home

Cisco access list syntax checker

What is it ?

aclcheck is Cisco ACL syntax checker. It can be mainly used for

• learning Cisco ACL (extended) syntax
• creating ACL administration framework

For maintaining complex security policies with large ACLs, it may be suitable to store ACLs in repository. (cvs or the like) Every change of ACLs must be done in the repository. Commits into the repository can be set up to generate e-mails of every change. The e-mails can contain differences to previous versions of ACLs. This can make security administration more transparent.

ACLs can be then loaded from repository directly to Cisco boxes. Before that, they should be checked they are syntactically correct. This is what aclcheck does.

aclcheck can also be used for Cisco extended ACL syntax learning. To make some idea how IOS ACL syntax looks, you can see command hints here.

License

aclcheck is written under the terms of GNU general public license.

Download section

• latest sources (2005-01-02_23:01 snapshot)
  compiles on OS X, FreeBSD, NetBSD, Linux, Solaris 8 (if you tweak Makefile a bit)
• syntax file for Vim which does basic syntax highlighting for Cisco access lists.

Changelog

• 2005/01/01 IPv6 regex cleanup
• 2004/12/09 fixed IPv6 UDP parsing bug
• 2004/12/08
  • fixed bug in qualifiers - now it is possible to specify list of qualifiers e.g. log fragments
    (but not fragments log - aclcheck is more strict than IOS CLI)
  • added preliminary regress suite to build dir (not distributed with snapshots)
• 2004/12/05
  • better IPv6 support
  • added TCP flags list support
• 2004/12/04
  • better IPv6 support (parses first real-world IPv6 ACL)
  • fix TCP/UDP port checking
• 2004/12/01
  • better support for IPv6 ACLs
  • fixed remark string parsing bug
• 2004/11/15 preliminary support for IPv6 ACLs
• 2004/11/10 check for port order for range specifier args
• 2004/10/21 added man page
• 2004/10/20
  • fix grammar error in rules containing network specification
  • add missing TCP header specifiers (urg, psh, rst, fin)
  • add missing port specfier: neq
• 2004/10/18 fix icmp type/code problem for icmp echo request. Type 8 code 0 is actually possible.
• 2004/10/04
  • use keywords rather than generic strings for TCP/UDP port specifications now directly in lexical analysis. this results in more accurate checking of syntax
  • check_servname() should return port number - this will be usefull in the future for ACL evalutation against given packet specification
  • reduced rule reduce conflits to zero :)
  • implemented "Differentiated services codepoint value" specification
    e.g. access-list 133 permit 41 host 1.2.3.4 host 5.6.7.8 dscp af11
• 2004/08/25 fix lex error evaluation
• 2004/08/14 add syn/ack TCP protocol qualifiers
• 2004/05/31 split rule matching by protocol - better detection of incorrect usage of protocol specifiers
• 2004/04/25 add tos, precedence keywords, check if hostname resolves to valid ip address, dynamic access list entry support
• 2004/04/23 better error guessing heuristics, FreeBSD compilation
• 2004/04/22 initial import of ACL check. does basic Cisco extended ACL parsing. checking of qualifiers against protocols (e.g. does not allow ICMP qualifiers with TCP rule)

Installation process

For building, bison, lex (or flex) and gcc are needed.

aclcheck can be installed either by hand from build/ directory after doing make install or by make install from source directory. aclcheck is installed to /usr/local/bin/aclcheck by default. Packages for *BSD and linux would be naturally better, lend a hand and create some if aclcheck has gotten your interest.

Usage

To check syntax of given access list, simply type

aclcheck FE-0-1-0-ingress.acl
(supposing aclcheck is in search path)

If the file is syntactically correct, aclcheck ends silently with error code 0. For more verbose output, use -v flag, which can be cumulated in order to get more verbose output.

sample extended ACL:

access-list 133 remark HUE-HUE-(lada)==OUT
! access-list 129 permit tcp any eq 80 host 195.113.1.2
access-list 111 deny udp any eq 80 host 12.13.14.15 range 1 4444

! precedence
access-list 123 permit igrp host 5.6.7.8 any precedence immediate

! icmp qualifier
access-list 123 permit icmp any any 3 0
access-list 156 permit icmp any 1.2.3.0 0.0.0.255 packet-too-big


Note: colored output above was created using vim editor with Cisco ACL syntax highlighting.

Notes

• Specifiers ambiguity:

  When configuring e.g. icmp protocol qualifier, cisco command line interface suggests (via '?') keywords which are breaking original syntax of extended access lists but produce valid results. Results of this behavior can be however unexpected.

  e.g. When we enter

  access-list 123 permit icmp any any 0 3

  it produces the same line in running-config output. However, if we enter

  access-list 123 permit icmp any any 0 3 1 2

  it produces following line:

  access-list 123 permit icmp any any 1 2

• Normalized syntax:

  Some of the specifiers can be written in arbitrary order.

  E.g. following lines are equivalent and in running-config appear "normalized" - as the first line.

  access-list 123 permit gre any any precedence routine tos normal log
  access-list 123 permit gre any any tos normal precedence routine log

• Non-strict specifiers:

  When specifying icmp message type and code, it is possible to enter bogus numbers.

  e.g.
  access-list 123 deny icmp host 1.2.3.4 any 3 26

  There is no such code 26 for ICMP unreachable message type. aclcheck is more strict in this sense - it does not allow invalid message types and codes.

• Network address/netmask fixup:

  When network address or network mask is specified incorrectly, it is fixed (maybe only in some IOS versions, e.g. 12.1(22)E1 and 12.3(6a) work) in resulting rule:

    c10.ipv6(config)# access-list 133 permit tcp 172.20.0.208 0.0.0.63 host 10.0.0.1 eq 22
    c10.ipv6(config)#
    c10.ipv6(config)#^Z
    c10.ipv6#sh running-config | incl list 133
    access-list 133 permit tcp 172.20.0.192 0.0.0.63 host 10.0.0.1 eq 22
    c10.ipv6#
    

  We tried to configure rule for network 172.20.0.208 0.0.0.63 (172.20.0.208/26), which is not possible - the netmask and network address does not match.
  This fixup suggests, that we want something other, in this case 172.20.0.208 0.0.0.15 (172.20.0.208/28). (208 in binary is 11010000, this is 24+4 fixed bits)

  This kind of behavior can be easily detected by comparing stored version of generated ACL with ACL extracted from router config.

• Port range order

  When higher port is specified first in range keyword, in the configuration it appears reversed:

  access-list 2311 permit udp host 192.168.1.34 host 172.20.1.52 range 8000 3300

  becomes

  access-list 2311 permit udp host 192.168.1.34 host 172.20.1.52 range 3300 8000

• TCP flags

  TCP flags can be specified in a list, e.g.

  access-list 129 permit tcp any any eq 23 syn fin urg ack

  But some additional rules apply:

  • Each flag can be specified only once
  • ack keyword is almost the same as established, but established does not allow rst to follow it in the list of flags, e.g. permit tcp any any eq 23 ack rst is possible, whereas permit tcp any any eq 23 established rst is not.