LMS compliance check on all access lists

Hello, I am trying to create a compliance template in LMS 3.2.1 to check ALL extended access lists for an explicit deny any any rule. I found articles on how to check all interfaces including VLANs but cannot seem to make it work for access lists. BTW, the access lists are not all named the same on all devices, therefore I need to use wildcards for the name.

Thanks.

3 REPLIES
Bronze

LMS compliance check on all access lists

If you use the "ip access-list extended ...." syntax you can check:

in config mode:

ip access-list extended [#.*#]

for:

+deny any any

I don't see a possibility for the "classic" syntax like:

ip access-list 199 permit ...

ip access-list 199 deny any any

New Member

LMS compliance check on all access lists
I forgot to mention that I am running this against Cisco ASA devices, which display it like this:

access-list TEST_ACL extended deny ip any any

I have tried:

access-list [#.*#] extended deny ip any any

but it returns all as compliant because it is stopping at the first access-list it finds with the explicit deny ip any any command and not continuing on to check all the other access lists.

Any ideas?

Bronze

LMS compliance check on all access lists

Sorry, as I wrote: for that I can't think of any solution for the syntax

access-list [name] extended [permit|deny] ...

Extended Regex can reference match strings, so theoretically you could use the match for .* and use the value (which is the name of the access-list) for further matching, but I can't imagine a way to use this possibility here...

Regards,

MiKa
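The limitation discussed in the thread is that the LMS template matches the first `access-list ... extended deny ip any any` line and stops, so it never evaluates the other ACLs on the same device. The added example below (it is not code from the original thread, from LMS, or from Cisco) shows the per-ACL grouping that such a check needs: it parses a saved ASA running-config, groups extended ACEs by ACL name, and reports each ACL separately, flagging both ACLs with no explicit deny and ACLs where the deny is present but not the final entry. The config text is constructed for the example; the ACL names and addresses in it are invented.

```python
import re
from collections import OrderedDict

# Constructed sample ASA running-config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
hostname asa-example
access-list TEST_ACL extended permit tcp any host 10.0.0.5 eq 443
access-list TEST_ACL extended deny ip any any
access-list INSIDE_IN extended permit ip 10.1.0.0 255.255.0.0 any
access-list INSIDE_IN extended permit udp any any eq 53
access-list DMZ_OUT extended permit tcp any any eq 80
access-list DMZ_OUT extended deny ip any any log
access-list MGMT remark management access
access-list MGMT extended permit tcp host 10.9.9.9 any eq 22
access-list WEB_OUT extended deny ip any any
access-list WEB_OUT extended permit tcp any any eq 80
"""

# One extended ACE: "access-list <name> extended <permit|deny> <rest>".
# Remark lines and standard ACLs deliberately do not match.
ACE_LINE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+(?P<rest>.*)$"
)
# The explicit catch-all deny; "(\s|$)" lets a trailing "log" keyword through.
EXPLICIT_DENY = re.compile(r"^deny\s+ip\s+any\s+any(\s|$)")


def parse_acls(config_text):
    """Group extended ACEs by ACL name, preserving the order in which they appear."""
    acls = OrderedDict()
    for raw in config_text.splitlines():
        m = ACE_LINE.match(raw.strip())
        if not m:
            continue  # hostname, remarks, other config lines
        ace = f"{m.group('action')} {m.group('rest')}"
        acls.setdefault(m.group("name"), []).append(ace)
    return acls


def audit_acl(aces):
    """Classify one ACL's ordered list of ACEs.

    Returns one of:
      "compliant"               - last ACE is an explicit deny ip any any
      "explicit_deny_not_last"  - a deny ip any any exists but later ACEs follow it
                                  (those later ACEs are shadowed and never match)
      "missing_explicit_deny"   - no explicit deny ip any any at all
    """
    deny_positions = [i for i, ace in enumerate(aces) if EXPLICIT_DENY.match(ace)]
    if not deny_positions:
        return "missing_explicit_deny"
    if deny_positions[0] == len(aces) - 1:
        return "compliant"
    return "explicit_deny_not_last"


def audit_config(config_text):
    """Return {acl_name: status} for every extended ACL in the config."""
    return {name: audit_acl(aces) for name, aces in parse_acls(config_text).items()}


def noncompliant_acls(config_text):
    """Sorted names of ACLs that are not compliant, for a report or ticket."""
    return sorted(n for n, status in audit_config(config_text).items() if status != "compliant")


if __name__ == "__main__":
    for name, status in audit_config(SAMPLE_CONFIG).items():
        print(f"{name:12s} {status}")
```

Because the ACEs are grouped by name before the check runs, a device with one compliant ACL no longer masks the others, which is exactly the failure the second post describes. The `explicit_deny_not_last` status is included because a `deny ip any any` placed early in an ACL is the more dangerous misconfiguration: every ACE after it is dead, so the permits an operator believes are in effect are not.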
