
Mailing List Archive: Cisco: NSP

Cisco ASA - Export rules

 

 



artur at css

Aug 19, 2008, 1:56 PM

Post #1 of 5 (2570 views)
Cisco ASA - Export rules

Hi,

I would like to export the ASA rules to a HTML file (without using ASDM).

Does anyone know a way (script?) to parse the ACLs and export to HTML?


Tks
Artur

_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


RTeller at deltadentalwa

Aug 19, 2008, 4:09 PM

Post #2 of 5 (2532 views)
Re: Cisco ASA - Export rules [In reply to]

I use this script to parse my PIX ACLs and export them to an Excel file.



#########################################################
The information contained in this e-mail and subsequent attachments may be privileged,
confidential and protected from disclosure. This transmission is intended for the sole
use of the individual and entity to whom it is addressed. If you are not the intended
recipient, any dissemination, distribution or copying is strictly prohibited. If you
think that you have received this message in error, please e-mail the sender at the above
e-mail address.
#########################################################


RTeller at deltadentalwa

Aug 19, 2008, 4:18 PM

Post #3 of 5 (2532 views)
Re: Cisco ASA - Export rules [In reply to]

'Created by Robert Teller
WScript.Echo "This script will take a minute or two to run" & vbCrLf & "Please be patient"

Const ForReading = 1

'Expects exactly one argument: a text file holding saved "show access-list" output
WSArg = WScript.Arguments.Count

If WSArg <> 1 Then
    WScript.Echo "Please select a valid source"
    WScript.Quit
End If

PixACL = WScript.Arguments.Item(0)

Set ObjExcel = CreateObject("Excel.Application")
'Suppress Excel's "permanently delete this sheet?" prompts so the script can run unattended
ObjExcel.DisplayAlerts = False
Set FSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = FSO.OpenTextFile(PixACL, ForReading)

'Names the Excel file after the script and places it in the script's own directory
EName = Split(WScript.ScriptName, ".")(0) & ".xls"
EName = Replace(WScript.ScriptFullName, WScript.ScriptName, EName)

If FSO.FileExists(EName) Then FSO.DeleteFile(EName)

ObjExcel.Workbooks.Add
ObjExcel.Worksheets.Add.Name = "Main"

XRules = 0

'Remove the workbook's default sheets so only the ones created here remain
For Each Sheet In ObjExcel.Worksheets
    If Sheet.Name <> "Main" Then
        Sheet.UsedRange.Delete
        Sheet.Delete
    End If
Next

ObjExcel.Worksheets.Add.Name = "Rules"
ObjExcel.Worksheets("Rules").Move ObjExcel.Sheets(2)
'Header row of the Rules sheet
Rules "DMZ", "Line", "Action", "Protocol", "Source", "SrcPort", "dest", "DstPort", "HitC", "Inactive", "LogLevel", "LogInterval"
' ObjExcel.Worksheets("Rules").Activate
' ObjExcel.Cells(1,1).Value = "DMZ"          'acl_dmzname
' ObjExcel.Cells(1,2).Value = "Line #"       'line ###
' ObjExcel.Cells(1,3).Value = "Action"       'Permit/deny
' ObjExcel.Cells(1,4).Value = "Protocol"     'ICMP/TCP/UDP
' ObjExcel.Cells(1,5).Value = "Source"
' ObjExcel.Cells(1,6).Value = "Destination"
' ObjExcel.Cells(1,7).Value = "Port #"       'http/https.....
' ObjExcel.Cells(1,8).Value = "Hit Count"    'hitcnt=...
' ObjExcel.Cells(1,9).Value = "Inactive"     'hitcnt=...

'Read the whole file into one string. Every line of "show access-list" output starts
'with "access-list ", so the individual entries are split back apart on that prefix.
Do Until objTextFile.AtEndOfStream
    If IsEmpty(Text) Then
        Text = objTextFile.ReadLine
        Text = Replace(Text, "access-list ", "")
    Else
        Text = Text & objTextFile.ReadLine
    End If
Loop

AclArray = Split(Text, "access-list ")

For Each AccessList In AclArray
    'Make sure the entry is a real ACL line and not a remark
    ACLCheck = Split(AccessList, " ")
    If UBound(ACLCheck) > 3 Then
        If ACLCheck(3) <> "remark" Then
            PixParse AccessList
        End If
    End If
Next

'All entries parsed: format the sheets and save the workbook
Finish

Sub PixParse(ACL)
    'Converts object-group to Group
    If InStr(ACL, "object-group") Then ACL = Replace(ACL, "object-group", "Group")

    'Checks if the ACL entry is inactive
    If InStr(ACL, " inactive ") Then
        Inactive = True
        ACL = Replace(ACL, " inactive", "")
    End If

    'Extract and then remove the logging information from the entry
    If InStrRev(ACL, " log ") And InStrRev(ACL, " interval ") Then
        'Checks for matching log level
        LogLevelB = InStr(ACL, " log ") + 5
        LogLevelE = InStr(LogLevelB, ACL, " ")
        LogLevel = Mid(ACL, LogLevelB, LogLevelE - LogLevelB)

        LogIntervalB = InStr(LogLevelE, ACL, " interval ") + 10
        LogIntervalE = InStr(LogIntervalB, ACL, " ")
        LogInterval = Mid(ACL, LogIntervalB, LogIntervalE - LogIntervalB)

        ACL = Replace(ACL, " log " & LogLevel & " interval " & LogInterval, " ")
    End If

    '########### DMZ ###########
    'The ACL name is everything up to the first space (the trailing space is kept)
    DMZ = InStr(ACL, " ")
    DMZ = Left(ACL, DMZ)
    '########### DMZ ###########

    '########### Line ###########
    LineB = InStr(ACL, " line ") + 6
    LineE = InStr(LineB, ACL, " ")
    Line = "Line " & Mid(ACL, LineB, LineE - LineB)
    '########### Line ###########

    '########### Action ###########
    If InStr(ACL, "deny") Then
        Action = "Deny"
    ElseIf InStr(ACL, "permit") Then
        Action = "Permit"
    Else
        Action = "Other"
    End If
    '########### Action ###########

    '########### Protocol ###########
    'Token 5 of "name line N extended permit PROTO ..."
    Protocol = Split(ACL, " ")(5)
    '########### Protocol ###########

    '########### Src Host ###########
    'Determine if src is Host, Subnet or Any
    SrcHost = Split(ACL, " ")(6)
    Select Case SrcHost
        Case "host"
            SourceB = InStr(ACL, " host ") + 6
            SourceE = InStr(SourceB, ACL, " ")
            Source = "Host " & Mid(ACL, SourceB, SourceE - SourceB)
        Case "Group"
            SourceB = InStr(ACL, " Group ") + 7
            SourceE = InStr(SourceB, ACL, " ")
            Source = "Group " & Mid(ACL, SourceB, SourceE - SourceB)
        Case "any"
            Source = "Any"
            SourceE = InStr(ACL, SrcHost) + Len(SrcHost)
        Case Else
            'Network and mask: two tokens
            SourceB = InStr(ACL, SrcHost)
            SourceE = InStr(SourceB, ACL, " ") + 1
            SourceE = InStr(SourceE, ACL, " ")
            Source = Mid(ACL, SourceB, SourceE - SourceB)
    End Select
    '########### Src Host ###########

    '########### Src Port ###########
    If Source = "Any" Then
        If Split(ACL, " ")(7) = "eq" Then
            SrcPortB = InStr(SourceE, ACL, " eq ") + 4
            SrcPortE = InStr(SrcPortB, ACL, " ")
            SrcPort = "eq " & Mid(ACL, SrcPortB, SrcPortE - SrcPortB)
        ElseIf Split(ACL, " ")(7) = "range" Then
            SrcPortB = InStr(SourceE, ACL, " range ") + 7
            SrcPortE = InStr(SrcPortB, ACL, " ") + 1
            SrcPortE = InStr(SrcPortE, ACL, " ")
            SrcPort = "range " & Mid(ACL, SrcPortB, SrcPortE - SrcPortB)
        Else
            SrcPortE = SourceE
            SrcPort = "Any"
        End If
    ElseIf Split(ACL, " ")(8) = "eq" Or Split(ACL, " ")(8) = "range" Then
        If Split(ACL, " ")(8) = "eq" Then
            SrcPortB = InStr(SourceE, ACL, " eq ") + 4
            SrcPortE = InStr(SrcPortB, ACL, " ")
            SrcPort = "eq " & Mid(ACL, SrcPortB, SrcPortE - SrcPortB)
        ElseIf Split(ACL, " ")(8) = "range" Then
            SrcPortB = InStr(SourceE, ACL, " range ") + 7
            SrcPortE = InStr(SrcPortB, ACL, " ") + 1
            SrcPortE = InStr(SrcPortE, ACL, " ")
            SrcPort = "range " & Mid(ACL, SrcPortB, SrcPortE - SrcPortB)
        End If
    Else
        SrcPortE = SourceE
        SrcPort = "Any"
    End If
    '########### Src Port ###########

    '########### Dst Host ###########
    'Check if source ports are used
    If SourceE = SrcPortE Then
        'Determine if dst is Host, Subnet or Any
        If Source = "Any" Then
            DstHost = Split(ACL, " ")(7)
            Select Case DstHost
                Case "host"
                    DestB = InStr(SrcPortE, ACL, " host ") + 6
                    DestE = InStr(DestB, ACL, " ")
                    Dest = "Host " & Mid(ACL, DestB, DestE - DestB)
                Case "Group"
                    DestB = InStr(SrcPortE, ACL, " Group ") + 7
                    DestE = InStr(DestB, ACL, " ")
                    Dest = "Group " & Mid(ACL, DestB, DestE - DestB)
                Case "any"
                    Dest = "Any"
                    DestE = InStr(SrcPortE, ACL, DstHost) + Len(DstHost)
                Case Else
                    DestB = InStr(SrcPortE, ACL, DstHost)
                    DestE = InStr(DestB, ACL, " ") + 1
                    DestE = InStr(DestE, ACL, " ")
                    Dest = Mid(ACL, DestB, DestE - DestB)
            End Select
        Else 'If Left(Source, 4) = "Host" Then
            DstHost = Split(ACL, " ")(8)
            Select Case DstHost
                Case "host"
                    DestB = InStr(SrcPortE, ACL, " host ") + 6
                    DestE = InStr(DestB, ACL, " ")
                    Dest = "Host " & Mid(ACL, DestB, DestE - DestB)
                Case "Group"
                    DestB = InStr(SrcPortE, ACL, " Group ") + 7
                    DestE = InStr(DestB, ACL, " ")
                    Dest = "Group " & Mid(ACL, DestB, DestE - DestB)
                Case "any"
                    Dest = "Any"
                    DestE = InStr(SrcPortE, ACL, DstHost) + Len(DstHost)
                Case Else
                    DestB = InStr(SrcPortE, ACL, DstHost)
                    DestE = InStr(DestB, ACL, " ") + 1
                    DestE = InStr(DestE, ACL, " ")
                    Dest = Mid(ACL, DestB, DestE - DestB)
            End Select
        End If
    End If

    'Source ports were present: the destination starts after the source port spec
    If SourceE <> SrcPortE Then
        DestB = InStr(SrcPortE, ACL, " ") + 1
        DestE = InStr(DestB, ACL, " ")
        DstHost = Mid(ACL, DestB, DestE - DestB)
        Select Case DstHost
            Case "host"
                DestB = InStr(DestE, ACL, " ") + 1
                DestE = InStr(DestB, ACL, " ")
                Dest = "Host " & Mid(ACL, DestB, DestE - DestB)
                DestE = DestE - 1
            Case "Group"
                DestB = InStr(DestE, ACL, " ") + 1
                DestE = InStr(DestB, ACL, " ")
                Dest = "Group " & Mid(ACL, DestB, DestE - DestB)
                DestE = DestE - 1
            Case "any"
                'Debugging output, left commented out:
                'If DMZ = "acl_guest " Then
                '    WScript.Echo "DST HOST"
                '    WScript.Echo DestE & vbTab & Len(DstHost)
                '    Test = InStr(DestE, ACL, DstHost)
                '    WScript.Echo Test
                'End If
                Dest = "Any"
                'DestE = InStr(DestE, ACL, DstHost) + Len(DstHost)
            Case Else
                DestB = InStr(DestE, ACL, DstHost)
                DestE = InStr(DestB, ACL, " ") + 1
                DestE = InStr(DestE, ACL, " ")
                Dest = Mid(ACL, DestB, DestE - DestB)
        End Select
    End If
    '########### Dst Host ###########

    '########### Hit Count ###########
    If InStr(ACL, "(hitcnt=") Then
        HitB = InStr(ACL, "(hitcnt=") + 8
        HitE = InStr(ACL, ")")
        HitC = Mid(ACL, HitB, HitE - HitB)
        HitB = HitB - 8
    Else
        HitB = InStrRev(ACL, " ")
        HitC = "N/A"
    End If
    '########### Hit Count ###########

    '########### Dst Port ###########
    'Whatever sits between the destination and "(hitcnt=" is the destination port spec
    DstPortB = DestE + 1
    DstPortE = HitB
    DstPort = Mid(ACL, DstPortB, DstPortE - DstPortB)
    'If DMZ = "acl_guest " Then
    '    WScript.Echo DstPortB & vbTab & DstPortE
    'End If
    'Mid never returns Empty or Null, so test for an empty string to default to Any
    If Trim(DstPort) = "" Then DstPort = "Any"
    '########### Dst Port ###########

    'WScript.Echo DMZ & vbTab & Line & vbTab & Action & vbTab & Protocol & vbTab & Source & vbTab & SrcPort & vbTab & Dest & vbTab & DstPort & vbTab & HitC & vbTab & Inactive & vbTab & LogLevel & vbTab & LogInterval
    Rules DMZ, Line, Action, Protocol, Source, SrcPort, Dest, DstPort, HitC, Inactive, LogLevel, LogInterval

    'Reset the per-entry variables (they are script-global) before the next entry
    LogIntervalB = Null
    LogIntervalE = Null
    LogInterval = Null
    LogLevelB = Null
    LogLevelE = Null
    LogLevel = Null
    DMZ = Null
    Action = Null
    Port = Null
    PortB = Null
    PortE = Null
    SrcHost = Null
    SourceB = Null
    SourceE = Null
    Source = Null
    SrcPortB = Null
    SrcPortE = Null
    SrcPort = Null
    DstHost = Null
    DestB = Null
    DestE = Null
    Dest = Null
    DstPortB = Null
    DstPortE = Null
    DstPort = Null
    HitB = Null
    HitE = Null
    HitC = Null
    Inactive = False
End Sub


'Appends one row to the Rules sheet
Sub Rules(DMZ, Line, Action, Protocol, Source, SrcPort, Dest, DstPort, HitC, Inactive, LogLevel, LogInterval)
    XRules = 1 + XRules
    ObjExcel.Worksheets("Rules").Activate
    ObjExcel.Cells(XRules, 1).Value = DMZ             'ACL the rule is applied to
    ObjExcel.Cells(XRules, 2).Value = Line            'Line number
    ObjExcel.Cells(XRules, 3).Value = Action          'Action
    ObjExcel.Cells(XRules, 4).Value = Protocol        'Protocol
    ObjExcel.Cells(XRules, 5).Value = Source          'Source
    ObjExcel.Cells(XRules, 6).Value = SrcPort         'Source port
    ObjExcel.Cells(XRules, 7).Value = Dest            'Destination
    ObjExcel.Cells(XRules, 8).Value = DstPort         'Destination port
    ObjExcel.Cells(XRules, 9).Value = HitC            'Hit count
    ObjExcel.Cells(XRules, 10).Value = Inactive       'Status of rule
    ObjExcel.Cells(XRules, 11).Value = LogLevel       'Logging level
    ObjExcel.Cells(XRules, 12).Value = LogInterval    'Logging interval
End Sub


'Formats every sheet (bold, filtered, centred header; frozen panes) and saves the workbook
Sub Finish
    objTextFile.Close
    ObjExcel.Worksheets("Main").UsedRange.Delete
    ObjExcel.Worksheets("Main").Delete
    For Each Sheet In ObjExcel.Worksheets
        ObjExcel.Worksheets(Sheet.Name).Activate
        ObjExcel.Worksheets(Sheet.Name).Rows(1).Font.Bold = True
        ObjExcel.Worksheets(Sheet.Name).Rows(1).AutoFilter
        ObjExcel.Worksheets(Sheet.Name).Rows(1).HorizontalAlignment = -4108 'xlCenter
        ObjExcel.Worksheets(Sheet.Name).UsedRange.EntireColumn.AutoFit
        ObjExcel.Worksheets(Sheet.Name).Range("B2").Select
        ObjExcel.ActiveWindow.FreezePanes = True
        ObjExcel.Worksheets(Sheet.Name).Range("A1").Select
    Next
    ObjExcel.Worksheets("Rules").Activate
    ObjExcel.ActiveWorkbook.SaveAs EName
    ObjExcel.ActiveWorkbook.Close
    ObjExcel.Quit

    WScript.Echo "END"

    WScript.Quit
End Sub



christian at broknrobot

Aug 19, 2008, 4:35 PM

Post #4 of 5 (2525 views)
Re: Cisco ASA - Export rules [In reply to]

You could use nipper, which is a config auditor, so it will audit your
security policy and configuration, and you have the option to export
to XML, HTML, etc.

http://sourceforge.net/projects/nipper/?abmode=1





cchurc05 at harris

Aug 19, 2008, 6:44 PM

Post #5 of 5 (2532 views)
Re: Cisco ASA - Export rules [In reply to]

In ASDM, there is a button under File called "Show running configuration
in a new window". That opens up a browser window with a URL something
like:
https://X.Y.Z.6/admin/exec/show%20running-config/show%20running-config%20asdm#
that shows the whole running config.

Probably nothing you couldn't get from an SSH session or expect script.
Use grep or find on "access-list" and that should be it.

Chuck

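Both Robert's VBScript (post #3) and Chuck's "grep on access-list" suggestion (post #5) come down to parsing saved "show access-list" output field by field. The following Python script is an added example, not code from the thread, that does the same job and writes the HTML table Artur asked for. The sample output, the regular expression, the field names and the is_overly_permissive() check are this example's own constructions; it also treats an object-group that directly follows the source address as the destination, because without the group definitions a service group cannot be distinguished from a network group. Two points worth noting for anyone turning ACL dumps into a web page: every cell is HTML-escaped, since ACL names and remark text are free text typed by administrators, and active permit entries with source and destination both "any" are marked so they stand out in a review.

```python
"""Parse Cisco ASA/PIX "show access-list" output into an HTML table (added example)."""
import html
import re
import sys
# Constructed sample of "show access-list" output; names, addresses and hashes are made up.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list acl_dmz; 4 elements; name hash: 0x1b2c3d4e
access-list acl_dmz line 1 remark Web tier -> database (ticket CHG-0000)
access-list acl_dmz line 2 extended permit tcp host 10.1.1.10 host 10.2.2.20 eq 1433 (hitcnt=1204) 0x1a2b3c4d
access-list acl_dmz line 3 extended permit udp object-group DMZ_SERVERS any eq domain log warnings interval 600 (hitcnt=88) 0x0badcafe
access-list acl_dmz line 4 extended deny ip any any log (hitcnt=3) 0x0fee1bad
access-list acl_guest line 1 extended permit tcp 192.168.50.0 255.255.255.0 range 1024 65535 any eq www inactive (hitcnt=0) 0x00112233
"""
# One ACE or remark: access-list NAME line N [extended] permit|deny|remark ... [(hitcnt=N)] [0xHASH]
RULE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?:(?:extended|standard|webtype) )?"
    r"(?P<body>(?:permit|deny|remark) .*?)(?: \(hitcnt=(?P<hitcnt>\d+)\))?(?: 0x[0-9a-fA-F]+)?$")
PORT_OPS = ("eq", "gt", "lt", "neq")
ADDR_KEYWORDS = ("host", "object-group", "object", "interface")
COLUMNS = ("acl", "line", "action", "protocol", "src", "sport", "dst", "dport",
           "hitcnt", "inactive", "log_level", "log_interval", "extra", "remark")

def _take_addr(tokens):
    """Consume one address: host X | object-group G | object O | any* | NET MASK | v6 prefix."""
    t = tokens.pop(0)
    if t in ADDR_KEYWORDS:
        return f"{t} {tokens.pop(0)}"
    if t.startswith("any") or "/" in t or ":" in t:
        return t
    return f"{t} {tokens.pop(0)}"  # IPv4 network followed by its mask

def _take_port(tokens):
    """Consume an optional port qualifier (eq/gt/lt/neq PORT or range LO HI); '' if absent."""
    if tokens and tokens[0] in PORT_OPS:
        op = tokens.pop(0)
        return f"{op} {tokens.pop(0)}"
    if tokens and tokens[0] == "range":
        tokens.pop(0)
        lo = tokens.pop(0)
        return f"range {lo}-{tokens.pop(0)}"
    return ""

def parse_rule(line):
    """Return a dict for one ACE/remark line, or None for header and summary lines."""
    m = RULE_RE.match(line.strip())
    if m is None:
        return None
    row = {"acl": m["acl"], "line": int(m["line"]),
           "hitcnt": int(m["hitcnt"]) if m["hitcnt"] is not None else None}
    tokens = m["body"].split()
    row["action"] = tokens.pop(0)
    if row["action"] == "remark":
        row["remark"] = " ".join(tokens)
        return row
    row["protocol"] = tokens.pop(0)
    row["src"] = _take_addr(tokens)
    row["sport"] = _take_port(tokens)
    # Limitation: an object-group right after the source is read as the destination (it could be a service group).
    row["dst"] = _take_addr(tokens)
    row["dport"] = _take_port(tokens)
    row.update(log=False, log_level="", log_interval="", inactive=False)
    extra = []  # anything else (e.g. an ICMP type) is kept verbatim
    while tokens:
        t = tokens.pop(0)
        if t == "log":
            row["log"] = True
            if tokens and tokens[0] not in ("interval", "inactive"):
                row["log_level"] = tokens.pop(0)   # e.g. warnings, disable, default
            if tokens and tokens[0] == "interval":
                tokens.pop(0)
                row["log_interval"] = tokens.pop(0)
        elif t == "inactive":
            row["inactive"] = True
        else:
            extra.append(t)
    row["extra"] = " ".join(extra)
    return row

def parse_show_access_list(text):
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]

def is_overly_permissive(row):
    """Flag an active permit whose source and destination are both any/any4/any6."""
    return (row["action"] == "permit" and not row.get("inactive")
            and row["src"].startswith("any") and row["dst"].startswith("any"))

def to_html(rows):
    """Render rows as an HTML table; every cell is escaped because ACL names and remarks are free text."""
    cell = lambda v: "" if v is None else html.escape(str(v))
    out = ['<table border="1">', "<tr>" + "".join(f"<th>{c}</th>" for c in COLUMNS) + "</tr>"]
    for r in rows:
        cls = ' class="permissive"' if is_overly_permissive(r) else ""
        out.append(f"<tr{cls}>" + "".join(f"<td>{cell(r.get(c))}</td>" for c in COLUMNS) + "</tr>")
    out.append("</table>")
    return "\n".join(out)

if __name__ == "__main__":
    # Usage: python asa_acl_to_html.py saved_show_access_list.txt > acl.html
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHOW_ACCESS_LIST
    print(to_html(parse_show_access_list(text)))
```

Save the output of "show access-list" from an SSH session to a file and pass its path as the only argument; with no argument the built-in constructed sample is rendered, so the script can be tried before pointing it at a real dump.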
