cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1035
Views
0
Helpful
7
Replies
Highlighted
Beginner

Editing access lists for mass editing...? Removing all and re-adding

Hello I have to edit every access list we have on our ASA to include the LOG statement at the end and then turn off some syslog messages so that our syslog server only shows Permits and Denies, not opens and closed messages.

 

I have many contexts, and thousands of lines of ACLs. I have to remove them in reverse order and then remove the hit count at the end of the ACL along with the hex code.  Is there an easy way to do this? 

 

ie:

This

access-list test_access_in line 3 extended permit tcp object testsystem1 object testsystem2 object-group testports (hitcnt=1288461) 0xd4c53b6e

 

Will end up like this..

no access-list test_access_in line 3 extended permit tcp object testsystem1 object testsystem2 object-group testports 

access-list test_access_in line 3 extended permit tcp object testsystem1 object testsystem2 object-group testports log

 

Any thoughts on how this could be done without a ton of effort?

7 REPLIES 7
Highlighted
VIP Advisor

Hi there,

I hope you are planning to script this?!

 

A python script could SSH onto the device, output the running config, parse it with a regex filter to find the ACLs group by name and storing them in lists, then iterate through the list in reverse prefix each element with 'no' and sending the command, then iterating through the list in the other direction appending 'log' to the end of the element before sending it.

 

Unless someone comes up with a more standard method or a script of their own, I'll see if I can come up with the bare bones of the above this evening.

 

cheers,

Seb.

Highlighted

Thanks for the reply.  Unfortunately I'm not a scripting expert and never use Python. One of my co-workers does a lot with it though so I can run it by him.

 

It's definitely a lot of work to do manually. 

 

Chris

Highlighted

OK you might want to run the following script past your co-worker. For input it takes a CSV of the format:

 

 

device_ip
192.168.0.1
192.168.0.2
192.168.0.3

#python3 asa_acl_add_log.py -c asa_ips.csv

 

 

The script will then prompt you for a username and password which will then be used for each device login. It will collect the output from sh run | inc access-list then parse each line with a regex query, this will build a dictionary based data structure:

 

{"OUTSIDE": [<ace01>, <ace02>],
"INSIDE": [<ace01>, <ace02>, <ace03>]
}

 

 

It then iterates through the dictionary, for each value it takes the list. It iterates though the list in reverse prefix no, sending each command to the ASA. On the second iteration of the list it appends log to the end and sends it to the ASA.

 

Here it is:

 

#!/usr/bin/env python3
import getpass
import csv
import netmiko
import paramiko
import re
from argparse import ArgumentParser

ACL_REGEX = "access-list\s(?P<acl_name>\S*?)\s"


def process_acls(intput_acls):
    all_acls_dict = {}

    acls = intput_acls.split("\n")

    for acl in acls:
        match = re.match(ACL_REGEX, acl)

        if match:
            if match.group("acl_name") not in all_acls_dict:
                all_acls_dict[match.group("acl_name")] = []
            all_acls_dict[match.group("acl_name")].append(acl)
return all_acls_dict
def main(): parser = ArgumentParser(description='Arguments for running asa_acl_add_log') parser.add_argument('-c', '--csv', required=True, action='store', help='Location of CSV file') args = parser.parse_args() ssh_username = input("SSH username: ") ssh_password = getpass.getpass('SSH Password: ') with open(args.csv, "r") as file: reader = csv.DictReader(file) for device_row in reader: try: ssh_session = netmiko.ConnectHandler(device_type='cisco_ios', ip=device_row['device_ip'], username=ssh_username, password=ssh_password) print("+++++ {0} +++++".format(device_row['device_ip'])) ssh_session.send_command("terminal length 0") acl_output = ssh_session.send_command("sh run | inc access-list") for acl_name in acl_output: for acl in reversed(acl_output[acl_name]): ssh_session.send_command("no {0}".format(acl)) for acl in acl_output[acl_name]: ssh_session.send_command("{0} log".format(acl)) ssh_session.disconnect() except (netmiko.ssh_exception.NetMikoTimeoutException, netmiko.ssh_exception.NetMikoAuthenticationException, paramiko.ssh_exception.SSHException) as s_error: print(s_error) if __name__ == "__main__": main()

 

 

https://github.com/sebrupik/csc_scripts/blob/master/asa_acl_add_log.py

 

I've done some limited testing on the input processing, but I don't currently have access to an ASA at this location so can't test it in its entirety...so it may need some tweaking.

 

Let me know how it works :)

 

cheers,

Seb.

 

Highlighted

Thanks, I'll send it to him and see what he can make of it!
Highlighted

If you script doesn't remove the end of this line when gathering the acl it will fail when doing a NO (hitcnt=1288461) 0xd4c53b6e

access-list test_access_in line 3 extended permit tcp object testsystem1 object testsystem2 object-group testports (hitcnt=1288461) 0xd4c53b6e
Highlighted

hmmmm, line wrap!

OK, under the "terminal length 0" command, add the following:

ssh_session.send_command("terminal width 510")

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/T-Z/cmdref4/t1.html#pgfId-1561966

 

....Let me know if it works :)

 

cheers,

Seb.

Highlighted

Just noticed, since it is an ASA it should be 'terminal pager 0" and not "terminal length 0"

...also before the disconnect you may want to add the following:
ssh_session.send_command("terminal pager 24")
ssh_session.send_command("terminal width 80")

I'll update the github repo tonight.
Content for Community-Ad