Tuesday, January 25, 2011

Syntax checker working crazy with cisco

Hi there,

I'm trying to verify only two commands for a Cisco IOS extended ACL.

They are:

access-list 101  deny   any 192.168.0.0/23 any

access-list 101  permit udp 192.168.1.1 any 

For this I'm using a syntax checker available on the internet at http://techie.devnull.cz/aclcheck

But when I execute the software for checking, it gives me an error in line 1 saying "destination specification ?". I've read many guides for ACL syntax on the internet but I simply don't get it; I just can't find this error. The destination is specified by the any keyword.

Are there errors in those commands? Or maybe there is a more reliable way to validate Cisco IOS commands?

Regards

Edit: new commands are

access-list 101  deny   ip 192.168.0.0/23 any

access-list 101  permit udp host 192.168.1.1 any 

Same error.

Notice I've kept the /23 notation on purpose; check the comments. I will try out your suggestions, but if that is the right notation it will break my translator's work hehe

  • access-list 101 deny ip 192.168.0.0 0.0.1.255 any
    access-list 101 permit udp host 192.168.1.1 any

    You had a few problems in here. First, you have to specify a protocol, even if that protocol is just IP. Second problem, you have to use wildcard masks to specify your subnet. Third problem, you must designate either a wildcard mask, any, or preface the host IP address with the word host. Hope this helps.

    I'm not sure about a syntax checker. I just wear out the ? key on my keyboard.

    From Jason Berg
  • In your first line the error comes from

    1. /23: you can't write this ACL like that, you should use a wildcard mask
    2. any after deny: this is the protocol field, and any is not valid there

    In the second line, host is missing before the IP address

    Right syntax is :

    access-list 101 deny ip 192.168.0.0 0.0.1.255 any
    access-list 101 permit udp host 192.168.1.1 any
    

    I would recommend you use named access-lists if possible; writing ACLs as you did is a bit old school, harder to manage and more error-prone. A better way to do this is:

    ip access-list extended SOMETHING
      deny ip 192.168.0.0 0.0.1.255 any
      permit udp host 192.168.1.1 any
    
    jaderanderson : ok, the missing host I've already fixed, but the /23 should work. Check http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#topic2 . I've changed the any to ip too. Will redo the syntax check again
    jaderanderson : Just to clarify, I'm using the 101 and 102 notation only because they are standard input/output ACLs. Right now I have no intention of testing them on a real Cisco, but I need to know if they will work. I've designed a web app that translates commands for different firewalls and such. Thanks for the help
    Zypher : @jader you might not be at the right IOS rev to get the use of the 'slash' notation
    jaderanderson : hummmm... maybe you're right Zypher. Can you tell me when slash notation was accepted? The aclcheck program was last updated in 2005; with the mask as suggested the program works fine
    radius : @jaderanderson nothing in the URL you provided says that /X should work; it only says that it can be *represented* like that, not that you can use this representation in an ACL. As far as I know the /X representation on IOS is only supported for prefix-lists.
    jaderanderson : Well, guess you're right radius. I'll have to implement a reverse mask by myself then, since the 0.0.1.255 worked on aclcheck
    From radius
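As an added example (not code from the original post, from the aclcheck tool, or from Cisco), here is the prefix-to-wildcard conversion the asker says he will implement, plus a small checker that applies the three rules both answers above give for numbered extended ACLs: a protocol keyword is mandatory, subnets take a wildcard mask rather than /N, and each address is `any`, `host <ip>` or `<ip> <wildcard>`. The protocol keyword set and the handling of a trailing `eq <port>` or `log` are my assumptions; a real IOS parser accepts far more, and the error messages here do not try to match aclcheck's.

```python
"""CIDR -> Cisco wildcard-mask conversion and a checker for numbered extended
ACL lines, applying the three rules from the answers above.  Added example,
not code from the original post or from the aclcheck tool."""
import re
import ipaddress

# Assumption: a representative subset of the protocol keywords IOS accepts.
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def cidr_to_wildcard(cidr):
    """'192.168.0.0/23' -> '192.168.0.0 0.0.1.255' (wildcard = inverted netmask)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address} {net.hostmask}"


def rewrite_slash_notation(line):
    """Replace every A.B.C.D/N token with 'network wildcard' so the line is valid ACL syntax."""
    out = []
    for tok in line.split():
        base = tok.split("/")[0]
        out.append(cidr_to_wildcard(tok) if "/" in tok and _IPV4.match(base) else tok)
    return " ".join(out)


def _take_address(tokens, pos, role):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D W.W.W.W) at tokens[pos].

    Returns (next_pos, error_or_None)."""
    if pos >= len(tokens):
        return pos, f"{role} specification ?"
    tok = tokens[pos]
    if tok == "any":
        return pos + 1, None
    if tok == "host":
        if pos + 1 < len(tokens) and _IPV4.match(tokens[pos + 1]):
            return pos + 2, None
        return pos, f"{role}: 'host' must be followed by an IPv4 address"
    if "/" in tok:
        return pos, f"{role}: slash notation '{tok}' is not accepted in an ACL; use a wildcard mask"
    if _IPV4.match(tok):
        if pos + 1 < len(tokens) and _IPV4.match(tokens[pos + 1]):
            return pos + 2, None
        return pos, f"{role}: '{tok}' needs a wildcard mask, or use 'host {tok}' / 'any'"
    return pos, f"{role} specification ?"


def check_extended_acl(line):
    """Return a list of problems with one numbered extended ACL line ([] means it parsed)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        return ["line must start with 'access-list <100-199> permit|deny <protocol>'"]
    errors = []
    if not (tokens[1].isdigit() and 100 <= int(tokens[1]) <= 199):
        errors.append(f"'{tokens[1]}' is not an extended ACL number (100-199)")
    if tokens[2] not in ("permit", "deny"):
        errors.append(f"expected permit|deny, got '{tokens[2]}'")
    # Rule 1: a protocol keyword is mandatory, even if it is just 'ip'.
    if tokens[3] not in PROTOCOLS:
        errors.append(f"'{tokens[3]}' is not a protocol; a keyword such as ip, tcp or udp is required")
        return errors
    # Rules 2 and 3: source and destination are 'any', 'host <ip>' or '<ip> <wildcard>'.
    pos, err = _take_address(tokens, 4, "source")
    if err:
        return errors + [err]
    pos, err = _take_address(tokens, pos, "destination")
    if err:
        return errors + [err]
    # Assumption: only 'eq <port>' (tcp/udp) and a trailing 'log' are modelled here.
    if tokens[3] in ("tcp", "udp") and pos + 1 < len(tokens) and tokens[pos] == "eq":
        pos += 2
    if pos < len(tokens) and tokens[pos] == "log":
        pos += 1
    if pos != len(tokens):
        errors.append("unexpected trailing tokens: " + " ".join(tokens[pos:]))
    return errors


if __name__ == "__main__":
    # Constructed sample: the two lines from the question, then the corrected forms.
    for acl in ("access-list 101 deny any 192.168.0.0/23 any",
                "access-list 101 permit udp 192.168.1.1 any",
                rewrite_slash_notation("access-list 101 deny ip 192.168.0.0/23 any"),
                "access-list 101 permit udp host 192.168.1.1 any"):
        print(acl, "->", check_extended_acl(acl) or "OK")
```

Run as a script, the two original lines are rejected (first for the missing protocol, second for the bare address without a mask or `host`), while the wildcard-mask rewrite of the /23 line and the `host` form pass. `ipaddress.ip_network(..., strict=False)` is what does the reverse-mask work: `hostmask` is the inverted netmask, which is exactly the Cisco wildcard.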
