
I'm trying to verify only two commands for Cisco IOS ACL Extended.

They are:

access-list 101  deny   any 192.168.0.0/23 any

access-list 101  permit udp 192.168.1.1 any 

For this I'm using a syntax checker available on the internet, located at http://techie.devnull.cz/aclcheck

But when I execute the software for checking, it gives me an error in line 1 saying "destination specification ?". I've read many guides for ACL syntax on the internet but I simply don't get it, I just can't find this error. The destination is specified in the any keyword.

Are there errors in those commands? Or maybe a more reliable way to validate Cisco IOS commands?

Regards

Edit: new commands are

access-list 101  deny   ip 192.168.0.0/23 any

access-list 101  permit udp host 192.168.1.1 any 

Same error.

Notice I've maintained the /23 notation on purpose, check the comments. Will try out your guys' suggestion, but if that is the right notation it will break my translator's work hehe

Zoredache

2 Answers


In your first line the error comes from

  1. /23: you can't write this ACL like that, you should use a wildcard mask
  2. any after deny: this is the protocol field, any is not valid

In the second line, host is missing before the IP address.

The right syntax is:

access-list 101 deny ip 192.168.0.0 0.0.1.255 any
access-list 101 permit udp host 192.168.1.1 any

I would recommend you use named access-lists if possible; writing ACLs as you did is a bit old school, harder to manage and more sensitive to errors. A better way to do this is:

ip access-list extended SOMETHING
  deny ip 192.168.0.0 0.0.1.255 any
  permit udp host 192.168.1.1 any
radius
  • ok, the host missing I've already fixed but the /23 should work. check http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#topic2 I've changed the any to ip too. will redo the syntax check again – jaderanderson Jun 21 '10 at 02:55
  • Just to clarify, the 101 and 102 notation I'm using only because it's standard input/output ACLs. Right now I have no intention of testing them on a true Cisco but I need to know if they will work. I've designed a web app that translates commands for different firewalls and stuff. Thanks for the help – jaderanderson Jun 21 '10 at 03:01
  • @jader you might not be at the right IOS rev to get the use of the 'slash' notation – Zypher Jun 21 '10 at 03:09
  • hummmm... maybe it's right Zypher. Can you tell me when slash notation was accepted? The aclcheck program was last updated in 2005, with the mask as suggested the program works fine – jaderanderson Jun 21 '10 at 03:20
  • @jaderanderson nothing in the URL you provide tells that /X should work, it only tells that it can be *represented* like that but not that you can use this representation in an ACL. As far as I know the /X representation on IOS is only supported for prefix-list. – radius Jun 21 '10 at 03:57
  • Well, guess you're right radius. I'll have to implement a reverse mask by myself then since the 0.0.1.255 worked on aclcheck – jaderanderson Jun 21 '10 at 04:11
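The "reverse mask" translation discussed above (CIDR prefix to Cisco wildcard mask, plus the host keyword and protocol-field checks from the answer), as an added example that is not part of any post in this thread nor code from aclcheck or Cisco; the protocol set it accepts is an assumption.

```python
"""Translate CIDR-style extended ACL lines into Cisco IOS wildcard-mask syntax.

Added example for this thread: it converts /n to a wildcard mask, adds the
'host' keyword for bare addresses, and rejects a missing protocol field, which
is the real cause of the checker's "destination specification ?" complaint.
"""
import ipaddress

# Assumption: the protocols the translator needs to handle.
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


def wildcard_mask(prefix_len: int) -> str:
    """A Cisco wildcard mask is the bitwise inverse of the subnet mask."""
    netmask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return str(ipaddress.IPv4Address(int(netmask) ^ 0xFFFFFFFF))


def address_spec(token: str) -> str:
    """Translate one address token (any, a.b.c.d, a.b.c.d/n) into IOS form."""
    if token == "any":
        return "any"
    if "/" in token:
        # strict=True rejects host bits set under the mask (e.g. 192.168.1.1/23)
        net = ipaddress.IPv4Network(token, strict=True)
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        return f"{net.network_address} {wildcard_mask(net.prefixlen)}"
    # A bare address is a single host and needs the 'host' keyword.
    return f"host {ipaddress.IPv4Address(token)}"


def translate_ace(line: str) -> str:
    """Translate 'access-list N permit|deny proto src dst' into IOS syntax."""
    parts = line.split()
    if len(parts) != 6 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"expected 'access-list <n> permit|deny <proto> <src> <dst>': {line!r}")
    number, action, proto, src, dst = parts[1:]
    if proto not in PROTOCOLS:
        # 'any' here is what the question's first line had in the protocol slot.
        raise ValueError(f"protocol field must be one of {sorted(PROTOCOLS)}, got {proto!r}")
    return f"access-list {number} {action} {proto} {address_spec(src)} {address_spec(dst)}"
```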

access-list 101 deny ip 192.168.0.0 0.0.1.255 any
access-list 101 permit udp host 192.168.1.1 any

You had a few problems in here. First, you have to specify a protocol, even if that protocol is just IP. Second problem, you have to use wildcard masks to specify your subnet. Third problem, you must designate either a wildcard mask, any, or preface the host IP address with the word host. Hope this helps.

I'm not sure about a syntax checker. I just wear out the ? key on my keyboard.

Jason Berg