Skip to content

Commit

Permalink
Updated cisco asa show access-list support with:
Browse files Browse the repository at this point in the history 
- IPv6 entry support issue networktocode#1241
- Fixed icmp traceroute option issue networktocode#1242
  • Loading branch information
@pertoft
pertoft committed Dec 14, 2022
1 parent 8eb554c commit e9e4342
Show file tree
Hide file tree
Showing 3 changed files with 528 additions and 10 deletions.
10 changes: 6 additions & 4 deletions ntc_templates/templates/cisco_asa_show_access-list.textfsm
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,20 +35,22 @@ Value ENTRY_PROTOCOL ([a-z\-]+)
Value ENTRY_SRC_FQDN (\S+)
Value ENTRY_SRC_RANGE_START (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_RANGE_END (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_HOST (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_HOST (\S+)
Value ENTRY_SRC_NETWORK (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_MASK (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_NETWORK6 (\S+)
Value ENTRY_SRC_ANY (any[46]{0,1})
Value ENTRY_SRC_FQDN_STATE (unresolved)
Value ENTRY_DST_FQDN (\S+)
Value ENTRY_DST_RANGE_START (\d+\.\d+\.\d+\.\d+)
Value ENTRY_DST_RANGE_END (\d+\.\d+\.\d+\.\d+)
Value ENTRY_DST_HOST (\S+)
Value ENTRY_DST_NETWORK (\d+\.\d+\.\d+\.\d+)
Value ENTRY_DST_NETWORK6 (\S+)
Value ENTRY_DST_MASK (\d+\.\d+\.\d+\.\d+)
Value ENTRY_DST_ANY (any[46]{0,1})
Value ENTRY_DST_FQDN_STATE (unresolved)
Value ENTRY_ICMP_TYPE (echo-reply|unreachable|echo|time-exceeded)
Value ENTRY_ICMP_TYPE (echo-reply|unreachable|echo|time-exceeded|traceroute)
Value ENTRY_ICMP_CODE (\d+)
Value ENTRY_PORT ([a-z\-]+\s+\d+|[\w\-]+)
Value ENTRY_PORT_LESS_THAN ([a-z\-]+\s+\d+|\w+)
Expand All @@ -63,8 +65,8 @@ Start
^access\-list\s+${ACL_NAME};\s+${ACL_TOT_ELEM}\s+elements;\s+name\s+hash:\s+${ACL_NAME_HASH}\s* -> Record
^access-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+remark\s+${REMARK}\s*$$ -> Record
^access\-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+${TYPE}\s+${ACTION}\s+(object\-group\s+${SVC_OBJECT_GRP}|object\s+${SVC_OBJECT}|${PROTOCOL})\s+(interface\s+${SRC_INTFC}|object\-group\s+${SRC_OBJECT_GRP}|object\s+${SRC_OBJECT}|host\s+${SRC_HOST}|${SRC_NETWORK}\s+${SRC_MASK}|${SRC_ANY})\s+(interface\s+${DST_INTFC}|object\-group\s+${DST_OBJECT_GRP}|object\s+${DST_OBJECT}|host\s+${DST_HOST}|${DST_NETWORK}\s+${DST_MASK}|${DST_ANY})\s+((eq\s+${DST_PORT}|object\-group\s+${DST_PORT_GRP}|object\s+${DST_PORT_OBJECT})\s+){0,1}(${ENTRY_ICMP_TYPE}(\s+${ENTRY_ICMP_CODE}){0,1}\s+){0,1}((log\s+(${LOG_LEVEL}\s+interval\s+${LOG_INTERVAL}|disable|default))\s+){0,1}(${STATE}\s+){0,1}\(hitcnt=${HIT_COUNT}\)\s+(\(inactive\)\s+){0,1}${LINE_HASH}\s* -> Record
^\s+access\-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+(standard|extended)\s+(permit|deny)\s+${ENTRY_PROTOCOL_ICMP}\s+(fqdn\s+${ENTRY_SRC_FQDN}|range\s+${ENTRY_SRC_RANGE_START}\s+${ENTRY_SRC_RANGE_END}|host\s+${ENTRY_SRC_HOST}|${ENTRY_SRC_NETWORK}\s+${ENTRY_SRC_MASK}|${ENTRY_SRC_ANY})\s+(\(${ENTRY_SRC_FQDN_STATE}\)\s+){0,1}(fqdn\s+${ENTRY_DST_FQDN}|range\s+${ENTRY_DST_RANGE_START}\s+${ENTRY_DST_RANGE_END}|host\s+${ENTRY_DST_HOST}|${ENTRY_DST_NETWORK}\s+${ENTRY_DST_MASK}|${ENTRY_DST_ANY})\s+(\(${ENTRY_DST_FQDN_STATE}\)\s+){0,1}(${ENTRY_ICMP_TYPE}(\s+${ENTRY_ICMP_CODE}){0,1}\s+){0,1}(log\s+(${LOG_LEVEL}\s+interval\s+${LOG_INTERVAL}|disable|default)\s+){0,1}(inactive){0,1}\s*(\(hitcnt=${ENTRY_HIT_COUNT}\)){0,1}\s*(\(${ENTRY_STATE}\)){0,1}\s+${ENTRY_HASH}\s* -> Record
^\s+access\-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+(standard|extended)\s+(permit|deny)\s+(${ENTRY_PROTOCOL}\s+){0,1}(fqdn\s+${ENTRY_SRC_FQDN}|range\s+${ENTRY_SRC_RANGE_START}\s+${ENTRY_SRC_RANGE_END}|host\s+${ENTRY_SRC_HOST}|${ENTRY_SRC_NETWORK}\s+${ENTRY_SRC_MASK}|${ENTRY_SRC_ANY})\s+(\(${ENTRY_SRC_FQDN_STATE}\)\s+){0,1}((fqdn\s+${ENTRY_DST_FQDN}|range\s+${ENTRY_DST_RANGE_START}\s+${ENTRY_DST_RANGE_END}|host\s+${ENTRY_DST_HOST}|${ENTRY_DST_NETWORK}\s+${ENTRY_DST_MASK}|${ENTRY_DST_ANY})\s+){0,1}(\(${ENTRY_DST_FQDN_STATE}\)\s+){0,1}((eq\s+${ENTRY_PORT}|lt\s+${ENTRY_PORT_LESS_THAN}|gt\s+${ENTRY_PORT_GREATER_THAN}|range\s+${ENTRY_PORT_RANGE_START}\s+${ENTRY_PORT_RANGE_END})\s+){0,1}(log\s+([a-z0-9]+\s+interval\s+\d+|disable|default)\s+){0,1}(inactive){0,1}\s*(\(hitcnt=${ENTRY_HIT_COUNT}\)){0,1}\s*(\(${ENTRY_STATE}\)){0,1}\s+${ENTRY_HASH}\s* -> Record
^\s+access\-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+(standard|extended)\s+(permit|deny)\s+${ENTRY_PROTOCOL_ICMP}\s+(fqdn\s+${ENTRY_SRC_FQDN}|range\s+${ENTRY_SRC_RANGE_START}\s+${ENTRY_SRC_RANGE_END}|host\s+${ENTRY_SRC_HOST}|${ENTRY_SRC_NETWORK}\s+${ENTRY_SRC_MASK}|${ENTRY_SRC_NETWORK6}|${ENTRY_SRC_ANY})\s+(\(${ENTRY_SRC_FQDN_STATE}\)\s+){0,1}(fqdn\s+${ENTRY_DST_FQDN}|range\s+${ENTRY_DST_RANGE_START}\s+${ENTRY_DST_RANGE_END}|host\s+${ENTRY_DST_HOST}|${ENTRY_DST_NETWORK}\s+${ENTRY_DST_MASK}|${ENTRY_DST_NETWORK6}|${ENTRY_DST_ANY})\s+(\(${ENTRY_DST_FQDN_STATE}\)\s+){0,1}(${ENTRY_ICMP_TYPE}(\s+${ENTRY_ICMP_CODE}){0,1}\s+){0,1}(log\s+(${LOG_LEVEL}\s+interval\s+${LOG_INTERVAL}|disable|default)\s+){0,1}(inactive){0,1}\s*(\(hitcnt=${ENTRY_HIT_COUNT}\)){0,1}\s*(\(${ENTRY_STATE}\)){0,1}\s+${ENTRY_HASH}\s* -> Record
^\s+access\-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+(standard|extended)\s+(permit|deny)\s+(${ENTRY_PROTOCOL}\s+){0,1}(fqdn\s+${ENTRY_SRC_FQDN}|range\s+${ENTRY_SRC_RANGE_START}\s+${ENTRY_SRC_RANGE_END}|host\s+${ENTRY_SRC_HOST}|${ENTRY_SRC_NETWORK}\s+${ENTRY_SRC_MASK}|${ENTRY_SRC_NETWORK6}|${ENTRY_SRC_ANY})\s+(\(${ENTRY_SRC_FQDN_STATE}\)\s+){0,1}((fqdn\s+${ENTRY_DST_FQDN}|range\s+${ENTRY_DST_RANGE_START}\s+${ENTRY_DST_RANGE_END}|host\s+${ENTRY_DST_HOST}|${ENTRY_DST_NETWORK}\s+${ENTRY_DST_MASK}|${ENTRY_DST_NETWORK6}|${ENTRY_DST_ANY})\s+){0,1}(\(${ENTRY_DST_FQDN_STATE}\)\s+){0,1}((eq\s+${ENTRY_PORT}|lt\s+${ENTRY_PORT_LESS_THAN}|gt\s+${ENTRY_PORT_GREATER_THAN}|range\s+${ENTRY_PORT_RANGE_START}\s+${ENTRY_PORT_RANGE_END})\s+){0,1}(log\s+([a-z0-9]+\s+interval\s+\d+|disable|default)\s+){0,1}(inactive){0,1}\s*(\(hitcnt=${ENTRY_HIT_COUNT}\)){0,1}\s*(\(${ENTRY_STATE}\)){0,1}\s+${ENTRY_HASH}\s* -> Record
^access\-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+(standard|extended)\s+(permit|deny)\s+(fqdn\s+${ENTRY_SRC_FQDN}|range\s+${ENTRY_SRC_RANGE_START}\s+${ENTRY_SRC_RANGE_END}|host\s+${ENTRY_SRC_HOST}|${ENTRY_SRC_NETWORK}\s+${ENTRY_SRC_MASK}|${ENTRY_SRC_ANY})\s+\((hitcnt=${ENTRY_HIT_COUNT})\)\s+${ENTRY_HASH}\s* -> Record
^.* -> Error "Did not match any rules"

Expand Down
6 changes: 6 additions & 0 deletions tests/cisco_asa/show_access-list/cisco_asa_show_access-list.raw
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,4 +66,10 @@ access-list test line 31 extended permit icmp any4 169.254.147.0 255.255.0.0 tim
access-list test line 32 extended permit icmp any4 169.254.151.0 255.255.0.0 echo (hitcnt=0) 0x0f3edcdd
access-list test line 33 extended permit icmp any4 169.254.151.0 255.255.0.0 unreachable (hitcnt=0) 0x7887741b
access-list test line 34 extended permit icmp any4 169.254.151.0 255.255.0.0 time-exceeded (hitcnt=0) 0x480bef5c
access-list test line 34 extended permit icmp any4 169.254.151.0 255.255.0.0 traceroute (hitcnt=0) 0x480bef5c
access-list test line 35 extended deny icmp any any (hitcnt=3) 0xff7fd0ca
access-list test line 36 extended permit udp object-group netic-monitor object-group test-subnets object-group test-services (hitcnt=163176) 0xfb290ba6
access-list test line 36 extended permit udp 2001.db8:0:f159::/64 169.254.152.0 255.255.255.128 eq ntp (hitcnt=0) 0xc01192ad
access-list test line 36 extended permit udp 2001.db8:0:f159::/64 169.254.152.0 255.255.255.128 eq snmp (hitcnt=0) 0xae3c968e
access-list test line 36 extended permit udp 169.254.151.0 255.255.255.240 169.254.152.0 255.255.255.128 eq ntp (hitcnt=163144) 0xc154ab9c
access-list test line 36 extended permit udp 169.254.151.0 255.255.255.240 169.254.152.0 255.255.255.128 eq snmp (hitcnt=32) 0xea2f0967
Loading

0 comments on commit e9e4342

Please sign in to comment.