ACL and NAT sequence

[svt1998gt]

Would be valuable to have the ACE and NAT sequence number when analyzing objects. Also which interface/zone that object sits behind if it is doable (dynamic routing)

thanks

[PackeTsar]

Can you mark up an example output with how you would want this to look and how it would be useful?

[svt1998gt]

Here is an example –.

USED OBJECTS BREAKDOWN:

ABC-DMZ-SVR

                >> Usage Count: 7

                >> Members:

                                   host 1.1.1.1

                >> Usage:

                                  access-list CSM_FW_ACL_DMZ4 extended permit tcp object ABC-DMZ-SVR object obj-10.1.3.201 eq 445 – line 4

                                  access-list CSM_FW_ACL_DMZ4 extended permit tcp object ABC-DMZ-SVR object obj-10.1.3.201 eq 135 – line 5

                                  access-list CSM_FW_ACL_DMZ4 extended permit tcp object ABC-DMZ-SVR object obj-10.1.3.201 eq 2701 – line 9

                                  access-list CSM_FW_ACL_DMZ4 extended permit tcp object ABC-DMZ-SVR object obj-10.1.3.201 eq 2702

                                  access-list CSM_FW_ACL_DMZ4 extended permit udp object ABC-DMZ-SVR object obj-10.1.3.201 eq 135

                                  access-list CSM_FW_ACL_DMZ4 extended permit udp object ABC-DMZ-SVR object obj-10.1.3.201 eq 2701

                                  access-list CSM_FW_ACL_DMZ4 extended permit udp object ABC-DMZ-SVR object obj-10.1.3.201 eq 2702

ABC_NET – point the users to the line item

                >> Usage Count: 1

                >> Members:

                                   subnet 2.2.2.0 255.255.255.0

                                   nat (in,outside) dynamic 3.3.3.3

Also one more ask is that if you could put the number of ACE that make up the ACLs that are in use, will give a good snapshot of how many ACLs are configured on a firewall.

acl_firepower

                >> Usage Count: 1

                >> Members:

                >> Entries: 400

                >> Usage:

                                  class-map firepower

                                                   match access-list acl_firepower

[PackeTsar]

Reusing the README example here and marking up with line numbers. How would this look?

Edited: Using 10| formatting to show line numbers.

> ./ASA-Cleanup -nogamu ../Examples/ASA_CONFIG.txt




############### OBJECTS ANALYSIS ###############
################################################



### USED OBJECTS BREAKDOWN:
USED_OBJECT_1
  >> Usage Count: 1
  >> Members:
       17| host 10.0.0.2
  >> Usage:
      19| object-group network USED_OBJECT-GROUP_1
      20|  network-object object USED_OBJECT_1



### UNUSED OBJECTS:
    UNUSED_OBJECT_2
    UNUSED_OBJECT_3
    UNUSED_OBJECT_1



### DOUBLE CHECK UNUSED OBJECTS:
    show run | in UNUSED_OBJECT_2
    show run | in UNUSED_OBJECT_3
    show run | in UNUSED_OBJECT_1



### REMOVE UNUSED OBJECTS:
    no object network UNUSED_OBJECT_2
    no object network UNUSED_OBJECT_3
    no object network UNUSED_OBJECT_1




################################################
################################################


############### NAMES ANALYSIS ###############
##############################################



### USED NAMES BREAKDOWN:
USED_NAME_1
  >> Usage Count: 1
  >> Members:
  >> Usage:
      25| object-group network USED_OBJECT-GROUP_2
      26|    network-object host USED_NAME_1



### UNUSED NAMES:
    UNUSED_NAME_1
    UNUSED_NAME_2
    UNUSED_NAME_3



### DOUBLE CHECK UNUSED NAMES:
    show run | in UNUSED_NAME_1
    show run | in UNUSED_NAME_2
    show run | in UNUSED_NAME_3



### REMOVE UNUSED NAMES:
    no name 1.1.1.1 UNUSED_NAME_1
    no name 1.1.1.2 UNUSED_NAME_2
    no name 1.1.1.3 UNUSED_NAME_3




##############################################
##############################################


############### ACCESS-LISTS ANALYSIS ###############
#####################################################



### USED ACCESS-LISTS BREAKDOWN:
USED_ACL
  >> Usage Count: 1
  >> Members:
  >> Usage:
      15| access-group USED_ACL in interface TEMP



### UNUSED ACCESS-LISTS:
    UNUSED_ACL



### DOUBLE CHECK UNUSED ACCESS-LISTS:
    show run | in UNUSED_ACL



### REMOVE UNUSED ACCESS-LISTS:
    clear configure access-list UNUSED_ACL




#####################################################
#####################################################


############### OBJECT-GROUPS ANALYSIS ###############
######################################################



### USED OBJECT-GROUPS BREAKDOWN:
USED_OBJECT-GROUP_2
  >> Usage Count: 1
  >> Members:
        3| description Using a name here
       24| network-object host USED_NAME_1
  >> Usage:
      100| access-list USED_ACL extended permit ip object-group USED_OBJECT-GROUP_1 object-group USED_OBJECT-GROUP_2
USED_OBJECT-GROUP_1
  >> Usage Count: 1
  >> Members:
       110| network-object host 5.5.5.5
       112| network-object object USED_OBJECT_1
  >> Usage:
      access-list USED_ACL extended permit ip object-group USED_OBJECT-GROUP_1 object-group USED_OBJECT-GROUP_2



### UNUSED OBJECT-GROUPS:
    UNUSED_OBJECT-GROUP_2
    UNUSED_OBJECT-GROUP_1



### DOUBLE CHECK UNUSED OBJECT-GROUPS:
    show run | in UNUSED_OBJECT-GROUP_2
    show run | in UNUSED_OBJECT-GROUP_1



### REMOVE UNUSED OBJECT-GROUPS:
    no object-group network UNUSED_OBJECT-GROUP_2
    no object-group network UNUSED_OBJECT-GROUP_1




######################################################
######################################################

[PackeTsar]

How does the above look?

[svt1998gt]

Getting close,

I don’t need the sequence numbers for the objects entries per say, just the NAT and ACE line. Bold is what I am interested in, I do not see any NAT examples in the read-only.