From 5342cb433e5ca3cc7dccfd2e2135af1c81c7f235 Mon Sep 17 00:00:00 2001
From: Pieter
Date: Fri, 12 Mar 2021 11:40:35 +1300
Subject: [PATCH] 784-cisco_asa_show_running-config_all_crypto_map.textfsm (#883)
---
 ...show_running-config_all_crypto_map.textfsm | 31 +++-
 ...asa_show_running-config_all_crypto_map.yml | 55 ++++--
 ...sa_show_running-config_all_crypto_map2.raw | 76 ++++++++
 ...sa_show_running-config_all_crypto_map2.yml | 167 ++++++++++++++++++
 4 files changed, 314 insertions(+), 15 deletions(-)
 create mode 100644 tests/cisco_asa/show_running-config_all_crypto_map/cisco_asa_show_running-config_all_crypto_map2.raw
 create mode 100644 tests/cisco_asa/show_running-config_all_crypto_map/cisco_asa_show_running-config_all_crypto_map2.yml
diff --git a/templates/cisco_asa_show_running-config_all_crypto_map.textfsm b/templates/cisco_asa_show_running-config_all_crypto_map.textfsm
index 744a24cef9..28d1d32501 100644
--- a/templates/cisco_asa_show_running-config_all_crypto_map.textfsm
+++ b/templates/cisco_asa_show_running-config_all_crypto_map.textfsm
@@ -3,25 +3,48 @@ Value CONNECTION_TYPE (\S+)
 Value Required MAP (\S+)
 Value Required SEQ (\d+)
 Value PFS (group\d|\s*)
-Value Required PEER (\S+)
+Value PEER (\S+)
 Value IKEv1_PHASE1_MODE (\S+)
 Value IKEv1_TRANSFORM_SET (\S+(\s\S+)*?)
 Value IKEv2_MODE (\S+)
 Value ISAKMP_DYNAMIC (\S+)
 Value Fillup INTERFACE (\S+)
 Value TRANSFORM (\S+)
-Value SA (\d+)
+Value SA_SEC (\d+)
+Value SA_KB (\d+)
+Value TFC_PACKETS (\S\S)

 Start
+ # Value's address , start of block
+ ^crypto\smap\s${MAP}\s${SEQ}\smatch\saddress\s${MATCHED_ADDRESS}\s*$$ -> ReadBlockLines
+ ^. -> Error
+
+ReadBlockLines
+ #1 Fake start, block "match address" to trigger recording of current block
+ ^crypto\s+map\s\S+\s\d+\s+match\s+address\s\S+\s*$$ -> Continue.Record
+ #1 Real capture of "match address" start of new record
 ^crypto\smap\s${MAP}\s${SEQ}\smatch\saddress\s${MATCHED_ADDRESS}\s*$$
+ #
 ^crypto\smap\s${MAP}\s${SEQ}\sset\sconnection-type\s${CONNECTION_TYPE}\s*$$
 ^crypto\smap\s${MAP}\s${SEQ}\sset\spfs\s${PFS}\s*$$
 ^crypto\smap\s${MAP}\s${SEQ}\sset\speer\s${PEER}\s*$$
 ^crypto\smap\s${MAP}\s${SEQ}\sset\sikev1\sphase1-mode\s${IKEv1_PHASE1_MODE}\s*$$
 ^crypto\smap\s${MAP}\s${SEQ}\sset\sikev1\stransform-set\s${IKEv1_TRANSFORM_SET}\s*$$
 ^crypto\smap\s${MAP}\s${SEQ}\sset\sikev2\smode\s${IKEv2_MODE}\s*$$
+ # SA Second/Byte alone or in different combinations
+ ^crypto\smap\s\S+\s\d+\sset\ssecurity-association\slifetime\sseconds\s${SA_SEC}\s*$$
+ ^crypto\smap\s\S+\s\d+\sset\ssecurity-association\slifetime\skilobytes\s${SA_KB}\s*$$
+ ^crypto\smap\s\S+\s\d+\sset\ssecurity-association\slifetime\skilobytes\s${SA_KB}\sseconds\s${SA_SEC}\s*$$
+ ^crypto\smap\s\S+\s\d+\sset\ssecurity-association\slifetime\sseconds\s${SA_SEC}\skilobytes\s${SA_KB}\s*$$
+ #2 Fake start, block "match address" to trigger recording of current block
+ ^crypto\s+map\s\S+\s\d+\sipsec-isakmp\sdynamic\s${ISAKMP_DYNAMIC}\s*$$ -> Continue.Record
+ #2 Real capture of "match address" start of new record
 ^crypto\smap\s${MAP}\s${SEQ}\sipsec-isakmp\sdynamic\s${ISAKMP_DYNAMIC}\s*$$
- ^no\scrypto\smap\s${MAP}\s${SEQ}\sset\stfc-packets\s*$$ -> Record
+ #
+ #3 no crypto map only at end of each block, if unset (add -> Record for safety)
+ ^${TFC_PACKETS}\scrypto\smap\s${MAP}\s${SEQ}\sset\stfc-packets\s*$$ -> Record
+ #4 Interface only after multiple blocks, FillUp
 ^crypto\smap\s${MAP}\sinterface\s${INTERFACE}\s*$$
- ^crypto\smap\s\S+\s\d+\sset\ssecurity-association\slifetime\sseconds\s${SA}\s*$$
+ #
+ ^\s*$$
 ^. -> Error
diff --git a/tests/cisco_asa/show_running-config_all_crypto_map/cisco_asa_show_running-config_all_crypto_map.yml b/tests/cisco_asa/show_running-config_all_crypto_map/cisco_asa_show_running-config_all_crypto_map.yml
index 70f32d90ee..1a15f51c6d 100644
--- a/tests/cisco_asa/show_running-config_all_crypto_map/cisco_asa_show_running-config_all_crypto_map.yml
+++ b/tests/cisco_asa/show_running-config_all_crypto_map/cisco_asa_show_running-config_all_crypto_map.yml
@@ -12,7 +12,9 @@ parsed_sample:
 isakmp_dynamic: ""
 interface: "WAN1"
 transform: ""
- sa: ""
+ sa_sec: ""
+ sa_kb: ""
+ tfc_packets: "no"
 - matched_address: "CMAP_RU11"
 connection_type: "bidirectional"
 map: "WAN1_CMAP"
@@ -25,7 +27,9 @@ parsed_sample:
 isakmp_dynamic: ""
 interface: "WAN1"
 transform: ""
- sa: ""
+ sa_sec: ""
+ sa_kb: ""
+ tfc_packets: "no"
 - matched_address: "CMAP_RU12"
 connection_type: "bidirectional"
 map: "WAN1_CMAP"
@@ -38,7 +42,9 @@ parsed_sample:
 isakmp_dynamic: ""
 interface: "WAN1"
 transform: ""
- sa: ""
+ sa_sec: ""
+ sa_kb: ""
+ tfc_packets: "no"
 - matched_address: "CMAP_RU17"
 connection_type: "bidirectional"
 map: "WAN1_CMAP"
@@ -51,7 +57,9 @@ parsed_sample:
 isakmp_dynamic: ""
 interface: "WAN1"
 transform: ""
- sa: ""
+ sa_sec: ""
+ sa_kb: ""
+ tfc_packets: "no"
 - matched_address: "CMAP_FR_TEST_VPN"
 connection_type: "bidirectional"
 map: "WAN1_CMAP"
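Review bot: In the template's `ReadBlockLines` state, the `#2` fake-start rule captures `${ISAKMP_DYNAMIC}` before its `Continue.Record` fires, so a pending entry that was not already closed by a `set tfc-packets` line would be recorded carrying the dynamic map name of the entry that follows it. The `#1` fake-start rule avoids this by matching with `\S+` only, and the same form works here: `^crypto\s+map\s\S+\s\d+\sipsec-isakmp\sdynamic\s\S+\s*$$ -> Continue.Record`. In the added fixture the static entry before the dynamic line ends with `no crypto map ... set tfc-packets`, so this path appears to be untested; a fixture without that terminator would show whether a static peer entry is misreported as dynamic. The two `#2` comments also still say "match address" although the rules match `ipsec-isakmp dynamic`.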
@@ -64,7 +72,24 @@ parsed_sample:
 isakmp_dynamic: ""
 interface: "WAN1"
 transform: ""
- sa: "3600"
+ sa_sec: "3600"
+ sa_kb: ""
+ tfc_packets: "no"
+ - matched_address: ""
+ connection_type: ""
+ map: "WAN1_CMAP"
+ seq: "65535"
+ pfs: ""
+ peer: ""
+ ikev1_phase1_mode: ""
+ ikev1_transform_set: ""
+ ikev2_mode: ""
+ isakmp_dynamic: "SYSTEM_DEFAULT_CRYPTO_MAP"
+ interface: "WAN1"
+ transform: ""
+ sa_sec: ""
+ sa_kb: ""
+ tfc_packets: ""
 - matched_address: "CMAP_RU17"
 connection_type: "bidirectional"
 map: "S2S_CMAP"
@@ -74,10 +99,12 @@ parsed_sample:
 ikev1_phase1_mode: "main"
 ikev1_transform_set: "ESP-AES-256-SHA ESP-AES-192-SHA"
 ikev2_mode: "tunnel"
- isakmp_dynamic: "SYSTEM_DEFAULT_CRYPTO_MAP"
- interface: "WAN1"
+ isakmp_dynamic: ""
+ interface: "S2SVPN"
 transform: ""
- sa: ""
+ sa_sec: ""
+ sa_kb: ""
+ tfc_packets: "no"
 - matched_address: "CMAP_RU12"
 connection_type: "bidirectional"
 map: "S2S_CMAP"
@@ -90,7 +117,9 @@ parsed_sample:
 isakmp_dynamic: ""
 interface: "S2SVPN"
 transform: ""
- sa: ""
+ sa_sec: ""
+ sa_kb: ""
+ tfc_packets: "no"
 - matched_address: "CMAP_RU11"
 connection_type: "bidirectional"
 map: "S2S_CMAP"
@@ -103,7 +132,9 @@ parsed_sample:
 isakmp_dynamic: ""
 interface: "S2SVPN"
 transform: ""
- sa: ""
+ sa_sec: ""
+ sa_kb: ""
+ tfc_packets: "no"
 - matched_address: "CMAP_RU16"
 connection_type: "bidirectional"
 map: "S2S_CMAP"
@@ -116,4 +147,6 @@ parsed_sample:
 isakmp_dynamic: ""
 interface: "S2SVPN"
 transform: ""
- sa: ""
+ sa_sec: ""
+ sa_kb: ""
+ tfc_packets: "no"
diff --git a/tests/cisco_asa/show_running-config_all_crypto_map/cisco_asa_show_running-config_all_crypto_map2.raw b/tests/cisco_asa/show_running-config_all_crypto_map/cisco_asa_show_running-config_all_crypto_map2.raw
new file mode 100644
index 0000000000..2b08b4bba4
--- /dev/null
+++ b/tests/cisco_asa/show_running-config_all_crypto_map/cisco_asa_show_running-config_all_crypto_map2.raw
@@ -0,0 +1,76 @@
+crypto map WAN1_CMAP 10 match address CMAP_RU16
+crypto map WAN1_CMAP 10 set connection-type bidirectional
+crypto map WAN1_CMAP 10 set peer 192.0.2.1
+crypto map WAN1_CMAP 10 set ikev1 phase1-mode main
+crypto map WAN1_CMAP 10 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA
+crypto map WAN1_CMAP 10 set ikev2 mode tunnel
+no crypto map WAN1_CMAP 10 set tfc-packets
+crypto map WAN1_CMAP 20 match address CMAP_RU11
+crypto map WAN1_CMAP 20 set connection-type bidirectional
+crypto map WAN1_CMAP 20 set peer 192.0.2.2
+crypto map WAN1_CMAP 20 set ikev1 phase1-mode main
+crypto map WAN1_CMAP 20 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA
+crypto map WAN1_CMAP 20 set ikev2 mode tunnel
+crypto map WAN1_CMAP 20 set security-association lifetime seconds 3600
+no crypto map WAN1_CMAP 20 set tfc-packets
+crypto map WAN1_CMAP 30 match address CMAP_RU12
+crypto map WAN1_CMAP 30 set connection-type bidirectional
+crypto map WAN1_CMAP 30 set peer 192.0.2.3
+crypto map WAN1_CMAP 30 set ikev1 phase1-mode main
+crypto map WAN1_CMAP 30 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA
+crypto map WAN1_CMAP 30 set ikev2 mode tunnel
+crypto map WAN1_CMAP 30 set security-association lifetime kilobytes 100000
+no crypto map WAN1_CMAP 30 set tfc-packets
+crypto map WAN1_CMAP 40 match address CMAP_RU17
+crypto map WAN1_CMAP 40 set connection-type bidirectional
+crypto map WAN1_CMAP 40 set peer 192.0.2.4
+crypto map WAN1_CMAP 40 set ikev1 phase1-mode main
+crypto map WAN1_CMAP 40 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA
+crypto map WAN1_CMAP 40 set ikev2 mode tunnel
+crypto map WAN1_CMAP 40 set security-association lifetime kilobytes 100000 seconds 3600
+no crypto map WAN1_CMAP 40 set tfc-packets
+crypto map WAN1_CMAP 100 match address CMAP_FR_TEST_VPN
+crypto map WAN1_CMAP 100 set pfs group5
+crypto map WAN1_CMAP 100 set connection-type bidirectional
+crypto map WAN1_CMAP 100 set peer 192.0.2.5
+crypto map WAN1_CMAP 100 set ikev1 phase1-mode main
+crypto map WAN1_CMAP 100 set ikev1 transform-set DES-MD5
+crypto map WAN1_CMAP 100 set ikev2 mode tunnel
+crypto map WAN1_CMAP 100 set security-association lifetime seconds 3600 kilobytes 100000
+no crypto map WAN1_CMAP 100 set tfc-packets
+crypto map WAN1_CMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
+crypto map WAN1_CMAP interface WAN1
+crypto map S2S_CMAP 10 match address CMAP_RU17
+crypto map S2S_CMAP 10 set connection-type bidirectional
+crypto map S2S_CMAP 10 set peer 172.21.251.10
+crypto map S2S_CMAP 10 set ikev1 phase1-mode main
+crypto map S2S_CMAP 10 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA
+crypto map S2S_CMAP 10 set ikev2 mode tunnel
+no crypto map S2S_CMAP 10 set tfc-packets
+crypto map S2S_CMAP 20 match address CMAP_RU12
+crypto map S2S_CMAP 20 set connection-type bidirectional
+crypto map S2S_CMAP 20 set peer 172.21.251.26
+crypto map S2S_CMAP 20 set ikev1 phase1-mode main
+crypto map S2S_CMAP 20 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA
+crypto map S2S_CMAP 20 set ikev2 mode tunnel
+no crypto map S2S_CMAP 20 set tfc-packets
+crypto map S2S_CMAP 30 match address CMAP_RU11
+crypto map S2S_CMAP 30 set connection-type bidirectional
+crypto map S2S_CMAP 30 set peer 172.21.251.18
+crypto map S2S_CMAP 30 set ikev1 phase1-mode main
+crypto map S2S_CMAP 30 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA
+crypto map S2S_CMAP 30 set ikev2 mode tunnel
+no crypto map S2S_CMAP 30 set tfc-packets
+crypto map S2S_CMAP 40 match address CMAP_RU16
+crypto map S2S_CMAP 40 set connection-type bidirectional
+crypto map S2S_CMAP 40 set peer 172.21.251.34
+crypto map S2S_CMAP 40 set ikev1 phase1-mode main
+crypto map S2S_CMAP 40 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA
+crypto map S2S_CMAP 40 set ikev2 mode tunnel
+no crypto map S2S_CMAP 40 set tfc-packets
+crypto map S2S_CMAP 160 match address CMAP_RU16_Access-to-Internet
+crypto map S2S_CMAP 160 set connection-type bidirectional
+crypto map S2S_CMAP 160 set peer 172.21.251.34
+crypto map S2S_CMAP 160 set ikev1 phase1-mode main
+crypto map S2S_CMAP 160 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA
+crypto map S2S_CMAP 160 set ikev2 mode tunnel
diff --git a/tests/cisco_asa/show_running-config_all_crypto_map/cisco_asa_show_running-config_all_crypto_map2.yml b/tests/cisco_asa/show_running-config_all_crypto_map/cisco_asa_show_running-config_all_crypto_map2.yml
new file mode 100644
index 0000000000..467d8061d2
--- /dev/null
+++ b/tests/cisco_asa/show_running-config_all_crypto_map/cisco_asa_show_running-config_all_crypto_map2.yml
@@ -0,0 +1,167 @@
+---
+parsed_sample:
+ - matched_address: "CMAP_RU16"
+ connection_type: "bidirectional"
+ map: "WAN1_CMAP"
+ seq: "10"
+ pfs: ""
+ peer: "192.0.2.1"
+ ikev1_phase1_mode: "main"
+ ikev1_transform_set: "ESP-AES-256-SHA ESP-AES-192-SHA"
+ ikev2_mode: "tunnel"
+ isakmp_dynamic: ""
+ interface: "WAN1"
+ transform: ""
+ sa_sec: ""
+ sa_kb: ""
+ tfc_packets: "no"
+ - matched_address: "CMAP_RU11"
+ connection_type: "bidirectional"
+ map: "WAN1_CMAP"
+ seq: "20"
+ pfs: ""
+ peer: "192.0.2.2"
+ ikev1_phase1_mode: "main"
+ ikev1_transform_set: "ESP-AES-256-SHA ESP-AES-192-SHA"
+ ikev2_mode: "tunnel"
+ isakmp_dynamic: ""
+ interface: "WAN1"
+ transform: ""
+ sa_sec: "3600"
+ sa_kb: ""
+ tfc_packets: "no"
+ - matched_address: "CMAP_RU12"
+ connection_type: "bidirectional"
+ map: "WAN1_CMAP"
+ seq: "30"
+ pfs: ""
+ peer: "192.0.2.3"
+ ikev1_phase1_mode: "main"
+ ikev1_transform_set: "ESP-AES-256-SHA ESP-AES-192-SHA"
+ ikev2_mode: "tunnel"
+ isakmp_dynamic: ""
+ interface: "WAN1"
+ transform: ""
+ sa_sec: ""
+ sa_kb: "100000"
+ tfc_packets: "no"
+ - matched_address: "CMAP_RU17"
+ connection_type: "bidirectional"
+ map: "WAN1_CMAP"
+ seq: "40"
+ pfs: ""
+ peer: "192.0.2.4"
+ ikev1_phase1_mode: "main"
+ ikev1_transform_set: "ESP-AES-256-SHA ESP-AES-192-SHA"
+ ikev2_mode: "tunnel"
+ isakmp_dynamic: ""
+ interface: "WAN1"
+ transform: ""
+ sa_sec: "3600"
+ sa_kb: "100000"
+ tfc_packets: "no"
+ - matched_address: "CMAP_FR_TEST_VPN"
+ connection_type: "bidirectional"
+ map: "WAN1_CMAP"
+ seq: "100"
+ pfs: "group5"
+ peer: "192.0.2.5"
+ ikev1_phase1_mode: "main"
+ ikev1_transform_set: "DES-MD5"
+ ikev2_mode: "tunnel"
+ isakmp_dynamic: ""
+ interface: "WAN1"
+ transform: ""
+ sa_sec: "3600"
+ sa_kb: "100000"
+ tfc_packets: "no"
+ - matched_address: ""
+ connection_type: ""
+ map: "WAN1_CMAP"
+ seq: "65535"
+ pfs: ""
+ peer: ""
+ ikev1_phase1_mode: ""
+ ikev1_transform_set: ""
+ ikev2_mode: ""
+ isakmp_dynamic: "SYSTEM_DEFAULT_CRYPTO_MAP"
+ interface: "WAN1"
+ transform: ""
+ sa_sec: ""
+ sa_kb: ""
+ tfc_packets: ""
+ - matched_address: "CMAP_RU17"
+ connection_type: "bidirectional"
+ map: "S2S_CMAP"
+ seq: "10"
+ pfs: ""
+ peer: "172.21.251.10"
+ ikev1_phase1_mode: "main"
+ ikev1_transform_set: "ESP-AES-256-SHA ESP-AES-192-SHA"
+ ikev2_mode: "tunnel"
+ isakmp_dynamic: ""
+ interface: ""
+ transform: ""
+ sa_sec: ""
+ sa_kb: ""
+ tfc_packets: "no"
+ - matched_address: "CMAP_RU12"
+ connection_type: "bidirectional"
+ map: "S2S_CMAP"
+ seq: "20"
+ pfs: ""
+ peer: "172.21.251.26"
+ ikev1_phase1_mode: "main"
+ ikev1_transform_set: "ESP-AES-256-SHA ESP-AES-192-SHA"
+ ikev2_mode: "tunnel"
+ isakmp_dynamic: ""
+ interface: ""
+ transform: ""
+ sa_sec: ""
+ sa_kb: ""
+ tfc_packets: "no"
+ - matched_address: "CMAP_RU11"
+ connection_type: "bidirectional"
+ map: "S2S_CMAP"
+ seq: "30"
+ pfs: ""
+ peer: "172.21.251.18"
+ ikev1_phase1_mode: "main"
+ ikev1_transform_set: "ESP-AES-256-SHA ESP-AES-192-SHA"
+ ikev2_mode: "tunnel"
+ isakmp_dynamic: ""
+ interface: ""
+ transform: ""
+ sa_sec: ""
+ sa_kb: ""
+ tfc_packets: "no"
+ - matched_address: "CMAP_RU16"
+ connection_type: "bidirectional"
+ map: "S2S_CMAP"
+ seq: "40"
+ pfs: ""
+ peer: "172.21.251.34"
+ ikev1_phase1_mode: "main"
+ ikev1_transform_set: "ESP-AES-256-SHA ESP-AES-192-SHA"
+ ikev2_mode: "tunnel"
+ isakmp_dynamic: ""
+ interface: ""
+ transform: ""
+ sa_sec: ""
+ sa_kb: ""
+ tfc_packets: "no"
+ - matched_address: "CMAP_RU16_Access-to-Internet"
+ connection_type: "bidirectional"
+ map: "S2S_CMAP"
+ seq: "160"
+ pfs: ""
+ peer: "172.21.251.34"
+ ikev1_phase1_mode: "main"
+ ikev1_transform_set: "ESP-AES-256-SHA ESP-AES-192-SHA"
+ ikev2_mode: "tunnel"
+ isakmp_dynamic: ""
+ interface: ""
+ transform: ""
+ sa_sec: ""
+ sa_kb: ""
+ tfc_packets: ""