One-liner: how to generate group-url for all remote-access tunnel-groups (Cisco ASA)

This one-liner takes Cisco ASA config, checks for “tunnel-group … remote-access” and generates the following two lines:

tunnel-group GROUPNAME webvpn-attributes
 group-url https://CISCO_ASA_FW_FQDN/GROUPNAME enable
for i in `fgrep tunnel-group CISCO_ASA.conf | fgrep remote-access | awk '{print $2}'`
do
echo "tunnel-group $i webvpn-attributes"
echo " group-url https://CISCO_ASA_FW_FQDN/$i enable"
done

One-liners: simple ASA log parsers

Sometimes you do not need a detailed log-analysis but several simple one-liners that you can adjust without too much thinking how it works, what you did last time, etc. The examples below are absolutely NOT optimal, but rather modular for easy line-editing.

1. Allowed traffic:

cat   asa.log | grep permitted | grep access-list |
sed -e 's/^.*permitted//' -e 's/hit-cnt.*$//' |
sed -e 's/([0-9][0-9]*) ->/ ->/' | less

Result:

 tcp outside/10.2.8.30 -> inside/10.1.141.23(8080)
 tcp outside/10.2.8.30 -> inside/10.1.141.23(8080)
 tcp outside/10.2.8.35 -> inside/10.1.140.137(13000)
 udp outside/10.2.8.25 -> inside/10.1.9.14(137)
 udp outside/10.2.8.25 -> inside/10.1.81.15(137)
 tcp outside/10.2.8.44 -> inside/10.1.140.137(13000)
 tcp outside/10.2.8.31 -> inside/10.1.140.149(13000)

Noticed the “permitted” strings?

2. Denied traffic:

cat   asa.log | grep denied | grep access-list |
sed -e 's/^.*denied//' -e 's/hit-cnt.*$//' |
sed -e 's/([0-9][0-9]*) ->/ ->/' | less

Result:

 tcp inside/10.1.140.159 -> outside/10.2.8.24(515)
 tcp inside/10.1.140.159 -> outside/10.2.8.24(515)
 tcp inside/10.3.241.116 -> outside/10.2.8.251(1541)
 tcp inside/10.3.241.116 -> outside/10.2.8.251(1547)
 tcp inside/10.1.140.159 -> outside/10.2.8.24(515)

3. The most popular permitted traffic:

cat   asa.log | grep permitted | grep access-list | 
sed -e 's/^.*permitted//' -e 's/hit-cnt.*$//' |
sed -e 's/([0-9][0-9]*) ->/ ->/' |
awk ' {conn[$0]++;} END { for ( i in conn ) print conn[i],"	",i;}' | sort +0nr | less

Result (the first column is the amount of corresponding log entries):

21170   tcp outside/10.2.8.40 -> inside/10.1.140.149(13000)
18023   tcp outside/10.2.8.34 -> inside/10.1.140.149(13000)
17981   tcp outside/10.2.8.31 -> inside/10.1.140.149(13000)
11034   tcp inside/10.1.140.251 -> outside/10.2.8.68(10001)
10652   tcp outside/10.2.8.43 -> inside/10.1.140.137(13000)
10628   tcp outside/10.2.8.44 -> inside/10.1.140.137(13000)
10484   tcp outside/10.2.8.47 -> inside/10.1.140.137(13000)
10437   tcp outside/10.2.8.23 -> inside/10.1.140.137(13000)
7618   tcp outside/10.2.8.25 -> inside/10.1.140.137(13000)
7550   tcp outside/10.2.8.27 -> inside/10.1.140.137(13000)
7515   tcp outside/10.2.8.49 -> inside/10.1.140.137(13000)
7496   tcp outside/10.2.8.29 -> inside/10.1.140.137(13000)
6826   tcp outside/10.2.8.30 -> inside/10.1.141.23(8080)
6011   tcp outside/10.2.8.35 -> inside/10.1.140.137(13000)
5896   tcp outside/10.2.8.40 -> inside/10.1.141.23(8080)
5809   tcp outside/10.2.8.30 -> inside/10.1.140.137(13000)

4. Modification for versions 8.2+:

cat asa.log | grep Deny | grep access-group | sed -e 's/^.*Deny//' -e 's/by.*$//' | sed -e 's/dst/ ->/' -e 's/src//' | less

You can use this method to generate a policy based on the current traffic.

Additional “greps” will allow you to filter for specific ports or IP-addresses.

Replace “permitted” with “denied” and you’ll get the “most popular denied traffic”.

ASA and traceroute

By default ASA does not decrease the TTL field, hence is not visible in traceroute output. This is how to change this behaviour :

asa# conf t
asa(config)# icmp unreachable rate-limit 10 burst-size 5
asa(config)# policy-map global_policy
asa(config-pmap)#
asa(config-pmap)#  class class-default
asa(config-pmap-c)# set connection decrement-ttl

The result:

asa# sh run
. . .
icmp unreachable rate-limit 10 burst-size 5
. . .
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  . . .
  inspect icmp
  inspect sunrpc

 class class-default
  set connection decrement-ttl

service-policy global_policy global
. . .

Sources:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
http://packetu.com/content/view/50/