 

I've Googled and I cannot find a way of creating a range-style object in an ASA, the kind of thing where you want to allow IP addresses 192.168.1.10 through 192.168.1.20 in an ACL.

In my frustration I have given up and created a shell script which converts a CSV into ASA output. Simply create a CSV with three columns, which is the layout the script's read line expects: Col A containing the object-group name, Col B containing your starting IP and Col C containing your end IP.

The script is a set of nested loops (one per octet), so it should support large outputs such as 10.1.2.10 to 10.2.1.20; however, I'm not actually sure you'd want that in your firewall config, but I wrote the capability for the fun of it!

Have fun!

#!/bin/bash

# Read the CSV one line at a time: Col A = object-group name, Col B = first IP, Col C = last IP.
# IFS is set only for the read, so the comma splitting does not affect the rest of the loop.
while IFS=, read -r name firstip lastip
do
    # skip blank lines
    [ -z "$name" ] && continue

    # Split up our first IP into its octets
    firstipfirstoctect=$(echo "$firstip" | awk -F "." '{print $1}')
    firstipsecondoctect=$(echo "$firstip" | awk -F "." '{print $2}')
    firstipthirdoctect=$(echo "$firstip" | awk -F "." '{print $3}')
    firstipforthoctect=$(echo "$firstip" | awk -F "." '{print $4}')

    # Split up our last IP into its octets
    lastipfirstoctect=$(echo "$lastip" | awk -F "." '{print $1}')
    lastipsecondoctect=$(echo "$lastip" | awk -F "." '{print $2}')
    lastipthirdoctect=$(echo "$lastip" | awk -F "." '{print $3}')
    lastipforthoctect=$(echo "$lastip" | awk -F "." '{print $4}')

    # Echo out the object GROUP name
    echo "object-group network $name"

    # Loop through 1st octet
    for a in $(seq "$firstipfirstoctect" "$lastipfirstoctect")
    do
        # The 2nd octet covers 0-255, except that on the first value of the 1st octet it
        # starts at the CSV's 2nd octet, and on the last value it stops at the CSV's 2nd octet
        firstipsecondoctectCOUNTER=0
        lastipsecondoctectCOUNTER=255
        [ "$a" -eq "$firstipfirstoctect" ] && firstipsecondoctectCOUNTER=$firstipsecondoctect
        [ "$a" -eq "$lastipfirstoctect" ] && lastipsecondoctectCOUNTER=$lastipsecondoctect

        # Loop through 2nd octet, using the bounds just worked out (not the raw CSV octets)
        for b in $(seq "$firstipsecondoctectCOUNTER" "$lastipsecondoctectCOUNTER")
        do
            # Same tests as before, one octet further in: we are only at the start (or end)
            # of the range when every higher octet matches the CSV value as well
            firstipthirdoctectCOUNTER=0
            lastipthirdoctectCOUNTER=255
            [ "$a" -eq "$firstipfirstoctect" ] && [ "$b" -eq "$firstipsecondoctect" ] && firstipthirdoctectCOUNTER=$firstipthirdoctect
            [ "$a" -eq "$lastipfirstoctect" ] && [ "$b" -eq "$lastipsecondoctect" ] && lastipthirdoctectCOUNTER=$lastipthirdoctect

            # Loop through 3rd octet
            for c in $(seq "$firstipthirdoctectCOUNTER" "$lastipthirdoctectCOUNTER")
            do
                # copy / paste / tweak for the 4th octet
                firstipforthoctectCOUNTER=0
                lastipforthoctectCOUNTER=255
                [ "$a" -eq "$firstipfirstoctect" ] && [ "$b" -eq "$firstipsecondoctect" ] && [ "$c" -eq "$firstipthirdoctect" ] && firstipforthoctectCOUNTER=$firstipforthoctect
                [ "$a" -eq "$lastipfirstoctect" ] && [ "$b" -eq "$lastipsecondoctect" ] && [ "$c" -eq "$lastipthirdoctect" ] && lastipforthoctectCOUNTER=$lastipforthoctect

                # final octet... echo one host object per address
                for d in $(seq "$firstipforthoctectCOUNTER" "$lastipforthoctectCOUNTER")
                do
                    echo " network-object $a.$b.$c.$d  255.255.255.255"
                done
            done
        done
    done

done < ./FirewallRanges.csv
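An added example, not Nick's script: the same CSV-to-object-group conversion done with integer arithmetic, so a range that crosses octet boundaries is a single counting loop, and with each row checked before anything is emitted, because a malformed or reversed address or a fat-fingered range would otherwise go straight into firewall config. The function names, the characters allowed in a group name, the MAX_HOSTS cap (which would refuse the 10.1.2.10 to 10.2.1.20 case unless raised) and the sample rows are my own assumptions.

```shell
#!/bin/sh
# Added example, not the post's script: treat each address as a 32-bit integer so any
# IPv4 range is one counting loop, and reject malformed or oversized rows before they
# become firewall config. Function names, name charset and MAX_HOSTS are my choices.
MAX_HOSTS=${MAX_HOSTS:-4096}   # refuse rows that would expand past this many hosts

# ip2int DOTTED-QUAD -> prints the 32-bit value; returns 1 on malformed input
ip2int() {
    old_ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        # reject empty, non-numeric or leading-zero octets (bash reads 010 as octal)
        case "$o" in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip 32-BIT-VALUE -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_to_objects NAME FIRST LAST -> prints the object-group; returns 1 and says why on a bad row
range_to_objects() {
    case "$1" in ''|*[!A-Za-z0-9_.-]*) echo "bad object-group name '$1'" >&2; return 1 ;; esac
    first=$(ip2int "$2") || { echo "$1: bad start address '$2'" >&2; return 1; }
    last=$(ip2int "$3")  || { echo "$1: bad end address '$3'" >&2; return 1; }
    [ "$first" -le "$last" ] || { echo "$1: range is reversed ($2 > $3)" >&2; return 1; }
    [ $(( last - first + 1 )) -le "$MAX_HOSTS" ] || { echo "$1: over $MAX_HOSTS hosts, refusing" >&2; return 1; }
    echo "object-group network $1"
    n=$first
    while [ "$n" -le "$last" ]; do
        echo " network-object host $(int2ip "$n")"
        n=$(( n + 1 ))
    done
}

# Constructed sample rows in the post's name,first,last layout; the last row is deliberately broken
bad=0
while IFS=, read -r name firstip lastip; do
    [ -n "$name" ] || continue
    range_to_objects "$name" "$firstip" "$lastip" || bad=$(( bad + 1 ))
done <<'EOF'
WEB_SERVERS,192.168.1.10,192.168.1.20
CROSSES_OCTET,10.1.2.250,10.1.3.5
TYPO_RANGE,10.0.0.1,10.0.0.300
EOF
[ "$bad" -eq 0 ] || echo "$bad row(s) rejected; fix the CSV before pasting into the ASA" >&2
```

Point the loop at `< FirewallRanges.csv` instead of the here-document to run it on a real file; a non-zero rejection count means the generated config is incomplete and should not be pasted in as-is.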

rgds,

Nick

 
Nick Bettison ©