being a duplicate and would eliminate it.

    2) For each object-group, you can add a "description".

    If you are not using object-groups now, then I recommend that you
    start: the grouping abilities they give can really help clean up
    a configuration.


    At my site, we use a third, unsupported mechanism. What we do is
    treat a file on a tftp server as being the "master" configuration
    file, and we sprinkle comments through that liberally, using colons
    (':') at the beginning of the line to mark the comment. We then
    use "config net" to import the configuration into the PIX. The
    PIX will throw away all of these comments in its running configuration
    so they will NOT show up if you "show running", so if we need to
    work with the configuration, we refer back to the master configuration
    file. [In practice, using this approach requires some additional
    tricks; I have described the tricks in past postings. If you
    google on my name within this newsgroup and search for the key
    phrase "config net" then you will find those past postings.]

    --
    Oh, to be a Blobel!
     
    Walter Roberson, Jul 9, 2004
    #2

  3. Matt

    S. Gione Guest

    I can't remember the version in which it was implemented, but line numbers
    and comments have made life much easier (we're using 6.3(3)124). The syntax
    is:

    access-list <id> [line <line-num>] remark <text>

    Besides the comments, you can insert a line in the middle of the list, below
    the remark for similar statements.

    The "old" method to insert required removal of all list items, insertion of
    the new one in an editor, and re-applying the list.


    "Matt" <> wrote in message
    news:...
    > Hi,
    > What's the best way to keep a rather large ACL on a PIX organized? It's
    > quickly becoming DIS-Organized as we add additional rules and things are
    > very hard to keep straight. Is there a way to put comments in?
     
    S. Gione, Jul 9, 2004
    #3
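    A small helper script, added here as an illustration and not something posted in the thread, that applies the two organizing ideas above (a ':'-commented master file that is stripped before import, and remarks plus line-numbered insertion) to a constructed sample configuration. It assumes the master file is kept on an admin host, checks that no remark text repeats within one access-list (the duplicate-remark caveat mentioned earlier), prints the entries with the 1-based line numbers "show access-list" uses (that remarks are numbered like other entries is an assumption about the 6.3 listing), and works out the "line N" value needed to add a new statement at the end of the block under a given remark. The ACL name acl-outside, the object group DMZ_WEB and the addresses are made up.

```python
"""Helper for a ':'-commented 'master' PIX configuration file (added example,
not code from the thread). Assumptions: comment lines start with ':', one
access-list entry per line, and 'show access-list' numbers every entry
(remarks included) starting at 1.
"""
import re
from collections import defaultdict

# Constructed sample master configuration; names and addresses are made up.
MASTER_CONFIG = """\
: --- object groups ---
object-group network DMZ_WEB
  description Public web servers in the DMZ
  network-object 192.0.2.10 255.255.255.255
  network-object 192.0.2.11 255.255.255.255
: --- outside ACL ---
access-list acl-outside remark Web traffic to DMZ servers
access-list acl-outside permit tcp any object-group DMZ_WEB eq www
access-list acl-outside permit tcp any object-group DMZ_WEB eq https
access-list acl-outside remark Deny and log everything else
access-list acl-outside deny ip any any log
access-group acl-outside in interface outside
"""

ACL_RE = re.compile(r'^access-list\s+(\S+)\s+(.*)$')


def strip_comments(text):
    """Return the config lines without ':' comment lines (what 'config net' loads)."""
    return [ln for ln in text.splitlines() if not ln.lstrip().startswith(':')]


def acl_entries(lines):
    """Group access-list statements by ACL id, preserving their order."""
    acls = defaultdict(list)
    for ln in lines:
        m = ACL_RE.match(ln.strip())
        if m:
            acls[m.group(1)].append(m.group(2))
    return acls


def duplicate_remarks(acls):
    """Return {acl_id: [remark texts that occur more than once]}.
    The thread notes that older PIX code dropped a repeated remark line."""
    dups = {}
    for acl_id, entries in acls.items():
        seen, repeated = set(), []
        for e in entries:
            if e.startswith('remark '):
                txt = e[len('remark '):]
                if txt in seen and txt not in repeated:
                    repeated.append(txt)
                seen.add(txt)
        if repeated:
            dups[acl_id] = repeated
    return dups


def numbered_listing(acls):
    """Render each ACL with 1-based line numbers, as 'show access-list' displays them."""
    out = []
    for acl_id, entries in acls.items():
        for n, e in enumerate(entries, start=1):
            out.append(f'access-list {acl_id} line {n} {e}')
    return out


def insert_under_remark(acls, acl_id, remark_text, new_entry):
    """Build the 'access-list <id> line <n> ...' command that appends new_entry
    to the block introduced by remark_text (i.e. just before the next remark)."""
    entries = acls[acl_id]
    try:
        start = entries.index('remark ' + remark_text)
    except ValueError:
        raise KeyError(f'no remark {remark_text!r} in {acl_id}')
    n = start + 1
    while n < len(entries) and not entries[n].startswith('remark '):
        n += 1
    # Line numbers are 1-based; inserting at line n+1 shifts later entries down.
    return f'access-list {acl_id} line {n + 1} {new_entry}'


if __name__ == '__main__':
    acls = acl_entries(strip_comments(MASTER_CONFIG))
    print('\n'.join(numbered_listing(acls)))
    print('duplicate remarks:', duplicate_remarks(acls))
    print(insert_under_remark(acls, 'acl-outside', 'Web traffic to DMZ servers',
                              'permit tcp any object-group DMZ_WEB eq 8080'))
```

    Run the stripped output through "config net" and keep the commented file as the master; the numbered listing is what to compare against "show access-list" before issuing the generated "line N" command.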
  4. Matt

    Matt Guest

    Yes,
    I know about line numbers but I've forgotten how to list them. How do
    you list your access-list with numbers?


    S. Gione wrote:

    > I can't remember the version in which it was implemented, but line numbers
    > and comments have made life much easier (we're using 6.3(3)124). The syntax
    > is:
    >
    > access-list <id> [line <line-num>] remark <text>
    >
    > Besides the comments, you can insert a line in the middle of the list, below
    > the remark for similar statements.
    >
    > The "old" method to insert required removal of all list items, insertion of
    > the new one in an editor, and re-applying the list.
    >
    >
    > "Matt" <> wrote in message
    > news:...
    >
    >>Hi,
    >>What's the best way to keep a rather large ACL on a PIX organized? It's
    >>quickly becoming DIS-Organized as we add additional rules and things are
    >>very hard to keep straight. Is there a way to put comments in?

    >
    >
    >
     
    Matt, Jul 9, 2004
    #4
  5. Matt

    S. Gione Guest

    sho access-list

    I guess it would have been too convenient to display them within sho run :)

    "Matt" <> wrote in message
    news:...
    > Yes,
    > I know about line numbers but I've forgotten how to list them. How do
    > you list your access-list with numbers?
    >
    >
    > S. Gione wrote:
    >
    > > I can't remember the version in which it was implemented, but line numbers
    > > and comments have made life much easier (we're using 6.3(3)124). The syntax
    > > is:
    > >
    > > access-list <id> [line <line-num>] remark <text>
    > >
    > > Besides the comments, you can insert a line in the middle of the list, below
    > > the remark for similar statements.
    > >
    > > The "old" method to insert required removal of all list items, insertion of
    > > the new one in an editor, and re-applying the list.
    > >
    > >
    > > "Matt" <> wrote in message
    > > news:...
    > >
    > >>Hi,
    > >>What's the best way to keep a rather large ACL on a PIX organized? It's
    > >>quickly becoming DIS-Organized as we add additional rules and things are
    > >>very hard to keep straight. Is there a way to put comments in?

    > >
    > >
    > >
     
    S. Gione, Jul 9, 2004
    #5
  6. In article <>,
    Matt <> wrote:
    :I know about line numbers but I've forgotten how to list them. How do
    :you list your access-list with numbers?

    show access-list XXXXX
    --
    Disobey all self-referential sentences!
     
    Walter Roberson, Jul 9, 2004
    #6
  7. Matt

    Pat Donlon Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<ccn3ab$qlt$>...
    > In article <>,
    > Matt <> wrote:
    > :I know about line numbers but I've forgotten how to list them. How do
    > :you list your access-list with numbers?
    >
    > show access-list XXXXX


    You can also use object groups to organise your ACLs; once set up, it
    makes changes easier as you just edit the port list or network
    addresses. Also you can use grep in 6.3(3) on show access-list, which
    makes searching very easy.

    Cheers
    Pat
     
    Pat Donlon, Jul 12, 2004
    #7
  8. In article <>,
    Pat Donlon <> wrote:
    :Also you can use grep in 6.3(3) on show access-list which
    :makes searching very easy.

    A couple of practical hints about using grep and kin on PIX:

    - you must always have a space after the | symbol before the verb

    - the underscore character is special to PIX grep, so to search for
    something containing an underscore, you have to escape it:

    show access-list acl-outside | grep my\_pool
    --
    I was very young in those days, but I was also rather dim.
    -- Christopher Priest
     
    Walter Roberson, Jul 12, 2004
    #8
  9. Matt

    zillah

    Thanks, this quote above helps me to understand the quote below.
     
    zillah, Jan 7, 2007
    #9
