
Access List Compliance

I have tried to follow this other forum post, Access List Compliance Check Question, but am running into issues. I am trying to start out with something simple: check the below access list and ensure only the entries listed are in the access list and nothing else. Using the website RegExr: Learn, Build, & Test RegEx that many recommend on here, I can get the expression built correctly. However, NCM isn't working.

Access List

ip access-list standard XXX

permit 10.0.0.0 0.31.255.255

permit 192.168.0.0 0.0.255.255

permit 172.16.0.0 0.15.255.255

deny   any log

Regular Expression

^\s?ip access\-list standard XXX\n^\s?permit 10.0.0.0 0.31.255.255\n^\s?permit 192.168.0.0 0.0.255.255\n^\s?permit 172.16.0.0 0.15.255.255\n^deny   any log[\r\n]*$


  • Can you try this for your RegEx expression and see if that works? I think the regex was getting tripped up on the additional ^ in there, so I removed them and tested it; it seems to be working on a site that I tested on.

    ^\s?ip access\-list standard XXX[\r\n]\s?permit 10.0.0.0 0.31.255.255[\r\n]\s?permit 192.168.0.0 0.0.255.255[\r\n]\s?permit 172.16.0.0 0.15.255.255[\r\n]\s?deny   any log$


  • Chris,

    Thanks for the quick reply. That is still showing that it's not in compliance, even though the only thing in the Access-list is

    permit 10.0.0.0 0.31.255.255
    permit 192.168.0.0 0.0.255.255
    permit 172.16.0.0 0.15.255.255
    deny   any log

  • One thing that you could try is to match each line individually in the rule instead of matching it all at once. This would allow you to see which of the lines are causing the errors, and then you can correct it. I would try having the rule broken into 5 different lines like this.

    ^\s?ip access\-list standard XXX[\r\n]$

    ^\s?permit 10\.0\.0\.0 0\.31\.255\.255[\r\n]$

    ^\s?permit 192\.168\.0\.0 0\.0\.255\.255[\r\n]$

    ^\s?permit 172\.16\.0\.0 0\.15\.255\.255[\r\n]$

    ^\s?deny   any log$

    Then you can have your config block start set to begin at this

    ^\s?ip access\-list standard XXX[\r\n]$

    and end at this

    (!|^\s?deny   any log[\r\n]*$)

    That is how I have my ACL compliance rules setup and it works fairly well for me, the only issue being that it will not check for exact order with it setup this way. Hope that helps.

  • Will your way catch if someone adds a permit or deny that is not in the list?

  • With an additional line at the end it will. I only check for any additional permits with mine, but you can change it to check for additional denies as well. For additional permits it will look something like this.

    ^\s?permit (?!(10\.0\.0\.0 0\.31\.255\.255|192\.168\.0\.0 0\.0\.255\.255|172\.16\.0\.0 0\.15\.255\.255)).*[\r\n]*$

  • I would recommend the approach mentioned by @chris_t above:  create a separate rule for each line.

    I've had issues with ACL entries appearing to get reordered when they are pasted in.  If you "show ip access-list ___" the line numbering will show the correct order, but the display order is not correct.  If you paste in your ACL and it shows a different order then you're running into this issue.

    I would also recommend changing your delimiter for the end of the config block.  I would look for a line that does not start with a space.  This would allow you to find your config block even if the deny is not present at the end, thus being able to flag a warning for the missing deny.

  • Chris,

    It appears this is the hold-up: ^\s?deny   any log$ is not matching the white space.

    wBrown,

    Would you recommend then the config block end being the start of the next ACL below it?

    Sorry for all the questions, but this is way more complicated than it really should be.

  • Try to change the deny line to this and see if that works. This is what I have for my deny line and it works.

    ^\s?deny\s{1,5}any log[\r\n]*$

    For the Config Block End I use this on mine. It will find either ! or the deny any at the end.

    (!|^\s?deny\s{1,5}any log[\r\n]*$)

  • Using the next ACL as the ending would add another dependency that may or may not be there, whereas looking for anything that is not whitespace as the first character would match another ACL or the !.

    The regex I use for the config block end is ^[a-zA-Z0-9!]

  • I have been able to do something similar in the past by taking the entire access-list and pasting it as a single string to match instead of a RegEx.  Would that work for you?
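As an added example (not from the thread and not NCM's own code), here is the per-line approach from chris_t's and wBrown's posts expressed in Python: the config block is cut at the first line whose first character is not a space, each required entry is its own pattern, and the negative-lookahead rule flags permits outside the approved set. The running-config is constructed for the example; the lookahead is tightened with \s*$ so a longer address that merely begins with an approved prefix is still flagged.

```python
import re

# Constructed sample running-config (not from the thread's device). The XXX ACL
# carries one permit that is not in the approved list, to exercise the extra-permit check.
RUNNING_CONFIG = """\
ip access-list standard XXX
 permit 10.0.0.0 0.31.255.255
 permit 192.168.0.0 0.0.255.255
 permit 172.16.0.0 0.15.255.255
 permit 203.0.113.0 0.0.0.255
 deny   any log
!
ip access-list standard YYY
 permit any
"""

# Block start, and wBrown's block end: the first line whose first character is not a space.
BLOCK_START = re.compile(r"^\s?ip access-list standard XXX\s*$", re.M)
BLOCK_END = re.compile(r"^[a-zA-Z0-9!]", re.M)

# One pattern per required entry; \s{1,5} absorbs the variable spacing in the deny line.
REQUIRED = [
    r"^\s?permit 10\.0\.0\.0 0\.31\.255\.255\s*$",
    r"^\s?permit 192\.168\.0\.0 0\.0\.255\.255\s*$",
    r"^\s?permit 172\.16\.0\.0 0\.15\.255\.255\s*$",
    r"^\s?deny\s{1,5}any log\s*$",
]
# Negative lookahead: any permit whose target is not exactly one of the approved entries.
EXTRA_PERMIT = re.compile(
    r"^\s?permit (?!(10\.0\.0\.0 0\.31\.255\.255|192\.168\.0\.0 0\.0\.255\.255"
    r"|172\.16\.0\.0 0\.15\.255\.255)\s*$).*$", re.M)

def extract_block(config):
    """Return the text of the XXX ACL block, or None if the ACL is absent."""
    start = BLOCK_START.search(config)
    if start is None:
        return None
    end = BLOCK_END.search(config, start.end())
    return config[start.start():end.start() if end else len(config)]

def check_acl(config):
    """Report required entries that are missing and permits that are not approved."""
    block = extract_block(config)
    if block is None:
        return {"block_found": False, "missing": REQUIRED[:], "extra_permits": []}
    missing = [p for p in REQUIRED if re.search(p, block, re.M) is None]
    extra = [m.group(0).strip() for m in EXTRA_PERMIT.finditer(block)]
    return {"block_found": True, "missing": missing, "extra_permits": extra}
```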