1 Sep 2011
Cisco router ACL helper Perl script
I am not a skilled programmer/scripter. Here's a Perl script I wrote that takes the inbound rules for an access list on a Cisco router and spits out the corresponding rules for the outbound list. It's still a work-in-progress.
UPDATE 09/07/11: slightly modified regular expression to better match different ACL syntax.
#!/usr/bin/perl
# cisco_router_aclgen.pl
#
# Reads the entries of an inbound extended ACL from STDIN and prints the
# corresponding outbound list: every entry with source and destination
# (and their port qualifiers) swapped, so that the return traffic is matched.
# Ports may be numeric or resolvable IOS names (ntp, domain, ssh, ftp-data ...).
# Comment lines (!) and remarks are copied through; anything else is reported.
use strict;
use warnings;

my $DEBUG = 0;    # set to 1 to dump the fields captured from each rule

my @inbound  = ();
my @outbound = ();
my @invalid  = ();

# building blocks of the extended ACL grammar this script understands
my $ip    = qr/\d{1,3}(?:\.\d{1,3}){3}/;
my $addr  = qr/any|host $ip|$ip $ip/;          # any | host A.B.C.D | A.B.C.D WILDCARD
my $port  = qr/[\w-]+/;                        # 22, or a name such as ssh or ftp-data
my $ports = qr/eq $port|range $port $port/;    # eq PORT | range LOW HIGH
# optional sequence number, action, protocol, source [port], destination [port], optional log
my $ace   = qr/^(?:(\d+) )?((?:no )?(?:permit|deny)) (ip|icmp|tcp|udp) ($addr)(?: ($ports))? ($addr)(?: ($ports))?( log)?$/;
#               1 seq      2 action                  3 proto             4 src  5 sport      6 dst  7 dport      8 log

sub ask {    # print a prompt and return the answer without its trailing newline
    my $prompt = shift;
    print $prompt;
    my $answer = <STDIN>;
    $answer = '' unless defined $answer;
    chomp $answer;
    return $answer;
}

system "clear";    # clear the terminal screen
print "\n\n\t\tEnter your inbound ACL rules. Type end when finished or ^c to quit.\n";
while (my $line = <STDIN>) {    # loop through user input
    chomp $line;
    $line =~ s/^\s+|\s+$//g;    # trim surrounding whitespace
    last if $line =~ /^end$/i;
    next if $line eq '';
    if ($line =~ $ace) {
        my ($seq, $action, $proto, $src, $sport, $dst, $dport, $log) = ($1, $2, $3, $4, $5, $6, $7, $8);
        $log = '' unless defined $log;
        # Reverse the direction: the inbound destination (and destination port)
        # becomes the outbound source, and vice versa.  Sequence numbers are
        # dropped because the router numbers the new list itself.
        my $out = "$action $proto $dst";
        $out .= " $dport" if defined $dport;
        $out .= " $src";
        $out .= " $sport" if defined $sport;
        $out .= $log;
        if ($DEBUG) {
            print "action=$action proto=$proto src=$src sport=", (defined $sport ? $sport : '-'),
                  " dst=$dst dport=", (defined $dport ? $dport : '-'), " log=$log\n";
        }
        push @inbound,  "$line\n";
        push @outbound, "$out\n";
    } elsif ($line =~ /^!$|^(?:\d+ )?remark\b/) {    # comments and remarks are copied as-is
        push @inbound,  "$line\n";
        push @outbound, "$line\n";
    } else {
        push @invalid, "$line\n";
    }
}

system "clear";    # clear the terminal screen
my $acl_in_name  = ask("\n\tWhat is the name of the INBOUND access list?\n\n");
my $acl_out_name = ask("\n\tWhat is the name of the OUTBOUND access list?\n\n");
system "clear";    # clear the terminal screen

print "#" x 100;
print "\n\nconfig t\nip access-list extended $acl_in_name\n";
print @inbound;
# remove and re-add the explicit final deny so it stays the last entry of the list
print "no deny ip any any log\ndeny ip any any log\n!\n\nip access-list extended $acl_out_name\n";
print @outbound;
print "no deny ip any any log\ndeny ip any any log\nend\n\n";
print "#" x 100;
if (@invalid) {
    print "\n\nThe following lines were not included in the access list because they do not follow normal ACL syntax:\n\n";
    print map { "\t$_" } @invalid;
}
print "\n" x 5;
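The mirroring the script performs is worth looking at once more with the security caveat spelled out. A router ACL is stateless: the mirrored entry for "permit tcp any host X eq 22" is "permit tcp host X eq 22 any", which matches every packet that leaves X with source port 22, whatever its destination port and whether or not a connection exists. For TCP, IOS lets you tighten that with the established keyword (only segments with ACK or RST set match, i.e. replies to a connection opened from the other side); for UDP and ICMP there is no equivalent in a plain extended ACL, and reflexive ACLs or CBAC (ip inspect) are the stateful alternatives. The Python below is an added example that re-implements the swap as testable functions and appends established to mirrored TCP permits; it is not the author's Perl script, the function names parse_ace, mirror_ace and mirror_acl are my own, and SAMPLE_INBOUND is a constructed list, not a real router's configuration.

```python
import re

# Grammar pieces of a Cisco IOS extended ACL entry (ACE), same subset as the blog script.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ADDR = rf"any|host {IP}|{IP} {IP}"   # any | host A.B.C.D | A.B.C.D WILDCARD
PORT = r"[\w-]+"                      # 22, or a resolvable name such as ssh or ftp-data
PORTS = rf"eq {PORT}|range {PORT} {PORT}"
ACE_RE = re.compile(
    rf"^(?:(?P<seq>\d+) )?"
    rf"(?P<action>(?:no )?(?:permit|deny)) (?P<proto>ip|icmp|tcp|udp) "
    rf"(?P<src>{ADDR})(?: (?P<sport>{PORTS}))? "
    rf"(?P<dst>{ADDR})(?: (?P<dport>{PORTS}))?"
    rf"(?P<log> log)?$"
)


def parse_ace(line):
    """Return the fields of an ACE as a dict, or None if the line is not an ACE we understand."""
    m = ACE_RE.match(line.strip())
    return m.groupdict() if m else None


def mirror_ace(line, established=True):
    """Swap source and destination (each with its port qualifier) to get the
    return-direction entry.  With established=True, mirrored tcp permits get the
    IOS 'established' keyword, so they only match segments with ACK or RST set
    (replies to a connection opened from the inbound side) instead of any packet
    that merely uses the well-known port as its source port."""
    f = parse_ace(line)
    if f is None:
        return None
    out = [f["action"], f["proto"], f["dst"]]
    if f["dport"]:
        out.append(f["dport"])   # request's destination port is the reply's source port
    out.append(f["src"])
    if f["sport"]:
        out.append(f["sport"])   # request's source port is the reply's destination port
    if established and f["proto"] == "tcp" and f["action"].endswith("permit"):
        out.append("established")
    if f["log"]:
        out.append("log")
    return " ".join(out)


def mirror_acl(text, established=True):
    """Mirror every line of an inbound ACL.  Returns (outbound_lines, rejected_lines).
    '!' and remark lines are copied through unchanged; sequence numbers are dropped
    because the router numbers the new list itself."""
    outbound, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!" or re.match(r"^(?:\d+ )?remark\b", line):
            outbound.append(line)
            continue
        mirrored = mirror_ace(line, established)
        if mirrored is None:
            rejected.append(line)
        else:
            outbound.append(mirrored)
    return outbound, rejected


# Constructed sample inbound list (documentation addresses, not a real configuration).
SAMPLE_INBOUND = """\
remark --- constructed sample, not a real ACL ---
permit tcp any host 192.0.2.10 eq 22
permit udp host 192.0.2.53 eq domain 192.0.2.0 0.0.0.255
permit icmp any any
permit tcp 198.51.100.0 0.0.0.255 any eq www log
deny ip any any log
this is not an ace
"""

if __name__ == "__main__":
    out, bad = mirror_acl(SAMPLE_INBOUND)
    print("ip access-list extended OUTBOUND-EXAMPLE")
    for ace in out:
        print(" " + ace)
    for line in bad:
        print("# rejected: " + line)
```

Calling mirror_acl with established=False reproduces the plain swap the Perl script does. The keyword is added to "no permit" lines as well, so that a removal generated by this tool matches an entry it generated earlier; the icmp and udp entries come back unchanged apart from the swap, which is exactly the part of the list a stateless ACL cannot protect.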
September 6th, 2011 - 18:12
Cool script tried it for an ASA ACL but didn’t work. Works for the router though. Thanks
September 6th, 2011 - 19:38
Thanks man. Maybe the next version will have ASA support.