ASA NED and ACL rule placement

Ben Kelly
Cisco Employee

I'm developing a Python based service to manage an ACL. I need to put particular ACL rule entries at particular places. I've seen from the dry-run as well as this template:

https://github.com/NSO-developer/nso-firewall-services/blob/master/templates/firewall-rule.xml

that functionality to do this has been added. What's not clear to me is how to set my Python variables to ensure I can control where a new entry is placed within the ACL order.

Can someone provide me with some examples?

Accepted Solution

gschudel
Cisco Employee

I replied off-line to Ben, but for the benefit of others, I gave this as an "example" -- using ASA NETSIM...

** I have some rules and I want to "insert" a new one somewhere in the list. We can check the CLI to see how the NED wants to handle this...

admin@ncs% insert rule
Possible completions:
  <WORD>                                  - quoted rule beginning with: remark|standard|extended|webtype, followed by options (e.g. log|inactive). For example: "extended permit tcp any any" log
  remark - this is the inside out traffic -
  extended permit ip host 10.1.1.10 any   -
  extended permit ip host 10.1.1.12 any   -
  extended permit ip host 10.1.1.14 any   -
  remark - this is the hr admin address   -
  extended permit ip host 10.1.1.40 any   -
admin@ncs% insert rule "extended permit tcp port 80 host any" ?
Possible completions:
  after  before  first  last
admin@ncs% insert rule "extended permit tcp port 80 host any" before ?
Possible completions:
  remark - this is the inside out traffic
  extended permit ip host 10.1.1.10 any
  extended permit ip host 10.1.1.12 any
  extended permit ip host 10.1.1.14 any
  remark - this is the hr admin address       <---------let's pick this to "insert before" this remark...
  extended permit ip host 10.1.1.40 any
admin@ncs% insert rule "extended permit tcp port 80 host any" before "remark - this is the hr admin address"
[ok][2017-09-30 10:06:37]

[edit devices device asa0 config access-list access-list-id Corona]
admin@ncs% commit dry-run
cli {
    local-node {
        data  devices {
                  device asa0 {
                      config {
                          asa:access-list {
                              access-list-id Corona {
             +                    # after rule "extended permit ip host 10.1.1.14 any"       <--- the NED decided this...
             +                    rule "extended permit tcp port 80 host any";
                              }
                          }
                      }
                  }
              }
    }
}
[ok][2017-09-30 10:06:40]

[edit devices device asa0 config access-list access-list-id Corona]
admin@ncs% commit dry-run outformat xml    <--------------- Look at the XML to see how...
result-xml {
    local-node {
        data <devices xmlns="http://tail-f.com/ns/ncs">
               <device>
                 <name>asa0</name>
                 <config>
                   <access-list xmlns="http://cisco.com/ned/asa">
                     <access-list-id>
                       <id>Corona</id>
                       <rule xmlns:yang="urn:ietf:params:xml:ns:yang:1"
                             xmlns:ncs="http://tail-f.com/ns/ncs"
                             yang:insert="after"
                             yang:key="[ncs:id='extended permit ip host 10.1.1.14 any']">
                         <id>extended permit tcp port 80 host any</id>
                       </rule>
                     </access-list-id>
                   </access-list>
                 </config>
               </device>
             </devices>
    }
}
[ok][2017-09-30 10:06:45]

[edit devices device asa0 config access-list access-list-id Corona]
admin@ncs%

That's it - a small example
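The dry-run above is the whole answer to the original question: NSO expresses placement in an ordered-by-user list with a `yang:insert` attribute (first, last, before, after) and, for before/after, a `yang:key` predicate naming the existing rule. The following is an added example written for this thread, not code from either poster or from the NSO project. It builds that same `<devices>` payload from Python with the standard library only, resolves a CLI-style placement into the insert/key pair a service would hand to its template, and previews the resulting ACL order so you can check first-match semantics before committing. The function names, the constructed copy of the "Corona" ACL, and the rule that "before X" is rewritten to "after the predecessor of X" (the dry-run shows that rewrite for one case; treating it as general is this example's assumption) are all this example's own.

```python
"""Place a rule at an explicit position in an ASA NED access-list from Python.

Added example for this thread, not code from the original post or from the
NSO project. It builds the same <devices> payload the "commit dry-run outformat
xml" output above shows, with the yang:insert / yang:key attributes on <rule>
that tell NSO where the entry goes in the ordered-by-user list.
"""
import xml.etree.ElementTree as ET

NCS = "http://tail-f.com/ns/ncs"        # namespaces taken from the dry-run XML
ASA = "http://cisco.com/ned/asa"
YANG = "urn:ietf:params:xml:ns:yang:1"
for _prefix, _uri in (("ncs", NCS), ("asa", ASA), ("yang", YANG)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample: the ACL "Corona" exactly as the transcript lists it.
CORONA_RULES = [
    "remark - this is the inside out traffic",
    "extended permit ip host 10.1.1.10 any",
    "extended permit ip host 10.1.1.12 any",
    "extended permit ip host 10.1.1.14 any",
    "remark - this is the hr admin address",
    "extended permit ip host 10.1.1.40 any",
]


def resolve_placement(rules, where, anchor=None):
    """Map a CLI-style placement onto the (insert, key) pair carried in the payload.

    where  : 'first' | 'last' | 'before' | 'after'
    anchor : id of an existing rule (required for before/after, forbidden otherwise)
    ASSUMPTION: 'before X' is rewritten to 'after <predecessor of X>' (or 'first'
    when X leads the list). The dry-run above shows that rewrite for one case; this
    example treats it as the general rule so a later diff reads the same way.
    """
    if where in ("first", "last"):
        if anchor is not None:
            raise ValueError(f"'{where}' takes no anchor rule")
        return where, None
    if where not in ("before", "after"):
        raise ValueError(f"unknown placement {where!r}")
    if anchor not in rules:
        raise ValueError(f"anchor rule is not in the ACL: {anchor!r}")
    if where == "after":
        return "after", anchor
    idx = rules.index(anchor)
    return ("first", None) if idx == 0 else ("after", rules[idx - 1])


def preview_order(rules, rule_id, insert, key=None):
    """Return the ACL order the payload would produce. ASA ACLs are first-match, so
    review this before committing: a permit that lands above a deny widens policy."""
    new = [r for r in rules if r != rule_id]
    if insert == "first":
        return [rule_id] + new
    if insert == "last":
        return new + [rule_id]
    if key is None:
        raise ValueError("before/after need the key of an existing rule")
    pos = new.index(key) + (1 if insert == "after" else 0)
    new.insert(pos, rule_id)
    return new


def build_rule_payload(device, acl_id, rule_id, insert, key=None):
    """Build the <devices> edit that adds one rule at the requested position."""
    devices = ET.Element(f"{{{NCS}}}devices")
    dev = ET.SubElement(devices, f"{{{NCS}}}device")
    ET.SubElement(dev, f"{{{NCS}}}name").text = device
    config = ET.SubElement(dev, f"{{{NCS}}}config")
    acl = ET.SubElement(config, f"{{{ASA}}}access-list")
    entry = ET.SubElement(acl, f"{{{ASA}}}access-list-id")
    ET.SubElement(entry, f"{{{ASA}}}id").text = acl_id
    rule = ET.SubElement(entry, f"{{{ASA}}}rule")
    rule.set(f"{{{YANG}}}insert", insert)
    if insert in ("before", "after"):
        if key is None:
            raise ValueError("before/after need the key of an existing rule")
        if "'" in key:  # the key is an XPath predicate; a quote would break it
            raise ValueError("rule id contains a single quote")
        rule.set(f"{{{YANG}}}key", f"[ncs:id='{key}']")
    ET.SubElement(rule, f"{{{ASA}}}id").text = rule_id
    return devices


def insert_rule_xml(device, acl_id, rules, rule_id, where, anchor=None):
    """Resolve the placement, build the payload, return (xml_text, resulting order)."""
    insert, key = resolve_placement(rules, where, anchor)
    payload = build_rule_payload(device, acl_id, rule_id, insert, key)
    return ET.tostring(payload, encoding="unicode"), preview_order(rules, rule_id, insert, key)


if __name__ == "__main__":
    text, order = insert_rule_xml(
        "asa0", "Corona", CORONA_RULES,
        "extended permit tcp port 80 host any",
        "before", "remark - this is the hr admin address",
    )
    print(text)
    print("\n".join(f"{i:2d}  {r}" for i, r in enumerate(order)))
```

Running the block reproduces the transcript's case: "before the hr remark" becomes `yang:insert="after"` with `yang:key="[ncs:id='extended permit ip host 10.1.1.14 any']"`, and the preview shows the new rule at position 4, between the 10.1.1.14 entry and the remark. The quote check on the key is this example's own input validation; rule ids reach the XPath predicate verbatim, so anything that can break the predicate should be rejected before it reaches a commit.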
