784-cisco_asa_show_running-config_all_crypto_map.textfsm (networktoco…
diepes authored and cppmonkey committed Oct 25, 2023
1 parent 627803b commit 5342cb4
Showing 4 changed files with 314 additions and 15 deletions.
31 changes: 27 additions & 4 deletions templates/cisco_asa_show_running-config_all_crypto_map.textfsm
Expand Up @@ -3,25 +3,48 @@ Value CONNECTION_TYPE (\S+)
Value Required MAP (\S+)
Value Required SEQ (\d+)
Value PFS (group\d|\s*)
Value Required PEER (\S+)
Value PEER (\S+)
Value IKEv1_PHASE1_MODE (\S+)
Value IKEv1_TRANSFORM_SET (\S+(\s\S+)*?)
Value IKEv2_MODE (\S+)
Value ISAKMP_DYNAMIC (\S+)
Value Fillup INTERFACE (\S+)
Value TRANSFORM (\S+)
Value SA (\d+)
Value SA_SEC (\d+)
Value SA_KB (\d+)
Value TFC_PACKETS (\S\S)

Start
# Value's address , start of block
^crypto\smap\s${MAP}\s${SEQ}\smatch\saddress\s${MATCHED_ADDRESS}\s*$$ -> ReadBlockLines
^. -> Error

ReadBlockLines
#1 Fake start, block "match address" to trigger recording of current block
^crypto\s+map\s\S+\s\d+\s+match\s+address\s\S+\s*$$ -> Continue.Record
#1 Real capture of "match address" start of new record
^crypto\smap\s${MAP}\s${SEQ}\smatch\saddress\s${MATCHED_ADDRESS}\s*$$
#
^crypto\smap\s${MAP}\s${SEQ}\sset\sconnection-type\s${CONNECTION_TYPE}\s*$$
^crypto\smap\s${MAP}\s${SEQ}\sset\spfs\s${PFS}\s*$$
^crypto\smap\s${MAP}\s${SEQ}\sset\speer\s${PEER}\s*$$
^crypto\smap\s${MAP}\s${SEQ}\sset\sikev1\sphase1-mode\s${IKEv1_PHASE1_MODE}\s*$$
^crypto\smap\s${MAP}\s${SEQ}\sset\sikev1\stransform-set\s${IKEv1_TRANSFORM_SET}\s*$$
^crypto\smap\s${MAP}\s${SEQ}\sset\sikev2\smode\s${IKEv2_MODE}\s*$$
# SA Second/Byte alone or in different combinations
^crypto\smap\s\S+\s\d+\sset\ssecurity-association\slifetime\sseconds\s${SA_SEC}\s*$$
^crypto\smap\s\S+\s\d+\sset\ssecurity-association\slifetime\skilobytes\s${SA_KB}\s*$$
^crypto\smap\s\S+\s\d+\sset\ssecurity-association\slifetime\skilobytes\s${SA_KB}\sseconds\s${SA_SEC}\s*$$
^crypto\smap\s\S+\s\d+\sset\ssecurity-association\slifetime\sseconds\s${SA_SEC}\skilobytes\s${SA_KB}\s*$$
#2 Fake start, block "match address" to trigger recording of current block
^crypto\s+map\s\S+\s\d+\sipsec-isakmp\sdynamic\s${ISAKMP_DYNAMIC}\s*$$ -> Continue.Record
#2 Real capture of "match address" start of new record
^crypto\smap\s${MAP}\s${SEQ}\sipsec-isakmp\sdynamic\s${ISAKMP_DYNAMIC}\s*$$
^no\scrypto\smap\s${MAP}\s${SEQ}\sset\stfc-packets\s*$$ -> Record
#
#3 no crypto map only at end of each block, if unset (add -> Record for safety)
^${TFC_PACKETS}\scrypto\smap\s${MAP}\s${SEQ}\sset\stfc-packets\s*$$ -> Record
#4 Interface only after multiple blocks, FillUp
^crypto\smap\s${MAP}\sinterface\s${INTERFACE}\s*$$
^crypto\smap\s\S+\s\d+\sset\ssecurity-association\slifetime\sseconds\s${SA}\s*$$
#
^\s*$$
^. -> Error
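Review bot: `Value TFC_PACKETS (\S\S)` accepts any two non-whitespace characters, although the only rule that uses it is the one for the `no crypto map … set tfc-packets` line; `Value TFC_PACKETS (no)` would say that directly and keep an unexpected prefix from being recorded as a value. ReadBlockLines also has no rule for the enabled form, a `crypto map <map> <seq> set tfc-packets …` line without the `no` prefix, so a config with TFC switched on would presumably fall through to `^. -> Error` instead of parsing. Something like `^crypto\smap\s${MAP}\s${SEQ}\sset\stfc-packets\s.*$$ -> Record` would cover it, ideally with a capture so the enabled case can be told apart from the empty `tfc_packets` of a dynamic entry. The comment `#2 Real capture of "match address"` above the `ipsec-isakmp dynamic` rule looks copied from #1 and should name the dynamic entry.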
Expand Up @@ -12,7 +12,9 @@ parsed_sample:
isakmp_dynamic: ""
interface: "WAN1"
transform: ""
sa: ""
sa_sec: ""
sa_kb: ""
tfc_packets: "no"
- matched_address: "CMAP_RU11"
connection_type: "bidirectional"
map: "WAN1_CMAP"
Expand All @@ -25,7 +27,9 @@ parsed_sample:
isakmp_dynamic: ""
interface: "WAN1"
transform: ""
sa: ""
sa_sec: ""
sa_kb: ""
tfc_packets: "no"
- matched_address: "CMAP_RU12"
connection_type: "bidirectional"
map: "WAN1_CMAP"
Expand All @@ -38,7 +42,9 @@ parsed_sample:
isakmp_dynamic: ""
interface: "WAN1"
transform: ""
sa: ""
sa_sec: ""
sa_kb: ""
tfc_packets: "no"
- matched_address: "CMAP_RU17"
connection_type: "bidirectional"
map: "WAN1_CMAP"
Expand All @@ -51,7 +57,9 @@ parsed_sample:
isakmp_dynamic: ""
interface: "WAN1"
transform: ""
sa: ""
sa_sec: ""
sa_kb: ""
tfc_packets: "no"
- matched_address: "CMAP_FR_TEST_VPN"
connection_type: "bidirectional"
map: "WAN1_CMAP"
Expand All @@ -64,7 +72,24 @@ parsed_sample:
isakmp_dynamic: ""
interface: "WAN1"
transform: ""
sa: "3600"
sa_sec: "3600"
sa_kb: ""
tfc_packets: "no"
- matched_address: ""
connection_type: ""
map: "WAN1_CMAP"
seq: "65535"
pfs: ""
peer: ""
ikev1_phase1_mode: ""
ikev1_transform_set: ""
ikev2_mode: ""
isakmp_dynamic: "SYSTEM_DEFAULT_CRYPTO_MAP"
interface: "WAN1"
transform: ""
sa_sec: ""
sa_kb: ""
tfc_packets: ""
- matched_address: "CMAP_RU17"
connection_type: "bidirectional"
map: "S2S_CMAP"
Expand All @@ -74,10 +99,12 @@ parsed_sample:
ikev1_phase1_mode: "main"
ikev1_transform_set: "ESP-AES-256-SHA ESP-AES-192-SHA"
ikev2_mode: "tunnel"
isakmp_dynamic: "SYSTEM_DEFAULT_CRYPTO_MAP"
interface: "WAN1"
isakmp_dynamic: ""
interface: "S2SVPN"
transform: ""
sa: ""
sa_sec: ""
sa_kb: ""
tfc_packets: "no"
- matched_address: "CMAP_RU12"
connection_type: "bidirectional"
map: "S2S_CMAP"
Expand All @@ -90,7 +117,9 @@ parsed_sample:
isakmp_dynamic: ""
interface: "S2SVPN"
transform: ""
sa: ""
sa_sec: ""
sa_kb: ""
tfc_packets: "no"
- matched_address: "CMAP_RU11"
connection_type: "bidirectional"
map: "S2S_CMAP"
Expand All @@ -103,7 +132,9 @@ parsed_sample:
isakmp_dynamic: ""
interface: "S2SVPN"
transform: ""
sa: ""
sa_sec: ""
sa_kb: ""
tfc_packets: "no"
- matched_address: "CMAP_RU16"
connection_type: "bidirectional"
map: "S2S_CMAP"
Expand All @@ -116,4 +147,6 @@ parsed_sample:
isakmp_dynamic: ""
interface: "S2SVPN"
transform: ""
sa: ""
sa_sec: ""
sa_kb: ""
tfc_packets: "no"
@@ -0,0 +1,76 @@
crypto map WAN1_CMAP 10 match address CMAP_RU16
crypto map WAN1_CMAP 10 set connection-type bidirectional
crypto map WAN1_CMAP 10 set peer 192.0.2.1
crypto map WAN1_CMAP 10 set ikev1 phase1-mode main
crypto map WAN1_CMAP 10 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA
crypto map WAN1_CMAP 10 set ikev2 mode tunnel
no crypto map WAN1_CMAP 10 set tfc-packets
crypto map WAN1_CMAP 20 match address CMAP_RU11
crypto map WAN1_CMAP 20 set connection-type bidirectional
crypto map WAN1_CMAP 20 set peer 192.0.2.2
crypto map WAN1_CMAP 20 set ikev1 phase1-mode main
crypto map WAN1_CMAP 20 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA
crypto map WAN1_CMAP 20 set ikev2 mode tunnel
crypto map WAN1_CMAP 20 set security-association lifetime seconds 3600
no crypto map WAN1_CMAP 20 set tfc-packets
crypto map WAN1_CMAP 30 match address CMAP_RU12
crypto map WAN1_CMAP 30 set connection-type bidirectional
crypto map WAN1_CMAP 30 set peer 192.0.2.3
crypto map WAN1_CMAP 30 set ikev1 phase1-mode main
crypto map WAN1_CMAP 30 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA
crypto map WAN1_CMAP 30 set ikev2 mode tunnel
crypto map WAN1_CMAP 30 set security-association lifetime kilobytes 100000
no crypto map WAN1_CMAP 30 set tfc-packets
crypto map WAN1_CMAP 40 match address CMAP_RU17
crypto map WAN1_CMAP 40 set connection-type bidirectional
crypto map WAN1_CMAP 40 set peer 192.0.2.4
crypto map WAN1_CMAP 40 set ikev1 phase1-mode main
crypto map WAN1_CMAP 40 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA
crypto map WAN1_CMAP 40 set ikev2 mode tunnel
crypto map WAN1_CMAP 40 set security-association lifetime kilobytes 100000 seconds 3600
no crypto map WAN1_CMAP 40 set tfc-packets
crypto map WAN1_CMAP 100 match address CMAP_FR_TEST_VPN
crypto map WAN1_CMAP 100 set pfs group5
crypto map WAN1_CMAP 100 set connection-type bidirectional
crypto map WAN1_CMAP 100 set peer 192.0.2.5
crypto map WAN1_CMAP 100 set ikev1 phase1-mode main
crypto map WAN1_CMAP 100 set ikev1 transform-set DES-MD5
crypto map WAN1_CMAP 100 set ikev2 mode tunnel
crypto map WAN1_CMAP 100 set security-association lifetime seconds 3600 kilobytes 100000
no crypto map WAN1_CMAP 100 set tfc-packets
crypto map WAN1_CMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN1_CMAP interface WAN1
crypto map S2S_CMAP 10 match address CMAP_RU17
crypto map S2S_CMAP 10 set connection-type bidirectional
crypto map S2S_CMAP 10 set peer 172.21.251.10
crypto map S2S_CMAP 10 set ikev1 phase1-mode main
crypto map S2S_CMAP 10 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA
crypto map S2S_CMAP 10 set ikev2 mode tunnel
no crypto map S2S_CMAP 10 set tfc-packets
crypto map S2S_CMAP 20 match address CMAP_RU12
crypto map S2S_CMAP 20 set connection-type bidirectional
crypto map S2S_CMAP 20 set peer 172.21.251.26
crypto map S2S_CMAP 20 set ikev1 phase1-mode main
crypto map S2S_CMAP 20 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA
crypto map S2S_CMAP 20 set ikev2 mode tunnel
no crypto map S2S_CMAP 20 set tfc-packets
crypto map S2S_CMAP 30 match address CMAP_RU11
crypto map S2S_CMAP 30 set connection-type bidirectional
crypto map S2S_CMAP 30 set peer 172.21.251.18
crypto map S2S_CMAP 30 set ikev1 phase1-mode main
crypto map S2S_CMAP 30 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA
crypto map S2S_CMAP 30 set ikev2 mode tunnel
no crypto map S2S_CMAP 30 set tfc-packets
crypto map S2S_CMAP 40 match address CMAP_RU16
crypto map S2S_CMAP 40 set connection-type bidirectional
crypto map S2S_CMAP 40 set peer 172.21.251.34
crypto map S2S_CMAP 40 set ikev1 phase1-mode main
crypto map S2S_CMAP 40 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA
crypto map S2S_CMAP 40 set ikev2 mode tunnel
no crypto map S2S_CMAP 40 set tfc-packets
crypto map S2S_CMAP 160 match address CMAP_RU16_Access-to-Internet
crypto map S2S_CMAP 160 set connection-type bidirectional
crypto map S2S_CMAP 160 set peer 172.21.251.34
crypto map S2S_CMAP 160 set ikev1 phase1-mode main
crypto map S2S_CMAP 160 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA
crypto map S2S_CMAP 160 set ikev2 mode tunnel
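Review bot: The `S2S_CMAP` peers in this new fixture use `172.21.251.x` addresses while the `WAN1_CMAP` peers use the `192.0.2.x` documentation range, which suggests the second half may have been copied from a live configuration. If so, the peers (and names such as `CMAP_RU16_Access-to-Internet`) should be replaced with documentation-range or neutral values before they are published in the test data, for example `set peer 192.0.2.10`. The fixture also has no entry with `set tfc-packets` enabled, so only the `no` form of that line is exercised.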