The Chesapeake Access List Editor

By Jim Boney, Consultant-Programmer

Those darn access lists
Is editing access-lists on Cisco routers driving you nuts? From the most experienced network administrators to Cisco beginners, editing access-lists can be frustrating at times. Copy, paste, renumber, then copy and paste all over again. What we really need is a list editor that can communicate with the router.

Once again, Chesapeake comes to the aid with a new Java tool, the Chesapeake Access List Editor. With this new tool you can download access lists from your router, edit them on the fly within the familiar world of an editor window, then send them back to the router with a new access list number.

The Chesapeake Access List Tool might be exactly what you need if you are just learning Cisco access lists. The tools included are an edit window, IP list wizard, wildcard mask calculator, and transfer tools.

A real world example
Every network administrator deals with access lists at some point. A friend of mine works for an Internet Service Provider, and every once in a while he will receive a call from the support help desk: 'A user is complaining that his link is becoming saturated by another user.'

After a little investigating, he will usually find that someone from outside the network is attacking a user. This attack will usually consist of a ping attack or some other IP flood attack. The ISP's usual policy is to block the source IP address until the administrator at that site can be contacted. To do this he keeps an access list on the incoming router that blocks current problem sites and is updated daily, as new mischievous sites are added and old problem sites are removed.

The way he did this in the past, as anyone might, was to log in to the router in one window, paste the list into an editor, add the new statements, change the access list number by hand, then paste it back into his telnet window. As the list grew longer this became a problem: a painful and time-consuming task.

Now that he uses the Chesapeake Access List Editor, he can keep the list on disk or retrieve it from the router, edit the list, and then ship it back to the router with a new access list number.

Why change the access list number?
When an access-list is applied to an interface, changing it is tricky: for a few moments the interface can be left without the security the list provides. That window can be minimized by two methods: shutting the interface down while modifying the list, or changing the list number.

For example, say we had the following configuration:

interface serial1
ip access-group 110 in

access-list 110 deny ip 192.10.0.0 0.0.255.255 any
access-list 110 permit ip any any

List 110 is blocking only access from the 192.10.0.0 network; now we also want to block access from the 182.11.0.0 network. The question is how do we handle this in the most secure way possible? Shutting down the interface is not an option, because we do not want to disturb the allowed traffic.

So we take the current list and add to it, changing the list number in the process. (NOTE: A new line has been added and the access-list number has been changed. Number 111 is currently unused on the router.)

access-list 111 deny ip 182.11.0.0 0.0.255.255 any
access-list 111 deny ip 192.10.0.0 0.0.255.255 any
access-list 111 permit ip any any

Now we apply the list to the interface:

int s1
ip access-group 111 in

We do not have to do a 'no access-group 110 in' because the Cisco knows we can only have one access list coming 'in' and makes the change for us. The new list was added seamlessly with minimal interruption. Now, we can safely remove the old access-list so we can use 110 next time:

no access-list 110
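The renumber-and-swap procedure above, scripted as an added Python example (it is not part of the article or of the Chesapeake tool): the old list is copied under an unused number with the new deny placed first, applied to the interface in one step, and only then is the old number freed. The numbered-list class ranges and the check that a renumbering does not turn an extended list into a standard one are assumptions added here.

```python
import re

# IOS numbered IP access-list classes (assumed ranges), so that renumbering
# never turns an extended list into a standard one or vice versa.
STANDARD = set(range(1, 100)) | set(range(1300, 2000))
EXTENDED = set(range(100, 200)) | set(range(2000, 2700))
ACL_LINE = re.compile(r"^access-list\s+(\d+)\s+(.*)$")

def parse_acl(acl_text):
    """Return (list_number, [rule, ...]) for the text of one numbered ACL."""
    number, rules = None, []
    for line in acl_text.strip().splitlines():
        m = ACL_LINE.match(line.strip())
        if not m:
            raise ValueError("not an access-list line: %r" % line)
        if number not in (None, int(m.group(1))):
            raise ValueError("list %s mixed into list %d" % (m.group(1), number))
        number, rules = int(m.group(1)), rules + [m.group(2)]
    if number is None:
        raise ValueError("empty access list")
    return number, rules

def swap_sequence(old_acl, new_number, interface, direction, new_rules=()):
    """IOS commands that replace old_acl with a copy (new_rules placed first) under
    an unused number; applying that number displaces the old list in one step."""
    old_number, rules = parse_acl(old_acl)
    if new_number == old_number:
        raise ValueError("new number must differ from the old one")
    same_class = (old_number in STANDARD) == (new_number in STANDARD) and \
                 (old_number in EXTENDED) == (new_number in EXTENDED)
    if not same_class:
        raise ValueError("%d and %d are different list types" % (old_number, new_number))
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    cmds = ["no access-list %d" % new_number]  # make sure the target number is empty
    cmds += ["access-list %d %s" % (new_number, r) for r in list(new_rules) + rules]
    cmds += ["interface %s" % interface, "ip access-group %d %s" % (new_number, direction)]
    cmds.append("no access-list %d" % old_number)  # old number is free for next time
    return cmds

# Constructed sample: the article's list 110.
OLD_ACL = """\
access-list 110 deny ip 192.10.0.0 0.0.255.255 any
access-list 110 permit ip any any
"""

if __name__ == "__main__":
    print("\n".join(swap_sequence(OLD_ACL, 111, "serial1", "in",
                                  ["deny ip 182.11.0.0 0.0.255.255 any"])))
```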

Running the Chesapeake Access Editor
The Chesapeake access list editor is written in Java 1.0, which allows it to run on UNIX, Windows 95, and Windows NT. The interface is confined to the GUI, so there are no command line options; simply start the program with the following command:

/java ale


Figure 1

A window will appear (Figure 1).

The most important menu item is the 'Router' menu, which consists of 'Get from Router', 'Send to Router', and 'Query Router'. Get and Send ship your current list back and forth to a router, and Query lets you quickly view which lists are currently on the router. Here are the steps for editing an IP access list:

Getting the List

Figure 2

Step 1: Get the access list from the router. Click on 'Router-->Get from Router'. A window will appear (Figure 2).

If you are running TACACS or something similar that asks for a 'username', select TACACS as the 'Login Method'; otherwise leave it as 'Regular'. Regular means that the Cisco will simply ask for 'password:' first. The documentation explains this in more detail.

Enter the router name, the username (only if you selected TACACS as the login method; otherwise leave it blank), the password, and then the enable password. Selecting the 'Connect' button will initiate the process.

Step 2: Another window will appear showing which access-lists are available on the router. Select one from the list and hit "OK" to continue. If there are no lists on the router, the window will inform you via a dialog box and then abort.

Step 3: The program will retrieve the list from the router and will now display it in the editor window. At this point, the session with the router is closed.

Editing the List
The edit screen behaves like a simple editor; control keys and the mouse allow you to edit easily. If you want to change the access-list number, do not edit it by hand: we have a tool for that! From the top menu bar select 'Tools-->Change Current List Number'. The editor will bring up a window and prompt you for the new access list number; enter the new number and it will automatically be incorporated into the current list. Be sure that the number you choose is either one you want overwritten or one that is 'empty' on the router, because the send will overwrite the router's copy.

Sending it back to the router
Step 1: From the menu bar select 'Router-->Send to Router'. This will bring up a window like Figure 2. Enter the information as you did when you retrieved the list from the router.

Step 2: Hit the 'Send List' button and the editor will automatically send the new list back to the router. Important note: it will send a 'no access-list' command first, using the number from the list you are sending. This new list will replace any existing access lists that have the same number. Be sure that is what you want to do.

Step 3: A window will appear, asking if you want to apply the new list to an interface. If you do not, check the 'do not apply' checkbox. If you choose 'apply list' you must fill in the interface box with an interface name, for example 'serial 0', 'ser 0', 'ethernet 1', 'eth 1', etc. Use the same name as in the router configuration. Then select the 'in' or 'out' direction checkbox for the appropriate direction. The program will then perform an 'ip access-group <list number> <direction>' on the router. The list is applied!

IP List Wizard
Under the Tools menu you will find 'IP List Wizard', which asks for a series of IP addresses and then generates an access-list. This is designed as a teaching tool, and shows what a possible access-list on an Internet gateway router might look like. The wizard will show you how to allow www, ftp (passive and regular), nntp, dns and telnet, how to filter IP spoofing, and how to block the unwanted traffic!


Figure 3

When the wizard first appears (Figure 3), it is simply a form asking for IP addresses. In each field you can enter as many IP addresses as needed; separate the entries with commas. If any of the fields are left blank, they are ignored. Hit the 'Build List' button and the list will be automatically created for you.

Although a filtering access-list on a gateway is a good thing to have, it does not replace a firewall. It is, however, an important layer of network security.

Unfamiliar with access-list masks?
Access-list wildcard masks look like subnet masks, and it is easy to get them confused. Included with the editor is a range calculator. This is another simple tool that is designed as a teaching tool for understanding how the masks work. A typical access-list would contain a line like the following:

access-list 110 permit ip 10.20.0.0 0.0.0.255 any

The 10.20.0.0 is the source network address and the 0.0.0.255 is the source-wildcard mask. To view the ranges of IP addresses that apply to this list start the Range Calculator, located under the Tools menu.


Figure 4

A window will appear as in Figure 4. Enter the network address 10.20.0.0, and the access mask of 0.0.0.255. Hit the 'Calculate Range' button and the lower text window will fill up with all the possible matching IP addresses for that range.

To see another example, enter the network address of 10.2.0.0 and a mask of 0.0.2.25. Experiment with different values, but be warned that if you enter a very large range it will take a while to calculate. If you run into that situation, hit the "Cancel" button and it will stop the range calculation.
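The arithmetic behind the Range Calculator, as an added Python example (not part of the editor): a wildcard bit set to 1 is a 'don't care' bit, which is why 0.0.2.25 is a legal, non-contiguous mask matching 16 scattered hosts, and why a wide mask produces a very large range. The `limit` guard plays the role of the Cancel button for huge ranges.

```python
import ipaddress

def _ints(address, wildcard):
    return int(ipaddress.IPv4Address(address)), int(ipaddress.IPv4Address(wildcard))

def wildcard_matches(address, wildcard, limit=4096):
    """Enumerate the IPv4 addresses matched by an IOS address/wildcard pair.
    A 1 bit in the wildcard means 'don't care', so the mask need not be
    contiguous. Returns (total_count, addresses); enumeration stops after
    `limit` entries so a wildcard like 0.255.255.255 cannot hang the caller."""
    base, wild = _ints(address, wildcard)
    base &= ~wild  # address bits under a 1 wildcard bit are ignored, as on the router
    free_bits = [1 << i for i in range(32) if wild >> i & 1]
    total = 1 << len(free_bits)
    addrs = []
    for k in range(min(total, limit)):
        # spread the bits of the counter k over the positions the wildcard frees
        value = base
        for idx, bit in enumerate(free_bits):
            if k >> idx & 1:
                value |= bit
        addrs.append(str(ipaddress.IPv4Address(value)))
    return total, addrs

def matches(address, wildcard, candidate):
    """The per-packet test the router performs: compare only the bits the
    wildcard leaves significant."""
    base, wild = _ints(address, wildcard)
    return (base & ~wild) == (int(ipaddress.IPv4Address(candidate)) & ~wild)

if __name__ == "__main__":
    for net, mask in (("10.20.0.0", "0.0.0.255"), ("10.2.0.0", "0.0.2.25")):
        total, addrs = wildcard_matches(net, mask, limit=8)
        print(net, mask, "matches", total, "addresses, first:", addrs)
```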

Summary
The Chesapeake Access List Editor is a tool that contains methods for building, sending, and receiving access lists from Cisco routers, saving you the time it takes to edit by the old methods of cutting and pasting or retyping.

Included with the editor are several tools that make building access-lists a little easier to understand.

There are many enhancements planned for the editor, stay tuned to our web site for updates!

How to get a copy
You can receive a free copy of the Chesapeake Access List Editor from our web page, http://www.ccci.com. Look for the announcement on our homepage. While you are there pick up our other tools as well!

Volume 3, Number 4