07-11-2012 07:46 AM
Hello, I am trying to create a compliance template in LMS 3.2.1 to check ALL extended access lists for an explicit deny any any rule. I found articles on how to check all interfaces including VLANs but cannot seem to make it work for access lists. BTW, the access lists are not all named the same on all devices, therefore I need to use wildcards for the name.
Thanks.
07-12-2012 07:38 AM
If you use the "ip access-list extended ...." syntax you can check:
in config mode:
ip access-list extended [#.*#]
for:
+deny any any
I don't see a possibility for the "classic" syntax like:
ip access-list 199 permit ...
ip access-list 199 deny any any
07-12-2012 08:34 AM
I forgot to mention that I am running this against Cisco ASA devices, which display it like this:
access-list TEST_ACL extended deny ip any any
I have tried:
access-list [#.*#] extended deny ip any any
but it returns all as compliant because it is stopping at the first access-list it finds with the explicit deny ip any any command and not continuing on to check all the other access lists.
Any ideas?
08-16-2012 05:45 AM
Sorry, as I wrote: for that I can't think of any solution for the syntax
access-list [name] extended [permit|deny] ...
Extended Regex can reference Match strings, so theoretically you could use the match for .* and use the value (which is the name of the access-list) for further matching, but I can't imagine a way to use this possibility here...
Regards,
MiKa
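Since the template check stops at the first access-list that contains the deny line, one way to audit the same condition outside LMS is to parse the ASA config yourself and evaluate every extended ACL by name. This is an added example, not code from the thread or from LMS; the config lines in `SAMPLE_CONFIG` are constructed, and trailing keywords such as `log` after `deny ip any any` are treated as still satisfying the check.

```python
import re
from collections import OrderedDict

# Constructed sample ASA config fragment (not taken from the thread).
SAMPLE_CONFIG = """\
access-list TEST_ACL extended permit tcp any host 10.0.0.5 eq 443
access-list TEST_ACL extended deny ip any any
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.6 eq 80
access-list OUTSIDE_IN extended permit icmp any any
access-list DMZ_OUT extended permit ip 10.1.0.0 255.255.0.0 any
access-list DMZ_OUT extended deny ip any any log
access-list INSIDE_OUT standard permit 10.2.0.0 255.255.0.0
"""

# Matches "access-list NAME extended ACTION <rest>"; standard ACLs are ignored.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(.*)$")

def parse_extended_acls(config_text):
    """Group extended ACEs by ACL name, preserving order of first appearance."""
    acls = OrderedDict()
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, action, rest = m.groups()
        acls.setdefault(name, []).append((action, rest.split()))
    return acls

def has_explicit_deny_any(aces):
    """True if any ACE in the list is 'deny ip any any' (extra trailing keywords allowed)."""
    for action, fields in aces:
        if action == "deny" and fields[:3] == ["ip", "any", "any"]:
            return True
    return False

def check_compliance(config_text):
    """Return {acl_name: compliant} for every extended ACL, not just the first one found."""
    acls = parse_extended_acls(config_text)
    return {name: has_explicit_deny_any(aces) for name, aces in acls.items()}

if __name__ == "__main__":
    for name, ok in check_compliance(SAMPLE_CONFIG).items():
        status = "compliant" if ok else "NON-COMPLIANT (no explicit deny ip any any)"
        print(f"{name}: {status}")
```

Running it against a saved `show running-config` reports each extended ACL separately, so an ACL without the explicit deny is flagged even when another ACL on the same device has one.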