ACL / NAT management

onesaint Member Posts: 801
For those here on TE that deal with ACLs and NAT policies in abundance and/or on a large scale, how do you manage your ACLs / NAT rules? Do you use something like Excel and write out in plain English what each rule is doing with traffic and whatnot (this would seem like a huge timesuck)? Or are there specific tools for managing these policies and documenting changes, etc.?

I realize in some capacity a good network engineer should be able to figure out quickly what a rule is doing with traffic, but when dealing with a large amount of rules, I would think documenting them and what they do with traffic would come in handy for quick reference.

TYIA for your input.
Work in progress: picking up Postgres, Elasticsearch, Redis, Cloudera, & AWS.
Next up: eventually the RHCE and to start blogging again.

Control Protocol; my blog of exam notes and IT randomness

Comments

  • MAC_Addy Member Posts: 1,740
    I normally just manage all my devices through SSH and use the show access-lists / show ip nat translations commands.

    However, I can see why having NAT/ACL rules copy and pasted in a document would be handy.
    2017 Certification Goals:
    CCNP R/S
  • jibbajabba Member Posts: 4,317
    We tried once to document NAT and ACL rules but failed. Failed because someone WILL forget to update the documents, so you end up checking anyway. So on Cisco we simply check the ACL via telnet / SSH, and for NAT we just check the firewall UI (SonicWall in our case).
    My own knowledge base made public: http://open902.com :p
  • onesaint Member Posts: 801
    Thanks Gents.
    I was hoping there was a tool to avoid manually updating a document. I know that's a pain and ultimately fails. I suppose I'll end up scripting something to pull from all the routers and **** that to a csv or something.
  • phatrik Member Posts: 71
    Why not just add remarks between ACLs?

      Remark This does ASDF A
      10 20 30 40
      Remark End of ASDF A
      Remark ASDF B
      50 60 70 80
      Remark End of ASDF B

    For NAT rules, you could use ACLs to target traffic, which once again would allow you to add a remark.
    2018 goals: Security+, CCNA CyberOps (Cohort #6), eJPT, CCNA R&S 2019 goals: RHCE ????, OSCP || CISSP
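An added example (written for this page, not posted by anyone in the thread) of the "pull the ACLs and dump them to CSV" script onesaint mentions, built around phatrik's remark convention: it parses a constructed IOS running-config excerpt and tags every permit/deny entry with the remark that precedes it, so the exported sheet carries the plain-English description without anyone maintaining it by hand. Python standard library only; the config text, ACL names and addresses are made up.

```python
import csv
import io
import re

# Constructed IOS running-config excerpt (not from a real device).
# Covers both named ACLs (remark lines indented under the header)
# and old-style numbered ACLs (remark carried on each access-list line).
SAMPLE_CONFIG = """\
ip access-list extended OUTSIDE_IN
 remark Allow web to DMZ server
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.10 eq 80
 remark Catch-all, logged for review
 deny ip any any log
access-list 101 remark Inside hosts eligible for PAT
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
"""

NAMED_HDR = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
NUMBERED = re.compile(r"^access-list (\d+) (.*)$")
ACE = re.compile(r"^(permit|deny) (\S+)\s*(.*)$")


def parse_acls(config_text):
    """Return one row per ACE, each tagged with the most recent remark in its ACL."""
    rows, current_acl, remark = [], None, ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := NAMED_HDR.match(line):
            current_acl, remark = m.group(1), ""  # a new ACL resets the remark
            continue
        if m := NUMBERED.match(line):
            if m.group(1) != current_acl:         # first line of a numbered ACL
                current_acl, remark = m.group(1), ""
            line = m.group(2)                     # strip the "access-list N " prefix
        if line.startswith("remark "):
            remark = line[len("remark "):]
        elif (m := ACE.match(line)) and current_acl is not None:
            rows.append({"acl": current_acl, "remark": remark, "action": m.group(1),
                         "protocol": m.group(2), "match": m.group(3)})
    return rows


def to_csv(rows):
    """Render the parsed rows as CSV text ready to open in a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["acl", "remark", "action", "protocol", "match"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_acls(SAMPLE_CONFIG)))
```

Feed it the output of `show running-config` collected over SSH from each router and an entry with an empty remark column is exactly the rule someone forgot to document.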
  • onesaint Member Posts: 801
    Definitely a good thing to have. I was looking for something to take the rules / policies offline if possible.
  • unclerico Member Posts: 237
    We use Cisco Security Manager for our ASAs.

    Cisco Security Manager - Products & Services - Cisco Systems
    Preparing for CCIE Written