Lesson 2 of 10

Writing and Auditing ACLs

The Scenario

Your Cisco router has an ACL with 85 entries that has grown over 5 years. Nobody knows which rules are still needed. Some may be redundant, some may be shadowed, and there might be security gaps. AI audits it in 60 seconds.
The Prompt

Audit this Cisco IOS access-list for security issues:

access-list 101 permit tcp 10.1.0.0 0.0.255.255 any eq 80
access-list 101 permit tcp 10.1.0.0 0.0.255.255 any eq 443
access-list 101 permit tcp any host 10.1.1.100 eq 22
access-list 101 permit ip 10.1.5.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 101 permit tcp any any eq 445
access-list 101 permit ip host 10.1.1.50 any
access-list 101 deny ip any any log

Check for:
1. Overly permissive rules (source "any" or destination "any")
2. Shadowed rules (rules that will never be hit because an earlier rule matches first)
3. Dangerous ports left open (445, 23, 3389, etc.)
4. Missing rules you would expect (DNS, NTP, etc.)
5. Suggest a cleaner, tighter version

What AI Gives You

  • Line 3: SSH from ANY source — should be restricted to management subnet
  • Line 5: Port 445 (SMB) open from any to any — critical security risk, vector for ransomware
  • Line 6: Host 10.1.1.50 can go anywhere — should be scoped to specific destinations
  • A rewritten ACL with the same intent but tighter security
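To check the AI's findings against something deterministic, here is an added example (not part of the lesson, and not the AI's output): a small Python script that parses numbered extended ACL entries and runs checks 1-3 from the prompt. The regex (numeric ports, "eq" only), the dangerous-port set, the shadowing test (an earlier entry whose protocol, port, source and destination all cover the later one), and the narrower "source any, or destination any with no port" reading of check 1 are this example's assumptions, not rules from the lesson.

```python
import ipaddress
import re

DANGEROUS_PORTS = {23, 445, 3389}  # the lesson's check 3; extend as needed
# Numbered extended ACL entry with optional "eq <port>" (numeric) and trailing "log".
RULE_RE = re.compile(r"access-list\s+\d+\s+(permit|deny)\s+(\w+)\s+(.+?)(?:\s+eq\s+(\d+))?(?:\s+log)?$")
def _addr(tokens):
    """Consume one address spec: any | host A | A WILDCARD (a wildcard is a host mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)
def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m: raise ValueError(f"unparsed ACL line: {line!r}")
    tokens = m.group(3).split()
    return {"action": m.group(1), "proto": m.group(2), "src": _addr(tokens),
            "dst": _addr(tokens), "port": int(m.group(4)) if m.group(4) else None}
def _covers(a, b):
    """True when rule a matches every packet rule b would match, so b is shadowed."""
    return ((a["proto"] == "ip" or a["proto"] == b["proto"])
            and (a["port"] is None or a["port"] == b["port"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"]))
def audit(acl_text):
    # Returns (line, kind, detail) findings for checks 1-3 of the lesson prompt.
    rules = [parse_rule(ln) for ln in acl_text.strip().splitlines()]
    findings = []
    for i, r in enumerate(rules, 1):
        if r["action"] == "permit":
            if r["src"].prefixlen == 0:  # reachable from anywhere
                findings.append((i, "permissive", "source any"))
            elif r["dst"].prefixlen == 0 and r["port"] is None:
                findings.append((i, "permissive", "destination any, no port limit"))
            if r["port"] in DANGEROUS_PORTS:
                findings.append((i, "dangerous-port", f"port {r['port']} permitted"))
        for j, earlier in enumerate(rules[:i - 1], 1):
            if _covers(earlier, r):
                findings.append((i, "shadowed", f"never reached; line {j} matches first"))
                break
    return findings
LESSON_ACL = """\
access-list 101 permit tcp 10.1.0.0 0.0.255.255 any eq 80
access-list 101 permit tcp 10.1.0.0 0.0.255.255 any eq 443
access-list 101 permit tcp any host 10.1.1.100 eq 22
access-list 101 permit ip 10.1.5.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 101 permit tcp any any eq 445
access-list 101 permit ip host 10.1.1.50 any
access-list 101 deny ip any any log
"""  # the ACL from the lesson prompt, verbatim
```

Run audit(LESSON_ACL) and it flags lines 3, 5 (twice: source any and port 445) and 6, the same three entries the AI called out, and reports no shadowed entry; append an entry such as a host-to-host permit inside line 4's two subnets and it is reported as shadowed by line 4.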

Try It Yourself

Pull an ACL from any production device (show access-lists). The hit counts in that output show which entries have matched since the counters were last cleared, so zero-count entries are the first candidates for removal. Paste the entire thing into AI. You will find issues. Treat the ruleset as sensitive: it maps your internal addressing and management hosts, so anonymize addresses or use a model that runs inside your own environment before pasting a production ACL into a hosted service.