Having some problems figuring out how to do this. I have a file that has a template config for my network routers and in this config is a list of my access lists. I need help finding a way to verify if a single ip or a range along with the port allowed is in the list. My biggest issue is the range portion, if someone wants to verify if ip block 10.164.98.0/24 for port snmp exists, it should not, because only 10.164.98.0 0.0.0.63 is in there.
Here is a sample of a portion of my config template. I have many more lists, but this sample shows a part of everything.
!
ip access-list access
seq 30 permit udp 20.141.192.64 0.0.0.15 any range 1645 1813
seq 40 permit udp 10.164.62.0 0.0.0.255 any eq snmp
seq 50 permit udp 10.37.184.0 0.0.0.255 any eq snmptrap
seq 60 permit udp 10.155.183.32 0.0.0.15 any eq snmp
seq 70 permit udp 192.16.187.64 0.0.0.63 any eq snmp
seq 80 permit udp host 10.164.62.4 any eq tftp
seq 90 permit udp host 10.94.156.17 any eq ntp
seq 100 permit tcp host 172.16.104.14 any eq telnet
seq 110 permit tcp host 10.36.167.122 any eq telnet
seq 120 permit tcp 10.109.246.0 0.0.0.255 any eq telnet
seq 130 permit tcp 10.214.68.0 0.0.3.255 any eq telnet
seq 140 permit tcp 10.214.81.0 0.0.0.127 any eq telnet
!
ip access-list prep-in
seq 10 permit tcp any host 10.158.80.10 eq www
seq 20 permit tcp any host 10.158.80.10 eq 443
seq 30 permit tcp any host 10.94.110.11 eq www
seq 40 permit tcp any host 10.94.110.11 eq 443
seq 50 permit tcp any host 10.150.104.201 eq www
seq 60 permit tcp any 10.186.176.0 0.0.15.255 eq www
seq 70 permit tcp any 10.193.112.192 0.0.0.15 eq www
seq 80 permit tcp any 10.193.112.192 0.0.0.15 eq 443
seq 90 permit ip any host 10.73.20.20
seq 100 permit ip any host 10.155.117.176
!
ip access-list mail
seq 30 permit tcp any 10.164.98.0 0.0.0.63 eq smtp
seq 40 permit tcp any 10.163.168.176 0.0.0.15 eq smtp
seq 50 permit tcp any 10.163.170.80 0.0.0.7 eq smtp
seq 60 permit tcp any host 10.163.171.137 eq smtp
seq 70 permit tcp any host 10.163.171.161 eq smtp
The only solution I could think of was to extract all the IPs and ports in the access-lists and print every IP out to a file. Then I can search for whatever IP or block I wish.
If anyone has a suggestion, please let me know.
#!/bin/bash
### Script to search existing acl templates
### Grab the template and remove html coding
TEMPLATE1=/export/htdocs/secure/Template.html
nawk 'BEGIN { RS = "!"; ORS = "!" } $2 ~ /access-list/ { print }' "$TEMPLATE1" |
    sed 's/<br>//g' | grep -E -v "any any|icmp any|ip any" > template
### The next two lines grab all acl lines which have an ip block, not a single host:
### destination blocks (... any NET WILDCARD eq PORT) and source blocks (... NET WILDCARD any eq PORT)
nawk '$1 == "seq" && $6 ~ /^[0-9]/ && $7 ~ /^[0-9]/ { print $6, $7, $9 }' template > input_file
nawk '$1 == "seq" && $5 ~ /^[0-9]/ && $6 ~ /^[0-9]/ { print $5, $6, $9 }' template >> input_file
### The next line empties any previous entries in the output_file.txt
: > output_file.txt
### The next section takes the input_file that has ip blocks and runs each block through
### ipcalc giving the starting and ending ip address. Then prints to the output_file.txt
### every ip associated with that block along with the port number allowed
while read -r one two port
do
    address=$(ipcalc "$one" "$two" | grep Address | awk '{ print $2 }' | cut -f 1 -d "/")
    broadcast=$(ipcalc "$one" "$two" | grep Broadcast | awk '{ print $2 }' | cut -f 1 -d "/")
    ### Walk the block as integers from the starting to the broadcast address, so a block
    ### smaller than a /24 (0.0.0.63) stops at its own last address instead of .254, and a
    ### block larger than a /24 (0.0.3.255) also covers the third-octet values in between
    nawk -v start="$address" -v end="$broadcast" -v port="$port" '
        function ip2int(s,  o) { split(s, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
        function int2ip(n) { return int(n / 16777216) "." int(n / 65536) % 256 "." int(n / 256) % 256 "." n % 256 }
        BEGIN { for (i = ip2int(start); i <= ip2int(end); i++) print int2ip(i), port }' >> output_file.txt
done < input_file
### The next section takes the single host ips listed in the acl template and adds them to the output_file.txt
nawk '$1 == "seq" && $5 == "host" { print $6, $9 }' template >> output_file.txt
nawk '$1 == "seq" && $6 == "host" { print $7, $9 }' template >> output_file.txt
### sort -o may name the input file as its output file; -u drops duplicate lines
sort -u -o output_file.txt output_file.txt