04-01-2019 07:42 AM
Hello, I have to edit every access list we have on our ASA to include the LOG statement at the end and then turn off some syslog messages so that our syslog server only shows Permits and Denies, not opens and closed messages.
I have many contexts, and thousands of lines of ACLs. I have to remove them in reverse order and then remove the hit count at the end of the ACL along with the hex code. Is there an easy way to do this?
i.e.:
This
access-list test_access_in line 3 extended permit tcp object testsystem1 object testsystem2 object-group testports (hitcnt=1288461) 0xd4c53b6e
Will end up like this..
no access-list test_access_in line 3 extended permit tcp object testsystem1 object testsystem2 object-group testports
access-list test_access_in line 3 extended permit tcp object testsystem1 object testsystem2 object-group testports log
Any thoughts on how this could be done without a ton of effort?
04-01-2019 08:43 AM
Hi there,
I hope you are planning to script this?!
A Python script could SSH onto the device, output the running config, parse it with a regex filter to find the ACLs, group them by name and store them in lists, then iterate through each list in reverse, prefixing each element with 'no' and sending the command, then iterate through the list in the other direction, appending 'log' to the end of each element before sending it.
Unless someone comes up with a more standard method or a script of their own, I'll see if I can come up with the bare bones of the above this evening.
cheers,
Seb.
04-01-2019 09:57 AM
Thanks for the reply. Unfortunately I'm not a scripting expert and never use Python. One of my co-workers does a lot with it though so I can run it by him.
It's definitely a lot of work to do manually.
Chris
04-01-2019 02:36 PM
OK, you might want to run the following script past your co-worker. For input it takes a CSV of the format:
device_ip
192.168.0.1
192.168.0.2
192.168.0.3
#python3 asa_acl_add_log.py -c asa_ips.csv
The script will then prompt you for a username and password, which will then be used for each device login. It will collect the output from sh run | inc access-list, then parse each line with a regex query; this builds a dictionary-based data structure:
{"OUTSIDE": [<ace01>, <ace02>], "INSIDE": [<ace01>, <ace02>, <ace03>] }
It then iterates through the dictionary, taking the list for each value. It iterates through the list in reverse, prefixing 'no' and sending each command to the ASA. On the second pass through the list it appends 'log' to the end and sends it to the ASA.
Here it is:
#!/usr/bin/env python3
import getpass
import csv
import netmiko
import paramiko
import re
from argparse import ArgumentParser

# Captures the ACL name at the start of each "access-list <name> ..." line
ACL_REGEX = r"access-list\s(?P<acl_name>\S*?)\s"


def process_acls(input_acls):
    """Group the access-list lines by ACL name: {"OUTSIDE": [ace, ...], ...}"""
    all_acls_dict = {}
    acls = input_acls.split("\n")
    for acl in acls:
        match = re.match(ACL_REGEX, acl)
        if match:
            if match.group("acl_name") not in all_acls_dict:
                all_acls_dict[match.group("acl_name")] = []
            all_acls_dict[match.group("acl_name")].append(acl)
    return all_acls_dict


def main():
    parser = ArgumentParser(description='Arguments for running asa_acl_add_log')
    parser.add_argument('-c', '--csv', required=True, action='store', help='Location of CSV file')
    args = parser.parse_args()
    ssh_username = input("SSH username: ")
    ssh_password = getpass.getpass('SSH Password: ')
    with open(args.csv, "r") as file:
        reader = csv.DictReader(file)
        for device_row in reader:
            try:
                ssh_session = netmiko.ConnectHandler(device_type='cisco_ios', ip=device_row['device_ip'], username=ssh_username, password=ssh_password)
                print("+++++ {0} +++++".format(device_row['device_ip']))
                ssh_session.send_command("terminal length 0")
                # Parse the raw output into {acl_name: [ace, ...]} before iterating over it
                acl_output = process_acls(ssh_session.send_command("sh run | inc access-list"))
                for acl_name in acl_output:
                    # Remove the entries in reverse order, then re-add each one with 'log'.
                    # These are configuration commands, so they are sent in config mode.
                    commands = ["no {0}".format(acl) for acl in reversed(acl_output[acl_name])]
                    commands += ["{0} log".format(acl) for acl in acl_output[acl_name]]
                    ssh_session.send_config_set(commands)
                ssh_session.disconnect()
            except (netmiko.ssh_exception.NetMikoTimeoutException, netmiko.ssh_exception.NetMikoAuthenticationException, paramiko.ssh_exception.SSHException) as s_error:
                print(s_error)


if __name__ == "__main__":
    main()
https://github.com/sebrupik/csc_scripts/blob/master/asa_acl_add_log.py
I've done some limited testing on the input processing, but I don't currently have access to an ASA at this location so can't test it in its entirety...so it may need some tweaking.
Let me know how it works :)
cheers,
Seb.
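The parsing step for the output Chris actually pasted (show access-list, which carries the line number, the hit counter and the trailing hash) is slightly different from the script above, which reads sh run. The following is an added example, not Seb's script and not part of the original thread: it strips the "(hitcnt=N) 0x..." tail, ignores the indented object-group expansion lines, remark lines and the per-ACL summary lines that show access-list also prints, leaves alone any entry that already logs, and produces the "no" commands in reverse order followed by the re-adds with "log". The sample output, hit counts and hashes are constructed for the example.

```python
import re

# Constructed sample of "show access-list" output (not from the thread); the
# hit counts and hashes are made up for this example.
SAMPLE_OUTPUT = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list test_access_in; 2 elements; name hash: 0x1234abcd
access-list test_access_in line 1 extended permit tcp object testsystem1 object testsystem2 object-group testports (hitcnt=1288461) 0xd4c53b6e
  access-list test_access_in line 1 extended permit tcp host 10.1.1.1 host 10.2.2.2 eq 443 (hitcnt=1288461) 0xaaaabbbb
access-list test_access_in line 2 extended deny ip any any (hitcnt=42) 0x0a0b0c0d
access-list dmz_in; 3 elements; name hash: 0x5678ef01
access-list dmz_in line 1 remark syslog from the DMZ collector
access-list dmz_in line 2 extended permit udp any host 10.0.0.5 eq 514 (hitcnt=7) 0x11223344
access-list dmz_in line 3 extended deny ip any any log informational interval 300 (hitcnt=0) 0x55667788
"""

# One configured ACE per line: the ACE text up to the hit counter, then the
# counter and the trailing hash.  Indented lines (object-group expansions),
# remark lines and the "; N elements" summary lines carry no hitcnt at the
# start of the line and therefore do not match.
ACE_RE = re.compile(
    r"^(?P<ace>access-list\s+(?P<name>\S+)\s+line\s+\d+\s+\S.*?)"
    r"\s*\(hitcnt=\d+\)(?:\s+0x[0-9a-fA-F]+)?\s*$"
)

# An ACE whose text already contains a "log ..." clause needs no change.
ALREADY_LOGGING_RE = re.compile(r"\slog(\s|$)")


def parse_aces(show_access_list_output):
    """Group the configured ACEs by ACL name, in the order the ASA lists them."""
    acls = {}
    for line in show_access_list_output.splitlines():
        match = ACE_RE.match(line)
        if match:
            acls.setdefault(match.group("name"), []).append(match.group("ace"))
    return acls


def build_commands(acls):
    """Per ACL: remove the entries in reverse order, then re-add each with 'log'."""
    commands = []
    for aces in acls.values():
        to_change = [ace for ace in aces if not ALREADY_LOGGING_RE.search(ace)]
        commands.extend("no " + ace for ace in reversed(to_change))
        commands.extend(ace + " log" for ace in to_change)
    return commands


if __name__ == "__main__":
    for command in build_commands(parse_aces(SAMPLE_OUTPUT)):
        print(command)
```

Run it as-is to see the six generated commands for the sample; to use it against a real device, feed the text of show access-list into parse_aces and pass the result of build_commands to a config-mode sender such as netmiko's send_config_set. Skipping the indented expansion lines matters: they are the object-group members the ASA derives from a single configured entry, and sending "no" for them would fail or, worse, not refer to the entry you meant.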
04-10-2019 05:41 AM
04-10-2019 05:46 AM
04-10-2019 06:01 AM
hmmmm, line wrap!
OK, under the "terminal length 0" command, add the following:
ssh_session.send_command("terminal width 510")
....Let me know if it works :)
cheers,
Seb.
04-10-2019 06:04 AM