I've Googled and cannot find a way of creating a range-style network object on an ASA; you know the kind of thing, where you want to allow IP addresses 192.168.1.10 through 192.168.1.20 in an ACL.
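In my frustration I have given up and created a shell script which converts a CSV into ASA output. Simply create a two-column CSV with Col A containing your starting IP and Col B containing your end IP. (Note that the script as posted reads the object-group name as the first field of each row, followed by the two IPs.)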
The script loops through every address in the range, so it should support large outputs such as 10.1.2.10 to 10.2.1.20; however, I'm not actually sure you'd want that in your firewall config, but I wrote the capability in for the fun of it!
Have fun, click "more" below if you can't see the script!
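#!/bin/bash
#
# Expand IP ranges from a CSV into Cisco ASA "object-group network" blocks.
#
# Input:  CSV with three comma-separated fields per row:
#           group-name,first-ip,last-ip
#         Read from the path given as $1, or ./FirewallRanges.csv by default.
# Output: for every accepted row, an "object-group network NAME" line followed
#         by one " network-object A.B.C.D 255.255.255.255" line per address in
#         the inclusive range, on stdout.
#         Rejected rows are reported on stderr and produce no stdout at all,
#         so a typo in the CSV cannot end up as a half-built group in the
#         firewall configuration. A per-group entry count is also written to
#         stderr as a sanity check before the output is pasted into a device.
# Exit:   0 if every row was accepted, 1 if the file was unreadable or any
#         row was rejected.

#######################################
# Convert a dotted-quad IPv4 address to its 32-bit integer value.
# Arguments: $1 - address, e.g. 192.168.1.10
# Outputs:   the integer on stdout
# Returns:   0 on success, 1 if $1 is not four decimal octets in 0..255
#######################################
ip_to_int() {
  local ip=$1 octet
  local -r quad='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'

  [[ $ip =~ $quad ]] || return 1
  local -a parts=("${BASH_REMATCH[@]:1:4}")

  for octet in "${parts[@]}"; do
    # 10# forces base 10 so an octet written as "010" is not read as octal.
    (( 10#$octet <= 255 )) || return 1
  done

  printf '%d\n' "$(( (10#${parts[0]} << 24) | (10#${parts[1]} << 16) | (10#${parts[2]} << 8) | 10#${parts[3]} ))"
}

#######################################
# Read the CSV and print one ASA object-group per accepted row.
# Arguments: $1 - path of the CSV file
# Outputs:   ASA configuration lines on stdout, diagnostics on stderr
# Returns:   0 if all rows were accepted, 1 otherwise
#######################################
convert_csv() {
  local csv=$1
  local name firstip lastip extra
  local start end n
  local row=0 rejected=0
  # ASA object-group names are 1-64 characters from letters, digits, "_", "-"
  # and "."; anything else (a space in particular) would be parsed by the
  # device as additional command words.
  local -r name_ok='^[A-Za-z0-9_.-]{1,64}$'

  if [[ ! -f $csv || ! -r $csv ]]; then
    printf 'error: cannot read CSV file: %s\n' "$csv" >&2
    return 1
  fi

  # IFS is scoped to the read itself, so every row is split on commas and the
  # rest of the script keeps the default IFS. The trailing test picks up a
  # last line that has no newline.
  while IFS=, read -r name firstip lastip extra \
    || [[ -n $name$firstip$lastip ]]; do
    row=$((row + 1))

    # Spreadsheet exports usually end lines with CRLF; drop the stray CR and
    # any padding around the addresses.
    name=${name%$'\r'}
    firstip=${firstip//[[:space:]]/}
    lastip=${lastip//[[:space:]]/}

    # Blank separator lines are not an error.
    [[ -z $name && -z $firstip && -z $lastip ]] && continue

    if [[ ! $name =~ $name_ok ]]; then
      printf 'warning: row %d skipped: unusable group name %q\n' \
        "$row" "$name" >&2
      rejected=$((rejected + 1))
      continue
    fi

    if ! start=$(ip_to_int "$firstip") || ! end=$(ip_to_int "$lastip"); then
      printf 'warning: row %d (%s) skipped: invalid IPv4 address\n' \
        "$row" "$name" >&2
      rejected=$((rejected + 1))
      continue
    fi

    if (( start > end )); then
      printf 'warning: row %d (%s) skipped: first IP is above last IP\n' \
        "$row" "$name" >&2
      rejected=$((rejected + 1))
      continue
    fi

    # Every emitted line becomes a match target wherever the group is used in
    # an ACL, so state the size of what is about to be generated.
    printf 'info: %s: %d network-object entries\n' \
      "$name" "$(( end - start + 1 ))" >&2

    printf 'object-group network %s\n' "$name"
    # Walking the range as integers handles carries between octets
    # (e.g. 10.0.0.255 -> 10.0.1.0) without per-octet bookkeeping.
    for (( n = start; n <= end; n++ )); do
      printf ' network-object %d.%d.%d.%d 255.255.255.255\n' \
        "$(( (n >> 24) & 255 ))" "$(( (n >> 16) & 255 ))" \
        "$(( (n >> 8) & 255 ))" "$(( n & 255 ))"
    done
  done < "$csv"

  return "$(( rejected > 0 ))"
}

convert_csv "${1:-./FirewallRanges.csv}"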