[python]Netmiko on Cisco ASA

The ASA I am using to test is an ASAv, version 952-204; netmiko supports the device type cisco_asa.
I am testing the time taken to finish the script, and also netmiko's send-command and send-config-from-file features.

I have a challenge: how do I place the deny rule correctly? I need to evaluate the entire access list and insert the deny rule at the appropriate position.

Below are lines of code for testing.

import json
import logging
import os
import time
from getpass import getpass
from os.path import exists

from cryptography.fernet import Fernet
from netmiko import ConnectHandler

# Root logger: append every record at DEBUG and above to log.txt, one
# timestamped line per record.
# NOTE(review): at DEBUG the root logger also receives netmiko's own debug
# output, which can include the session channel traffic (and therefore the
# login password) — verify what lands in log.txt before keeping DEBUG on a
# shared host, or raise the level to INFO.
_LOG_FORMAT = '%(asctime)s:%(msecs)d %(name)s %(levelname)s %(message)s'
_LOG_DATEFMT = '%a, %d %b %Y, %H:%M:%S'
logging.basicConfig(
    level=logging.DEBUG,
    filename="log.txt",
    filemode='a',
    format=_LOG_FORMAT,
    datefmt=_LOG_DATEFMT,
)


# Wall-clock timestamp taken at import; the elapsed-time report at the end
# of the script is measured from here.
start_time: float = time.time()
def get_creds():
    """Prompt interactively for a username and password.

    Returns:
        dict with the keys "username" and "password". The password is read
        with getpass so it is not echoed to the terminal.
    """
    # Dict literals evaluate in order, so the username prompt comes first.
    return {
        "username": input("Username: "),
        "password": getpass(),
    }


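def cred_file_security(cipher, filename, creds=None, mode=1):
    """Encrypt credentials to, or decrypt them from, *filename*.

    Args:
        cipher: object with ``encrypt(bytes) -> bytes`` and
            ``decrypt(bytes) -> bytes`` (a ``Fernet`` instance in this script).
        filename: path of the encrypted credential file.
        creds: JSON-serialisable credentials to store; required when
            ``mode == 1``, ignored otherwise.
        mode: 1 (default) encrypts *creds* into *filename*; 0 decrypts
            *filename*.

    Returns:
        mode 1: a status string naming the file written.
        mode 0: the decrypted JSON text (the caller parses it).
        any other mode: the "cannot be opened" message, kept as a return
        value rather than an exception for compatibility with callers.

    Raises:
        ValueError: if ``mode == 1`` and *creds* is ``None`` — otherwise the
            literal JSON ``null`` would be encrypted and stored silently.
    """
    if mode == 1:
        if creds is None:
            raise ValueError("creds must be given when mode=1 (encrypt)")
        # Serialise and encrypt only in encrypt mode; decrypt mode never
        # needs the ciphertext.
        byte_ciphertext = cipher.encrypt(json.dumps(creds).encode('utf-8'))
        with open(filename, "wb") as encrypt_file:
            encrypt_file.write(byte_ciphertext)
        return "credential is encrypted in {}".format(filename)
    if mode == 0:
        print("Decrypting file...")
        with open(filename, "rb") as decrypt_file:
            data = decrypt_file.read()
        return cipher.decrypt(data).decode('utf-8')
    return "{} cannot be opened!!".format(filename)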


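if __name__ == "__main__":
    cmd = "sh access-list"
    # Fernet key generation, if the key is not present.
    # enc.key is the key for encrypting and decrypting; keep it safe. It is
    # created owner read/write only (0o600) so other local accounts cannot
    # read it; the mode bits are ignored on Windows.
    if not exists("enc.key"):
        key = Fernet.generate_key()
        key_fd = os.open("enc.key", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with open(key_fd, "wb") as key_file:
            key_file.write(key)
    # Open the (new or pre-existing) key and build the cipher used below.
    with open("enc.key", "rb") as read_key_file:
        key_bytes = read_key_file.read()
    cipher = Fernet(key_bytes)
    # change the encrypted filename anytime.
    filename = "creds.enc"
    # First run: prompt, store the encrypted credentials and keep the dict
    # for this session.  The encrypt call returns a status string, not the
    # credentials, so indexing its result would fail with TypeError.
    # Later runs: decrypt the stored JSON back into the dict.
    if not exists(filename):
        creds = get_creds()
        print(cred_file_security(cipher, filename, creds=creds, mode=1))
    else:
        creds = json.loads(cred_file_security(cipher, filename, mode=0))

    asav = {
        "device_type": "cisco_asa",
        "ip": "192.168.1.14",
        "username": creds['username'],
        "password": creds['password']
    }
    with ConnectHandler(**asav) as m:
        # Capture the current ACLs before pushing anything so the run is auditable.
        capture_rules = m.send_command(cmd)
        print("\n------Capturing the existing policies------")
        print(capture_rules)
        time.sleep(0.5)
        print("\n-----Updating new policies to block malicious traffic------")
        # config.txt holds the access-list lines pushed to the device.
        output = m.send_config_from_file("config.txt")
        time.sleep(0.5)
        print(output)
        print("\n----Command pushed-----")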

# Report how long the whole script took, measured from start_time at import.
print(f"\n----Script elasped time: {time.time() - start_time} seconds")

The config.txt used by the test code:

access-list global_access line 1 extended deny tcp host 192.168.2.1 host 192.168.1.1 eq www log
access-list global_access line 2 extended deny tcp host 192.168.2.1 host 192.168.1.1 eq https log
