Cisco ACL parser, how to correctly?

T

The3fon2020-08-19 18:42:11

Python

The3fon, 2020-08-19 18:42:11

Good afternoon! There is a problem in auditing large access lists from Cisco equipment. Here is an example (acl made up) :

object-group network AAAAAAAAAA
 network-object 10.150.198.24 255.0.0.0
 network-object 10.150.198.242 255.0.0.0
 network-object 10.150.198.243 255.0.0.0
 network-object 10.150.198.247 255.0.0.0
object-group network BBBBBBBBBBB
 network-object 10.150.2.17 255.0.0.0
 network-object 10.157.7.14 255.0.0.0
object-group service CCCCCCCCCCCCCC
 service-object udp destination eq tftp 
 service-object udp destination eq sip 
 service-object udp destination eq 9999
 service-object udp destination range 32768 61000 


access-list OUTSIDE-IN extended permit udp object-group AAAAAAAAAAobject-group BBBBBBBBBBB range 8000 65535 
access-list OUTSIDE-IN extended permit object-group BBBBBBBBBBB object-group AAAAAAAAAAobject-group CCCCCCCCCCCCCC

Questions:
1) How is the audit of such access lists going, if, for example, it exceeds 10,000 rules and 5,000 objects, maybe there is special software where I uploaded the entire config and built a diagram with interactions?

2) How to automatically insert network objects corresponding to them into the ACL in order to see a full-fledged rule without operating object-group? (PS tried using python and the ciscoconfigparser library, it didn’t work. The written code either matches only the first network-object from the object-group, and ignores the rest, or when adding a large number of checks, loops and sheets nested in dictionaries, it simply could not wait for completion )

spoiler

parse = CiscoConfParse(args.file, syntax='ios', factory=True)
print(parse)
dict = {}
for net_obj in parse.find_parents_w_child('^object-group',''):
  res = str(net_obj).split(' ')[2]                                # получаем название (id) объекта
  dict[res] = []
  print()
  print()
  print('!!!-----Найден объект: '+res+'--------------------')
  print('Объект содержит следующие правила:')
  for c_obj in parse.find_objects(res):
    for ccobj in c_obj.children:
      service_object = str(ccobj).split("'")[1]
      service_object = service_object.replace('service-object','')
      service_object = service_object.replace('network-object', '') #очищаем правило от лишних слов
      print(service_object)   #получаем чистую строку service object или network object
      dict[res].append(service_object)

 acl = []
 for acl_obj in parse.find_objects(r'access-list'):
   words = str(acl_obj).split()
   for i in dict.keys():
     if i in words:
       for key in dict[i]:
         if words.count('object-group') > 1:
             q = 0
             while(q<=len(words) - 1): # повторяем пока их не останется 0
               if words[q] == 'object-group' and words[q+1] != res: # если каждая итерация = искомой группе и не равна начальной, то выводим результат
                 otherobj = words[q+1]
                 for oth1 in parse.find_objects(otherobj):
                   for cc1 in oth1.children:
                     print(str(cc1).split("'")[1])
               q=q+1
 print(acl)

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

I

iddqda, 2020-08-20
@The3fon

I don’t know how to do it right
. And I use batfish to analyze ACL,
and a self-written tool wrapper for the convenience of working with it
, in which I implemented only two functions I need
, proto) through the network or not and thanks to what rule
2. looks for ACEs that will never work
, buttfish can do it himself. It is enough to feed him the device configs and call the necessary functions
. And just checked. ObjectGroups he understands
here is an example:

S

sh76, 2021-04-27
@sh76

Utility for analyzing ACL cisco.
Understands object-group.
https://aclcheck.ru