ACL and NAT sequence
Would be valuable to have the ACE and NAT sequence number when analyzing objects. Also which interface/zone that object sits behind if it is doable (dynamic routing)
thanks
Can you mark up an example output with how you would want this to look and how it would be useful?
Here is an example:
USED OBJECTS BREAKDOWN:
ABC-DMZ-SVR
>> Usage Count: 7
>> Members:
host 1.1.1.1
>> Usage:
access-list CSM_FW_ACL_DMZ4 extended permit tcp object ABC-DMZ-SVR object obj-10.1.3.201 eq 445 – line 4
access-list CSM_FW_ACL_DMZ4 extended permit tcp object ABC-DMZ-SVR object obj-10.1.3.201 eq 135 – line 5
access-list CSM_FW_ACL_DMZ4 extended permit tcp object ABC-DMZ-SVR object obj-10.1.3.201 eq 2701 – line 9
access-list CSM_FW_ACL_DMZ4 extended permit tcp object ABC-DMZ-SVR object obj-10.1.3.201 eq 2702
access-list CSM_FW_ACL_DMZ4 extended permit udp object ABC-DMZ-SVR object obj-10.1.3.201 eq 135
access-list CSM_FW_ACL_DMZ4 extended permit udp object ABC-DMZ-SVR object obj-10.1.3.201 eq 2701
access-list CSM_FW_ACL_DMZ4 extended permit udp object ABC-DMZ-SVR object obj-10.1.3.201 eq 2702
ABC_NET – point the users to the line item
>> Usage Count: 1
>> Members:
subnet 2.2.2.0 255.255.255.0
nat (in,outside) dynamic 3.3.3.3
Also, one more ask: if you could put the number of ACEs that make up the ACLs that are in use, it will give a good snapshot of how many ACLs are configured on a firewall.
acl_firepower
>> Usage Count: 1
>> Members:
>> Entries: 400
>> Usage:
class-map firepower
match access-list acl_firepower
Reusing the README example here and marking up with line numbers. How would this look?
Edited: Using 10| formatting to show line numbers.
> ./ASA-Cleanup -nogamu ../Examples/ASA_CONFIG.txt
############### OBJECTS ANALYSIS ###############
################################################
### USED OBJECTS BREAKDOWN:
USED_OBJECT_1
>> Usage Count: 1
>> Members:
17| host 10.0.0.2
>> Usage:
19| object-group network USED_OBJECT-GROUP_1
20| network-object object USED_OBJECT_1
### UNUSED OBJECTS:
UNUSED_OBJECT_2
UNUSED_OBJECT_3
UNUSED_OBJECT_1
### DOUBLE CHECK UNUSED OBJECTS:
show run | in UNUSED_OBJECT_2
show run | in UNUSED_OBJECT_3
show run | in UNUSED_OBJECT_1
### REMOVE UNUSED OBJECTS:
no object network UNUSED_OBJECT_2
no object network UNUSED_OBJECT_3
no object network UNUSED_OBJECT_1
################################################
################################################
############### NAMES ANALYSIS ###############
##############################################
### USED NAMES BREAKDOWN:
USED_NAME_1
>> Usage Count: 1
>> Members:
>> Usage:
25| object-group network USED_OBJECT-GROUP_2
26| network-object host USED_NAME_1
### UNUSED NAMES:
UNUSED_NAME_1
UNUSED_NAME_2
UNUSED_NAME_3
### DOUBLE CHECK UNUSED NAMES:
show run | in UNUSED_NAME_1
show run | in UNUSED_NAME_2
show run | in UNUSED_NAME_3
### REMOVE UNUSED NAMES:
no name 1.1.1.1 UNUSED_NAME_1
no name 1.1.1.2 UNUSED_NAME_2
no name 1.1.1.3 UNUSED_NAME_3
##############################################
##############################################
############### ACCESS-LISTS ANALYSIS ###############
#####################################################
### USED ACCESS-LISTS BREAKDOWN:
USED_ACL
>> Usage Count: 1
>> Members:
>> Usage:
15| access-group USED_ACL in interface TEMP
### UNUSED ACCESS-LISTS:
UNUSED_ACL
### DOUBLE CHECK UNUSED ACCESS-LISTS:
show run | in UNUSED_ACL
### REMOVE UNUSED ACCESS-LISTS:
clear configure access-list UNUSED_ACL
#####################################################
#####################################################
############### OBJECT-GROUPS ANALYSIS ###############
######################################################
### USED OBJECT-GROUPS BREAKDOWN:
USED_OBJECT-GROUP_2
>> Usage Count: 1
>> Members:
3| description Using a name here
24| network-object host USED_NAME_1
>> Usage:
100| access-list USED_ACL extended permit ip object-group USED_OBJECT-GROUP_1 object-group USED_OBJECT-GROUP_2
USED_OBJECT-GROUP_1
>> Usage Count: 1
>> Members:
110| network-object host 5.5.5.5
112| network-object object USED_OBJECT_1
>> Usage:
access-list USED_ACL extended permit ip object-group USED_OBJECT-GROUP_1 object-group USED_OBJECT-GROUP_2
### UNUSED OBJECT-GROUPS:
UNUSED_OBJECT-GROUP_2
UNUSED_OBJECT-GROUP_1
### DOUBLE CHECK UNUSED OBJECT-GROUPS:
show run | in UNUSED_OBJECT-GROUP_2
show run | in UNUSED_OBJECT-GROUP_1
### REMOVE UNUSED OBJECT-GROUPS:
no object-group network UNUSED_OBJECT-GROUP_2
no object-group network UNUSED_OBJECT-GROUP_1
######################################################
######################################################
How does the above look?
Getting close,
I don’t need the sequence numbers for the object entries per se, just the NAT and ACE line. Bold is what I am interested in; I do not see any NAT examples in the read-only.
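As an added illustration of the output being asked for in this thread (this is example code, not ASA-Cleanup's own), here is a small Python parser that reads a running-config as text and, for each object, lists every access-list and nat line that references it together with the config line number, the ACE's position within its ACL, and the interface the ACL is bound to via access-group, plus the ACE count per ACL. The sample config, object names and addresses are constructed. It goes slightly beyond the thread by also recording object-group membership references and twice-NAT lines, because an object that is referenced only from NAT would otherwise be reported as unused and offered for removal. Placing an object behind an interface by routing (the "which zone does it sit behind" ask) is not attempted, since that needs the routing table rather than the config.

```python
"""Where is each ASA object used, and on which config line?

Added example for this thread, not ASA-Cleanup's own code.
"""
import re
from collections import defaultdict

# Constructed sample running-config; names and addresses are made up.
SAMPLE_CONFIG = """\
object network ABC-DMZ-SVR
 host 1.1.1.1
object network ABC_NET
 subnet 2.2.2.0 255.255.255.0
 nat (in,outside) dynamic 3.3.3.3
object network obj-10.1.3.201
 host 10.1.3.201
object network UNUSED_OBJECT_1
 host 9.9.9.9
object-group network DMZ-SERVERS
 network-object object ABC-DMZ-SVR
 network-object host 5.5.5.5
access-list CSM_FW_ACL_DMZ4 remark RPC and SMB from the DMZ server
access-list CSM_FW_ACL_DMZ4 extended permit tcp object ABC-DMZ-SVR object obj-10.1.3.201 eq 445
access-list CSM_FW_ACL_DMZ4 extended permit tcp object ABC-DMZ-SVR object obj-10.1.3.201 eq 135
access-list CSM_FW_ACL_DMZ4 extended permit udp object ABC-DMZ-SVR object obj-10.1.3.201 eq 135
access-list UNUSED_ACL extended permit ip any any
nat (DMZ,outside) source static ABC-DMZ-SVR ABC-DMZ-SVR destination static obj-10.1.3.201 obj-10.1.3.201
access-group CSM_FW_ACL_DMZ4 in interface DMZ
"""

DEFINITION_RE = re.compile(r"^object(?:-group)? (?:network|service) (\S+)")
ACL_LINE_RE = re.compile(r"^access-list (\S+) (\S+)")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) (?:in|out) interface (\S+)")
NAT_RE = re.compile(r"^\s*nat \(([^,]+),([^)]+)\)")
# "object X", "object-group X" or "group-object X"; the lookbehind stops
# "network-object host ..." from being read as a reference named "host".
REF_RE = re.compile(r"(?:(?<![\w-])object(?:-group)?|group-object) (\S+)")


def analyze(config_text):
    lines = config_text.splitlines()
    defined = {m.group(1) for m in map(DEFINITION_RE.match, lines) if m}
    usage = defaultdict(list)   # object name -> usage records
    acls = {}                   # acl name -> {"entries", "lines", "interface"}
    container = None            # object / object-group block we are inside
    for lineno, line in enumerate(lines, start=1):
        m = DEFINITION_RE.match(line)
        if m:
            container = m.group(1)
            continue
        if line.startswith(" "):            # indented: body of the current block
            nat = NAT_RE.match(line)
            if nat and container:           # object NAT lives inside the object block
                usage[container].append(dict(kind="nat", line=lineno,
                                             interfaces=nat.groups(), text=line.strip()))
            for ref in REF_RE.findall(line):   # group members that reference objects
                usage[ref].append(dict(kind="member", line=lineno,
                                       container=container, text=line.strip()))
            continue
        container = None
        m = ACL_LINE_RE.match(line)
        if m:
            acl, kind = m.groups()
            info = acls.setdefault(acl, {"entries": 0, "lines": 0, "interface": None})
            # Ordinal among the ACL's configured lines, remarks included; confirm
            # against "show access-list" on the device before acting on it.
            info["lines"] += 1
            if kind == "remark":
                continue
            info["entries"] += 1
            for ref in REF_RE.findall(line):
                usage[ref].append(dict(kind="ace", line=lineno, acl=acl,
                                       position=info["lines"], text=line))
            continue
        nat = NAT_RE.match(line)
        if nat:                             # twice NAT: any token that is a defined name
            for tok in sorted(set(line.split()) & defined):
                usage[tok].append(dict(kind="nat", line=lineno,
                                       interfaces=nat.groups(), text=line))
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m:
            info = acls.setdefault(m.group(1), {"entries": 0, "lines": 0, "interface": None})
            info["interface"] = m.group(2)
    for records in usage.values():          # ACEs inherit the ACL's bound interface
        for rec in records:
            if rec["kind"] == "ace":
                rec["interface"] = acls[rec["acl"]]["interface"]
    return {"objects": dict(usage), "acls": acls, "unused": sorted(defined - set(usage))}


def render(report):
    """Text in the style of the tool's breakdown, prefixed with config line numbers."""
    out = []
    for name, recs in sorted(report["objects"].items()):
        out += [name, f">> Usage Count: {len(recs)}", ">> Usage:"]
        for r in recs:
            if r["kind"] == "ace":
                where = f"ACE {r['position']} of {r['acl']}, interface {r['interface']}"
            elif r["kind"] == "nat":
                where = "NAT {}->{}".format(*r["interfaces"])
            else:
                where = f"member of {r['container']}"
            out.append(f"{r['line']:>4}| {r['text']}   ({where})")
    for acl, info in sorted(report["acls"].items()):
        out.append(f"ACL {acl}: {info['entries']} entries, access-group interface {info['interface']}")
    out.append("UNUSED: " + ", ".join(report["unused"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(render(analyze(SAMPLE_CONFIG)))
```

Run it as-is to see the sample breakdown; feed it `show running-config` output to analyze a real box. Note that UNUSED_ACL is listed with an entry count but no access-group interface, which is the kind of ACL the thread's "unused access-lists" section would offer for removal, and that ABC_NET shows up as used only through its object NAT line, which is exactly the case a usage count based on access-lists alone would miss.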