- Currently to run an ASA Trace you have to log in to get a packet capture
- As a test project we will create a python script and web front end to do the ASA packet capture on a given firewall
Background and strategic fit
This is a project we can use to learn the basics – python, CLI access to an ASA, building a command line program, and then porting it to the web.
To run a python script at the command line, type python followed by the script name.
Understanding the python code in the script:
- 101 on variable types, another
- python.org on modules, useful modules
- files in python, python.org on files
- stdin and stdout in python + linux, example in python
- printing in python (you really should just do the first 15-20 exercises at this site)
- sys and argv in python (for adding command line options to the script)
Using Expect scripts and the like isn’t really ‘network programming’ or ‘SDN’ – people have been able to do this for quite a while. However, APIs aren’t available on most devices today, so this is an introductory exercise that you can test on equipment you have around, and we can eventually swap the CLI for a REST API call, for example.
- You’ve got a linux shell and python shell set up. See the documentation on the getting started page if you still need to do this.
- You’ve got a firewall to test with or you’ve got access to the remote firewall in the Cisco lab. See the mailing list for access to the lab.
How to Run:
There’s a demo of this in the webex recording below; otherwise, here are the instructions.
Copy the code down with copy and paste or with git:
git clone https://github.com/npug/asa-capture
cd to the newly created asa-capture directory
VPN into the lab using the Anyconnect Instructions; ignore everything in those documents after the VPN is established.
Test by pinging 192.168.120.160
On the command line in Ubuntu type: ssh email@example.com and answer ‘yes’ to accept the host key. This is a mandatory step; the script doesn’t do this yet.
Quit the ssh session
Run the script with: python asa-capture.py
Type ‘ls’ and there will be .txt or .log files depending on what show commands you ran.
To view the files type ‘cat’ and then the filename.
Session 1: Here. Summary: Went over the script, how to install python, pip, pexpect. Ran the script, went over the code and then modified it a few times based on suggestions on the call.
https://github.com/npug/asa-capture/blob/testing1/asa-capture.py from the end of the session.
Fix the code and send the edits to the list so we can make the script better, and it will post up to the group Github.
The code currently has a few problems, see if you can fix them. If so, send the fixes over!
- You have to SSH manually to accept the key before the script will work
- Using exscript or paramiko may be better – try to get a script working with those modules instead
- The password, username, hostname, and IP addresses are manually added in the script. Change it to variables or better yet command line options!
- We need to extend this to do a packet capture and pull the packet capture down manually – can you code that?
```python
import pexpect  # module for logging into the ASA
import sys      # module for writing files to log/linux shell

# the login and enable passwords are still hard-coded (see the problems list above);
# the values here are placeholders, replace them with the lab credentials
PASSWORD = 'CHANGEME'
ENABLE_PASSWORD = 'CHANGEME'

# child becomes the object to send/receive commands from the ASA
# encoding= makes pexpect return text rather than bytes so it can be written to stdout (Python 3)
child = pexpect.spawn('ssh firstname.lastname@example.org', encoding='utf-8')

# for debugging we send the input and output to the linux shell
child.logfile_read = sys.stdout
child.logfile_send = sys.stdout

# familiar process of logging into a cisco device
# expect waits for response from the console
# some special characters here like:
#  . means any character
#  + means the previous character 1 or more times
#  * means the previous character 0 or more times
# the print commands are here in case you run into trouble and will give you an idea where the script stopped
print('expecting password')
child.expect('.*assword:.*')
print('sending password')
child.sendline(PASSWORD)
print('expecting login')
# expecting the hostname> prompt
child.expect('.*>.*')
# enter privileged exec mode
child.sendline('enable')
# expecting a password prompt
child.expect('.*assword:.*')
print('sending password')
child.sendline(ENABLE_PASSWORD)
print('expecting exec')
# expecting a login prompt of hostname#
child.expect('.*#.*')
# setting the terminal length to infinity so we don't need to press space or enter to continue the prompt
child.sendline('terminal pager 0')
child.expect('.*#.*')
# setting a new file for output so we can write output from the screen to a file for later
fout = open('test.log', 'w')
# setting the show version output to a file
child.logfile_read = fout
child.sendline('show version')
child.expect('.*#.*')
child.logfile_read = None  # stop logging before closing the file
fout.close()  # closing the file for best practice
child.sendline('exit')
child.close()
```
| Step | Title | Description | Notes |
|---|---|---|---|
| 1 | Send parameters | Send ACL + interfaces and capture names to ASA | 5 tuple |
| 2 | Login to ASA | Log into the ASA, authenticate, send CLI, and get CLI feedback | |
| 3 | Retrieve results | Parse the data back from the firewall | |
| 4 | Format and display results | Copy the packet capture off the firewall and display it locally | |
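As an added example (not code from the asa-capture repo), here is a builder for the ASA capture commands from the 5-tuple of step 1, written so the values that the problems list says are manually added to the script become validated function arguments; the function names, the CAP_ ACL naming convention and the sample addresses are assumptions. The returned lines are what the pexpect script above would hand to child.sendline().

```python
import ipaddress
import re

# Assumed names for illustration; CAP_<name> is a constructed ACL naming convention.
NAME_RE = re.compile(r'^[A-Za-z0-9_-]{1,32}$')
PROTOCOLS = ('tcp', 'udp', 'icmp', 'ip')

def _port(value):
    """Accept 1-65535 or None; anything else is rejected before it reaches the CLI."""
    if value is None:
        return None
    port = int(value)  # ValueError on non-numeric input
    if not 0 < port < 65536:
        raise ValueError('port out of range: %r' % value)
    return port

def build_capture_commands(name, interface, proto, src, dst, sport=None, dport=None):
    """ASA CLI lines that create an ACL for the 5-tuple and start a capture on the interface.
    Every field is validated first: the strings go to a privileged (enable) prompt, and
    once the script sits behind a web form they come from an untrusted user."""
    for field in (name, interface):
        if not NAME_RE.match(field):
            raise ValueError('bad name: %r' % field)
    if proto not in PROTOCOLS:
        raise ValueError('bad protocol: %r' % proto)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)  # rejects junk
    if src_ip.version != dst_ip.version:
        raise ValueError('src/dst address family mismatch')
    sport, dport = _port(sport), _port(dport)
    if proto not in ('tcp', 'udp') and (sport or dport):
        raise ValueError('ports only apply to tcp/udp')
    acl = 'CAP_' + name
    line = 'access-list %s extended permit %s host %s' % (acl, proto, src_ip)
    if sport:
        line += ' eq %d' % sport  # the source port qualifier follows the source host
    line += ' host %s' % dst_ip
    if dport:
        line += ' eq %d' % dport
    return [line, 'capture %s interface %s access-list %s' % (name, interface, acl)]

def export_command(name, tftp_host):
    """Step 4: copy the finished capture off the firewall as a pcap to a TFTP server."""
    if not NAME_RE.match(name):
        raise ValueError('bad name: %r' % name)
    host = ipaddress.ip_address(tftp_host)  # TFTP target must be an address, not free text
    return 'copy /pcap capture:%s tftp://%s/%s.pcap' % (name, host, name)
```

Run `no capture <name>` on the ASA once the pcap has been copied off, so a forgotten capture does not keep buffering traffic.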
User interaction and design
Still in development
Below is a list of questions to be addressed as a result of this requirements document:
- How do we build the parameters?
- How do we log in with expect and python?
- What errors do we have to worry about?
- How do we access the Cisco lab for vASA?