Text file processing, using bash script for grabbing all relevant VPN config from ASA
Morning,
I'm trying to parse all config related to specific VPNs on an ASA.
I've got it working mostly; however, I need to remember how to use sed to pull output between lines. I need two bits:
First, I need to pull the config of object groups from the ACL lines. Each ACL line has two object-groups, a source and a destination.
The problem is that the ACLs may be longer than one line, so I need to store the ACL in an array, then loop through it to pull each object-group config. The ACLs can be grepped without issue; I just don't know how to store each line, then loop through for the second part.
The second problem is that the object-groups may have more than one item in the lines below the object group name that I pulled with AWK, so I need it to start at the object group name and show all lines until the next object group, for both object groups in the ACL line, for every line in the ACL.
It kind of works for a one-liner, but I need to get this working on ACLs of any length, as well as object groups that are of any length. There is another problem, in that there are also "network objects" that can be part of ACLs on newer firewalls, but we can fight that war once we win the battle below.
E.g. VPNMAP 1; here is all the config I want to pull:
________________________________________________
!ASA CONFIG
crypto map VPNMAP 1 match address ACL_VPN_01
crypto map VPNMAP 1 set peer 1.1.1.1
crypto map VPNMAP 1 set transform-set ESP-3DES-SHA
access-list ACL_VPN_01 extended permit ip object-group OBJG_SOURCE1 object-group OBJG_DEST1
access-list ACL_VPN_01 extended permit ip object-group OBJG_SOURCE2 object-group OBJG_DEST2
object-group network OBJG_SOURCE1
network-object 10.1.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
object-group network OBJG_DEST1
network-object 10.100.0.0 255.255.0.0
object-group network OBJG_SOURCE2
network-object 10.3.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0
object-group network OBJG_DEST2
network-object 10.101.0.0 255.255.0.0
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
____________________________
Here is the script so far; the ASA config is in a file called HEXASA.log:
#!/bin/bash
echo "Enter VPNMAP NUMBER, followed by [ENTER]:"
read VPNMAPNUMBER
# trailing space so that "VPNMAP 1" does not also match "VPNMAP 10", "VPNMAP 11", ...
grep "VPNMAP $VPNMAPNUMBER " HEXASA.log
acl=$(grep "VPNMAP $VPNMAPNUMBER match address" HEXASA.log | awk '{print $7}')
echo "$acl"
peer=$(grep "VPNMAP $VPNMAPNUMBER set peer" HEXASA.log | awk '{print $7}')
aclconfig=$(grep "access-list $acl " HEXASA.log)
echo "$aclconfig"
# echo ignores stdin, so piping HEXASA.log into it did nothing;
# only the first ACE is handled here, longer ACLs still need a loop
objgroup1=$(echo "$aclconfig" | head -n 1 | awk '{print $7}')
echo "$objgroup1"
objgroup2=$(echo "$aclconfig" | head -n 1 | awk '{print $9}')
echo "$objgroup2"
grep -A10 "object-group network $objgroup1" HEXASA.log
echo " "
grep -A10 "object-group network $objgroup2" HEXASA.log
echo " "
# -F: the dots in the peer IP are literal, not regex wildcards
grep -A3 -F "tunnel-group $peer" HEXASA.log
As you can see, I'm just using a huge "-A" value of 10 to get all the lines after this.
Once we are cool here, we need to figure out how to enumerate network objects that are nested in object groups.... IF...FI .... functions etc.
I may have been able to pull this off in 2008, but I don't touch Linux much these days.
Any help would be greatly appreciated.
Last edited by contra04; 11-05-2014 at 05:57 AM.
Reason: wrong script number
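The loop the question asks for, written out as an added example (this is not contra04's script and was not posted in the thread). Instead of `grep -A10`, an awk block prints an object-group from its header line until the next top-level command, so groups of any length work; the ACEs of the ACL are listed one per line and looped over, and each referenced group is printed once. It goes a little beyond the post: a map number is matched as a whole field (so `1` never picks up `10`), and groups nested with `group-object` are followed recursively, which is the "network objects nested in object groups" battle mentioned at the end. The config file name, the `VPNMAP 10` entry, `OBJG_NESTED`, `OBJG_OTHER` and the function names are assumptions; the sample config is constructed, modelled on the one in the post.

```shell
#!/bin/bash
# Added example, not the original poster's script: pull everything that hangs off
# one crypto map entry, looping over every ACE of the ACL and printing each
# object-group from its header line to the next top-level command.
# Assumes a plain-text config whose ACEs use "object-group NAME" for source and
# destination; the sample below and every name in it are constructed.

# Constructed sample modelled on the thread's config, plus a second map entry
# (VPNMAP 10) and a nested group-object; OBJG_DEST1's body is left unindented
# the way the poster's paste shows it, the rest use ASA's one-space indent.
make_sample_config() {
    local f
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
crypto map VPNMAP 1 match address ACL_VPN_01
crypto map VPNMAP 1 set peer 1.1.1.1
crypto map VPNMAP 1 set transform-set ESP-3DES-SHA
crypto map VPNMAP 10 match address ACL_VPN_10
crypto map VPNMAP 10 set peer 10.10.10.10
access-list ACL_VPN_01 extended permit ip object-group OBJG_SOURCE1 object-group OBJG_DEST1
access-list ACL_VPN_01 extended permit ip object-group OBJG_SOURCE2 object-group OBJG_DEST2
access-list ACL_VPN_10 extended permit ip object-group OBJG_OTHER object-group OBJG_DEST1
access-list ACL_VPN_10 extended permit tcp object-group OBJG_OTHER object-group OBJG_DEST1 eq 443
object-group network OBJG_SOURCE1
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0
object-group network OBJG_DEST1
network-object 10.100.0.0 255.255.0.0
object-group network OBJG_SOURCE2
 network-object 10.3.0.0 255.255.0.0
 network-object 10.4.0.0 255.255.0.0
 group-object OBJG_NESTED
object-group network OBJG_NESTED
 network-object 10.5.0.0 255.255.0.0
object-group network OBJG_DEST2
 network-object 10.101.0.0 255.255.0.0
object-group network OBJG_OTHER
 network-object 10.200.0.0 255.255.0.0
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
tunnel-group 10.10.10.10 type ipsec-l2l
EOF
    printf '%s\n' "$f"
}

# Print the line(s) equal to HDR or starting with "HDR ", each followed by its
# body: indented lines, or the unindented body keywords seen in pasted configs.
# Usage: config_block FILE HDR
config_block() {
    awk -v hdr="$2" '
        $0 == hdr || index($0, hdr " ") == 1 { inblock = 1; print; next }
        inblock && (/^[ \t]/ || /^(network-object|group-object|description|pre-shared-key) /) { print; next }
        { inblock = 0 }
    ' "$1"
}

# Object-group names referenced by the ACEs of ACLNAME, one per line, in order.
acl_object_groups() {
    awk -v acl="$2" '$1 == "access-list" && $2 == acl {
        for (i = 1; i < NF; i++) if ($i == "object-group") print $(i + 1) }' "$1"
}

# Print object-group NAME and, recursively, every group nested via group-object.
# SEEN (global, reset by vpn_config) prints each group once and breaks loops.
expand_object_group() {
    local file=$1 name=$2 child
    case " $SEEN " in *" $name "*) return 0 ;; esac
    SEEN="$SEEN $name"
    config_block "$file" "object-group network $name"
    # a for loop (not a pipeline) keeps the recursion in this shell, so SEEN persists
    for child in $(config_block "$file" "object-group network $name" | awk '$1 == "group-object" { print $2 }'); do
        expand_object_group "$file" "$child"
    done
}

# Usage: vpn_config FILE MAP SEQ   (e.g. vpn_config HEXASA.log VPNMAP 1)
vpn_config() {
    local file=$1 map=$2 seq=$3 acl peer group
    # whole-field comparisons, so "VPNMAP 1" can never pick up "VPNMAP 10"
    awk -v m="$map" -v s="$seq" '$1 == "crypto" && $2 == "map" && $3 == m && $4 == s' "$file"
    acl=$(awk -v m="$map" -v s="$seq" '$3 == m && $4 == s && $5 == "match" && $6 == "address" { print $7 }' "$file")
    peer=$(awk -v m="$map" -v s="$seq" '$3 == m && $4 == s && $5 == "set" && $6 == "peer" { print $7 }' "$file")
    if [ -z "$acl" ]; then
        printf 'no "crypto map %s %s match address" line in %s\n' "$map" "$seq" "$file" >&2
        return 1
    fi
    awk -v acl="$acl" '$1 == "access-list" && $2 == acl' "$file"
    SEEN=""
    for group in $(acl_object_groups "$file" "$acl"); do
        expand_object_group "$file" "$group"
    done
    if [ -n "$peer" ]; then config_block "$file" "tunnel-group $peer"; fi
}

# Stand-alone: FILE MAP SEQ from the command line, or VPNMAP 1 from the sample.
if [ $# -eq 3 ]; then
    vpn_config "$1" "$2" "$3"
else
    CFG=$(make_sample_config) && vpn_config "$CFG" VPNMAP 1; rm -f "$CFG"
fi
```

Run as `./vpnpull.sh HEXASA.log VPNMAP 1` to get the same list of lines shown in the post for VPNMAP 1. A real `show running-config` indents group bodies and `pre-shared-key` with one space, which is what `config_block` keys on; the unindented keyword alternation is only there so that a paste that lost its indentation (like the one in the post) still parses. Object-group lookups are exact on the whole header line, so `OBJG_SOURCE1` never pulls in `OBJG_SOURCE10`.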