
Cisco ACL Parser v0.04

December 22nd, 2010

Greetings all,
Here is a new version of the ACL parser. I fixed a lot of issues with this script. The object groups are now expanded for the PIX and ASA. I have added the attributes for ACL entries for log level, time, and inactive state. I enhanced the remark feature also. The script was verified and tested by Anthony, who contacted me after my initial public release v2. Anthony ran the script against an ASA 7.x with an ACL that totals over 5000 lines. Here is a quote from his response after testing:

“This is truly a parsing masterpiece. This did exactly what I needed and meets all of my requirements perfectly. Had no issues with any of the lines in the over 5000 lines of a single ACL that I ran through it, wonderful! Saved me days of work! Seriously!!! Thanks a million. I know this wasn’t easy… especially since your script more than doubled!!”

I hope that you can use the script as well; I know this saves me a lot of time when auditing a router or firewall. In the next release I hope to add support for object groups with IOS ACLs, and a column for description of how the ACL is applied. If you have any feedback, please feel free to contact me anytime.

Well, as luck would have it, there was a small spelling issue. I fixed the script, and here is the updated script.
acl2csv.0.04.pl
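
The object-group expansion and the log, time-range and inactive columns described in this post, as an added Python example (this is not the author's acl2csv script). It assumes ASA 7.x extended ACEs, network object-groups defined before they are referenced, and no source-port operators or service/protocol groups; `SAMPLE`, `KEYWORDS`, `take_addr` and `acl_rows` are names made up for the illustration.

```python
# Constructed ASA 7.x style sample; not taken from the original post.
SAMPLE = """\
object-group network DB
 network-object host 10.2.0.5
object-group network SERVERS
 network-object 10.1.2.0 255.255.255.0
 group-object DB
access-list OUT_IN extended permit tcp any object-group SERVERS eq 443 log 6 time-range WORK
access-list OUT_IN extended deny ip host 192.0.2.9 any inactive
"""
KEYWORDS = ("log", "time-range", "inactive")  # trailing ACE options

def take_addr(tok, groups, seen=()):
    """Consume one address spec; return (expanded addresses, remaining tokens)."""
    if tok[0] not in ("object-group", "group-object"):
        n = 1 if tok[0] == "any" else 2  # 'any' | 'host A' | 'A MASK'
        return [" ".join(tok[:n])], tok[n:]
    if tok[1] in seen:  # a group that (indirectly) contains itself
        raise ValueError("object-group loop at " + tok[1])
    out = []
    for m in groups[tok[1]]:
        if m[0] == "network-object":
            out += take_addr(m[1:], groups)[0]
        elif m[0] == "group-object":  # nested group: recurse, remembering the path
            out += take_addr(m, groups, seen + (tok[1],))[0]
    return out, tok[2:]

def acl_rows(config):
    """Return one tuple per (source, destination) pair of each extended ACE."""
    groups, cur, rows = {}, None, []
    for ln in config.splitlines():
        tok = ln.split()
        if ln.startswith(" "):  # indented line: member of the open object-group
            if cur is not None and tok:
                cur.append(tok)
            continue
        cur = groups.setdefault(tok[2], []) if tok[:2] == ["object-group", "network"] else None
        if tok[:1] != ["access-list"] or tok[2:3] != ["extended"]:
            continue  # remarks, standard ACLs and other config lines are skipped
        srcs, rest = take_addr(tok[5:], groups)
        dsts, rest = take_addr(rest, groups)
        cut = next((i for i, t in enumerate(rest) if t in KEYWORDS), len(rest))
        opt = dict(zip(rest[cut:], rest[cut + 1:] + [""]))  # option -> following token
        log = opt.get("log", "")
        if "log" in opt and (not log or log in KEYWORDS + ("interval",)):
            log = "default"  # bare 'log' with no explicit level
        rows += [(tok[1], tok[3], tok[4], s, d, " ".join(rest[:cut]), log,
                  opt.get("time-range", ""), "inactive" in opt) for s in srcs for d in dsts]
    return rows
```

Each tuple maps onto one CSV row, so `csv.writer(sys.stdout).writerows(acl_rows(text))` gives an audit view in which inactive entries stay visible but flagged.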

  1. Anthony
    December 22nd, 2010 at 11:55 | #1

    Not much to say other than the above… thanks again for the script and keep up the good posts!

  2. NickB
    June 16th, 2011 at 04:17 | #2

    Hi Cody,

    I’ve just downloaded your Cisco ACL Parser and I wanted to say thank you. It’s been of great use already simplifying an auditing task I needed to complete.

    There is one more thing that I’d really love it to do however and I thought I’d ask as it didn’t seem like it would be too complicated to implement; well for you at least!

    When constructing the output, would it be possible to optionally replace the names of hosts with their associated IP addresses (as per the names statements)? When troubleshooting issues this would save the step of having to look up the name of the host when inspecting the ruleset as it is usually the IP address that I’m provided with.

    I’m not able to help with the programming but would be happy to test any changes against as many PIX/ASA versions as I can lay my hands on.

  3. June 16th, 2011 at 07:04 | #3

    The later versions do replace the name with IP. I have a totally new version coming out soon that does a far better job. If you would like a copy of the beta release, email me (cody AT melcara.com) and I will send it over.
