I still haven’t run into much need for automating network tasks. In fact, if I’m going to do much in that realm it’s probably going to be in cloud platforms, not on iron in a rack. However, let’s say I wanted to block some inbound IPs to resources behind an ASA, and let’s say that list needed frequent updates. I figured this is as good a chance as any to dust off some Python and get started with netmiko. This is my first use of both netmiko and Python, so I’m not feeling particularly great about it, but effort is effort I suppose.
This script assumes there’s a block rule on the outside interface applying to source addresses found in an object-group called Blocked_IPs; the script never touches the access-list itself, it only adds host entries to that group and saves the config (write mem) when complete. If you’re just getting started with netmiko you might find something useful here.
I still haven’t found a good way to maintain indentation on WordPress… Maybe I’ll throw it on GitHub if I get bored.
#!/usr/bin/python3
from netmiko import ConnectHandler
from getpass import getpass

print("\n\n\n***********************************************************\nThis will add an IP to the 'Blocked IPs' List on the ASA\n***********************************************************\n\n")

# change ip and user as needed; both can be overridden at the prompt below
ip = '192.168.1.1'
user = 'admin'

yes = {'yes', 'y', 'ye'}
no = {'no', 'n', ''}
quit_words = {'q', 'quit'}   # renamed from 'quit', which shadowed the Python builtin

# change params for login
while True:
    print("Currently, ip = ", ip, " & user = ", user, " \n\n")
    print('Would you like to adjust target device or username? Yes/No\n\nUse Q to quit:')
    choice = input('Press ENTER to skip: ').lower()
    if choice in yes:
        ip = input('Enter device IP: ')
        user = input('Enter username: ')
        print("\n***********************************************************\n IP and USER Updated\n")
    elif choice in no:
        break
    elif choice in quit_words:
        raise SystemExit
    else:
        # an unrecognised answer re-prompts instead of falling through to the IP prompt
        print("please respond with Y / N")

#
# Define ASA via netmiko
#
asa = {
    'device_type': 'cisco_asa',
    'ip': ip,
    'username': user,
    'password': getpass(prompt="\nEnter User Password: "),
    'secret': getpass(prompt="Enter Enable Password: "),
}

# block = input("Enter IP to be blocked: ")
raw = input("\n\n\nEnter IP's to be blocked.\nSeparate multiple IP's with a Comma.\nEXAMPLE: 1.1.1.1,2.2.2.2,3.3.3.3\n\n-------------------------------------\n :")
# strip stray whitespace around each entry and drop empty ones ("1.1.1.1, ,2.2.2.2")
block = [bip.strip() for bip in raw.split(",") if bip.strip()]

# Push Commands via netmiko
print("\n\n Connecting... ")
active = ConnectHandler(**asa)
print(" Connected! \n\n")
print("\n\nPushing config...\n")

# for every ip, run following. Needs a faster way (one send_config_set with all the
# network-object lines would open config mode once instead of once per address)
for bip in block:
    commands = ['object-group network Blocked_IPs', 'network-object host ' + bip]
    output = active.send_config_set(commands)
    print("\nRESULTS:\n***********************************************************\n" + output)

# save
output = active.send_command("write mem")
print(output)
active.disconnect()
Output looks like…
~/python$ ./blockIPv1.py

***********************************************************
This will add an IP to the 'Blocked IPs' List on the ASA
***********************************************************

Currently, ip =  192.168.1.1  & user =  root

Would you like to adjust target device or username? Yes/No

Use Q to quit:
Press ENTER to skip: y
Enter device IP: 192.168.2.5
Enter username: admin

***********************************************************
 IP and USER Updated

Currently, ip =  192.168.2.5  & user =  admin

Would you like to adjust target device or username? Yes/No

Use Q to quit:
Press ENTER to skip:

Enter User Password:
Enter Enable Password:

Enter IP's to be blocked.
Separate multiple IP's with a Comma.
EXAMPLE: 1.1.1.1,2.2.2.2,3.3.3.3

-------------------------------------
 :1.1.1.1,2.2.2.2,3.3.3.3

 Connecting...
 Connected!

Pushing config...

RESULTS:
***********************************************************
config term
ciscoasa(config)# object-group network Blocked_IPs
ciscoasa(config-network-object-group)# network-object host 1.1.1.1
ciscoasa(config-network-object-group)# end
ciscoasa#

RESULTS:
***********************************************************
config term
ciscoasa(config)# object-group network Blocked_IPs
ciscoasa(config-network-object-group)# network-object host 2.2.2.2
ciscoasa(config-network-object-group)# end
ciscoasa#

RESULTS:
***********************************************************
config term
ciscoasa(config)# object-group network Blocked_IPs
ciscoasa(config-network-object-group)# network-object host 3.3.3.3
ciscoasa(config-network-object-group)# end
ciscoasa#
Building configuration...
Cryptochecksum: a0078000 00007987 00000581 b004e00a

236189 bytes copied in 0.260 secs
[OK]
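The script above hands whatever is typed at the prompt straight to the firewall CLI, opens config mode once per address, and never checks that the entries actually landed. The following is an added example (my own code, not the script from the post) of the same task done the way I would want it in a frequently updated blocklist: input is validated with the standard ipaddress module before anything is sent, the current group contents are read back so existing entries are skipped, all new entries go out in a single send_config_set, and the group is re-read after write mem to confirm the change. The group name Blocked_IPs and the referencing deny rule on the outside interface are assumed as in the post; the helper names, the prompts and the constructed show-run sample are this example's own. The parsing and command-building helpers are pure functions, so they run and can be checked without a device; netmiko is only imported inside push().

```python
#!/usr/bin/env python3
"""Validate, deduplicate and push Blocked_IPs entries to an ASA in one config session.

Added example, not the blog's script. Assumes an object-group network named
Blocked_IPs that an existing deny ACE on the outside interface already references.
Group name, prompts and helper names are this example's own assumptions.
"""
import ipaddress
import re
from getpass import getpass

GROUP = "Blocked_IPs"   # assumed object-group name, as in the post


def parse_targets(raw):
    """Turn '1.1.1.1, 2.2.2.0/24, junk' into a deduplicated list of IPv4 networks.

    Hosts become /32 networks. Anything that is not an IPv4 address or prefix is
    returned in `rejected` so the caller can refuse to push it instead of handing
    unparsed user input to the firewall CLI.
    """
    networks, rejected = [], []
    for token in raw.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)   # 2.2.2.5/24 -> 2.2.2.0/24
        except ValueError:
            rejected.append(token)
            continue
        if net.version != 4:           # the object-group syntax below is IPv4 only
            rejected.append(token)
        elif net not in networks:      # drop repeats silently
            networks.append(net)
    return networks, rejected


def existing_entries(show_run_output):
    """Parse 'show running-config object-group id Blocked_IPs' into a set of networks."""
    found = set()
    for line in show_run_output.splitlines():
        m = re.match(r"\s*network-object host (\S+)\s*$", line)
        if m:
            found.add(ipaddress.ip_network(m.group(1) + "/32"))
            continue
        m = re.match(r"\s*network-object (\S+) (\S+)\s*$", line)
        if m:
            try:   # 'network-object object NAME' references are skipped, not parsed
                found.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
            except ValueError:
                pass
    return found


def build_commands(networks, already):
    """One config set for every entry not yet in the group (empty list if nothing to do)."""
    new = [n for n in networks if n not in already]
    if not new:
        return []
    cmds = [f"object-group network {GROUP}"]
    for n in new:
        if n.prefixlen == 32:
            cmds.append(f"network-object host {n.network_address}")
        else:
            cmds.append(f"network-object {n.network_address} {n.netmask}")
    return cmds


def push(device, raw_targets):
    """Connect, read the group, push only the missing entries, save, then verify."""
    from netmiko import ConnectHandler   # imported here so the helpers above run without netmiko
    networks, rejected = parse_targets(raw_targets)
    if rejected:
        raise SystemExit(f"Refusing to continue, invalid entries: {rejected}")
    show_cmd = f"show running-config object-group id {GROUP}"
    conn = ConnectHandler(**device)
    try:
        cmds = build_commands(networks, existing_entries(conn.send_command(show_cmd)))
        if not cmds:
            print("All entries already present, nothing pushed.")
            return
        print(conn.send_config_set(cmds))   # one config session for every new entry
        print(conn.save_config())           # netmiko's cisco_asa driver issues 'write mem'
        after = existing_entries(conn.send_command(show_cmd))
        missing = [str(n) for n in networks if n not in after]
        if missing:
            raise SystemExit(f"Post-change check failed, still missing: {missing}")
        print("Verified:", ", ".join(str(n) for n in networks))
    finally:
        conn.disconnect()


if __name__ == "__main__":
    asa = {   # placeholder prompts; no real device is assumed
        "device_type": "cisco_asa",
        "ip": input("Device IP: "),
        "username": input("Username: "),
        "password": getpass("Password: "),
        "secret": getpass("Enable password: "),
    }
    push(asa, input("IPs or prefixes to block (comma separated): "))
```

Accepting prefixes as well as hosts is the one place this goes beyond the post: a /24 becomes a network-object with a dotted mask, which is what the ASA expects inside an object-group network. The refusal on any rejected token is deliberate; on a blocklist that is fed from somewhere else, a partial push that silently dropped a typo is harder to notice than a run that stops and says why.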
Be sure to check out Kirk Byers for more information on Netmiko and Python for network engineers.
https://pynet.twb-tech.com/
He even offers some free courses throughout the year. I’m going to try to actually finish one some time.