LinuxQuestions.org
11-05-2014, 04:32 AM   #1
contra04
LQ Newbie
 
Registered: Sep 2011
Location: London UK
Distribution: centos_fedora_DEbian
Posts: 18

Rep: Reputation: Disabled
Text file processing, using bash script for grabbing all relevant VPN config from ASA


Morning,

I'm trying to parse all config related to specific VPNs on an ASA.

I've got it working mostly, however I need to remember how to use sed to pull output between lines. I need two bits:

First,
I need to pull the config of object groups from the ACL lines. Each ACL line has two object-groups, a source and a destination.
The problem is that the ACLs may be longer than one line, so I need to store the ACL in an array, then loop through it to pull each object-group config. The ACLs can be grepped without issue, I just don't know how to store each line, then loop through for the second part.

The second problem is that the object-groups may have more than one item in the line below the object group name that I pulled with AWK, so I need it to start at the object group name, and show all lines until the next object group, for both object groups in the ACL line, for every line in the ACL.

It kind of works for a one-liner - but I need to get this working on ACLs of any length, as well as object groups that are of any length. There is another problem, in that there are also "network objects" that can be part of ACLs on newer firewalls, but we can fight that war once we win the battle below.

e.g. VPNMAP 1, here is all the config I want to pull:
________________________________________________
!ASA CONFIG
crypto map VPNMAP 1 match address ACL_VPN_01
crypto map VPNMAP 1 set peer 1.1.1.1
crypto map VPNMAP 1 set transform-set ESP-3DES-SHA

access-list ACL_VPN_01 extended permit ip object-group OBJG_SOURCE1 object-group OBJG_DEST1
access-list ACL_VPN_01 extended permit ip object-group OBJG_SOURCE2 object-group OBJG_DEST2

object-group network OBJG_SOURCE1
network-object 10.1.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0

object-group network OBJG_DEST1
network-object 10.100.0.0 255.255.0.0

object-group network OBJG_SOURCE2
network-object 10.3.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0

object-group network OBJG_DEST2
network-object 10.101.0.0 255.255.0.0

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

____________________________
Here is the script so far, the ASA config being called HEXASA.log:

#!/bin/bash
echo "Enter VPNMAP NUMBER, followed by[ENTER]:"
read VPNMAPNUMBER
cat HEXASA.log | grep "VPNMAP $VPNMAPNUMBER"
# Field 7 of the "match address" line is the ACL name
acl=$(cat HEXASA.log | grep "VPNMAP $VPNMAPNUMBER match address" | awk '{print $7}')
echo $vpnmap   # vpnmap is never set, so this prints an empty line
# Field 7 of the "set peer" line is the peer address
peer=$(cat HEXASA.log | grep "VPNMAP $VPNMAPNUMBER set peer" | awk '{print $7}')
#echo $acl
aclconfig=$(cat HEXASA.log | grep "access-list $acl")
echo $aclconfig
# Unquoted $aclconfig is flattened to one line, so only the first ACL line's groups are picked up
objgroup1=$(cat HEXASA.log | echo $aclconfig | awk '{print $7}')
echo $objgroup1
objgroup2=$(cat HEXASA.log | echo $aclconfig | awk '{print $9}')
echo $objgroup2
# -A10 is a fixed guess at the length of each object-group
cat HEXASA.log | grep -A10 "object-group network $objgroup1"
echo " "
cat HEXASA.log | grep -A10 "object-group network $objgroup2"
echo " "
cat HEXASA.log | grep -A3 "tunnel-group $peer"


As you can see, I'm just using a huge "A" value of 10 to get all the lines after this.
Once we are cool here - we need to figure out how to enumerate network objects that are nested in object groups.... IF...FI .... functions etc.
I may have been able to pull this off in 2008, but I don't touch Linux much these days.
Any help would be greatly appreciated.

Last edited by contra04; 11-05-2014 at 05:57 AM. Reason: wrong script number
 
11-06-2014, 02:35 AM   #2
grail
LQ Guru
 
Registered: Sep 2009
Location: Perth
Distribution: Manjaro
Posts: 10,005

Rep: Reputation: 3191
Firstly, please use [code][/code] tags around code or data as it makes it much easier to read and follow.

I do have some questions/comments:

1. You say - "e.g. VPNMAP 1, here is all the config I want to pull:" - to me this is the data you want. The problem is we don't know what you started with, so we have no idea how to get here (except your code, which you have already admitted is not working 100%).

2. cat is not required on any line where you have used it, and on those lines where you have grep and awk, you can remove the grep as well.

The rest will need to wait until there is some data to work from?
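
Added example, not part of either post: one way to do what the thread asks in a single awk pass, without `cat` or `grep` as post #2 suggests. It keeps every line of the ACL and each object-group body of any length, then prints only what the chosen crypto map entry references; fields are compared whole, so entry 1 does not also match entry 10. The sample config is constructed from the layout in post #1, and the rule that a tunnel-group block ends at a blank or `!` line is an assumption.

```bash
#!/bin/bash
# vpn_config FILE MAP SEQ: the map entry, all its ACL lines, each object-group once, the tunnel-group.
vpn_config() {
  awk -v map="$2" -v seq="$3" '
    # An object-group header opens a block; member lines extend it to any length.
    $1 == "object-group" && $2 == "network" { grp = $3; body[grp] = $0 "\n"; next }
    grp != "" && $1 ~ /^(network-object|group-object|description)$/ { body[grp] = body[grp] $0 "\n"; next }
    { grp = "" }                                        # any other line closes the block
    $1 == "access-list" { acl[$2] = acl[$2] $0 "\n" }   # keep every line of every ACL
    $1 == "crypto" && $2 == "map" && $3 == map && $4 == seq {
      entry = entry $0 "\n"
      if ($5 == "match" && $6 == "address") aclname = $7
      if ($5 == "set" && $6 == "peer") peer = $7
    }
    # Assumption: a tunnel-group block runs until a blank line or a "!" line.
    $1 == "tunnel-group" { tpeer = $2 }
    NF == 0 || $1 == "!" { tpeer = "" }
    tpeer != "" { tun[tpeer] = tun[tpeer] $0 "\n" }
    END {
      printf "%s\n%s\n", entry, acl[aclname]
      n = split(acl[aclname], row, "\n")
      for (r = 1; r <= n; r++) {                        # walk every ACL line, not just the first
        m = split(row[r], w, " ")
        for (k = 1; k < m; k++)
          if (w[k] == "object-group" && (w[k+1] in body) && !seen[w[k+1]]++) printf "%s\n", body[w[k+1]]
      }
      printf "%s", tun[peer]
    }' "$1"
}
# Constructed sample, cut down from the layout shown in post #1.
sample=$(mktemp)
cat > "$sample" <<'EOF'
object-group network OBJG_SOURCE1
network-object 10.1.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
object-group network OBJG_DEST1
network-object 10.100.0.0 255.255.0.0
object-group network OBJG_DEST2
network-object 10.101.0.0 255.255.0.0
access-list ACL_VPN_01 extended permit ip object-group OBJG_SOURCE1 object-group OBJG_DEST1
access-list ACL_VPN_01 extended permit ip object-group OBJG_SOURCE1 object-group OBJG_DEST2
crypto map VPNMAP 1 match address ACL_VPN_01
crypto map VPNMAP 1 set peer 1.1.1.1
crypto map VPNMAP 10 match address ACL_VPN_02
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
EOF
vpn_config "$sample" VPNMAP 1
```

Against the real file the call would be `vpn_config HEXASA.log VPNMAP 1`; an object-group referenced by several ACL lines is printed only once.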
 
  


All times are GMT -5.