[python]Netmiko on Cisco ASA

The ASA i am using to test is a ASAv version 952-204, netmiko supports the device type cisco_asa.
I am testing on the time taken to finish the script, and also send command and send command from file features of netmiko.

i have a challenge, how do i put the deny rule correctly? i need to evaluate the entire access list and insert the deny rule appropriately.

Below are lines of code for testing.

from netmiko import ConnectHandler
from getpass import getpass
import logging
from cryptography.fernet import Fernet
import json
from os.path import exists
import time

                    format='%(asctime)s:%(msecs)d %(name)s %(levelname)s %(message)s',
                    datefmt='%a, %d %b %Y, %H:%M:%S',

start_time = time.time() # start time to execute the python script.
# get credential returns dictionary
def get_creds():
    username = input("Username: ")
    password = getpass()
    return {"username": username,
            "password": password}

# For encrypting and descrypting file, mode=1 is encrypt which is default, 0 is decrypt.
def cred_file_security(cipher, filename, creds=None, mode=1):
    byte_string = json.dumps(creds).encode('utf-8')
    # print(byte_string)
    byte_ciphertext = cipher.encrypt(byte_string)
    if mode == 1:
        with open(filename, "wb") as encrypt_file:
            return "credential is encrypted in {}".format(filename)
    elif mode == 0:
        print("Decrypting file...")
        with open(filename, "rb") as decrypt_file:
            data = decrypt_file.read()
            # print(data)
        decrypted_data = cipher.decrypt(data).decode('utf-8')
        return decrypted_data
        return "{} cannot be opened!!".format(filename)

if __name__ == "__main__":
    cmd = "sh access-list"
    # Fernet key generation, if the key is not present
    # enc.key is the key for encrypting and decrypting keep it safe.
    if not exists("enc.key"):
        key = Fernet.generate_key()
        with open("enc.key", "wb") as key_file:
    # If the key already exists, open the key and use the key to create a cipher
    with open("enc.key", "rb") as read_key_file:
        key_file = read_key_file.read()
    # use the cipher to encrypt and decrypt for later.
    cipher = Fernet(key_file)
    # change the encrypted filename anytime.
    filename = "creds.enc"
    if not exists(filename):
        file_response = cred_file_security(cipher, filename, creds=get_creds(), mode=1)
        file_response = json.loads(cred_file_security(cipher, filename, mode=0))

    asav = {
        "device_type": "cisco_asa",
        "ip": "",
        "username": file_response['username'],
        "password": file_response['password']
    with ConnectHandler(**asav) as m:
        capture_rules = m.send_command(cmd)
        print("\n------Capturing the existing policies------")
        print("\n-----Updating new policies to block malicious traffic------")
        output = m.send_config_from_file("config.txt")
        print("\n----Command pushed-----")

# time takes to finish the entire script.
print("\n----Script elasped time: {} seconds".format(time.time() - start_time))

The config.txt used by the test code:

access-list global_access line 1 extended deny tcp host host eq www log
access-list global_access line 2 extended deny tcp host host eq https log


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s