Quoting Jay Austad <austad at signal15.com>:

> Does anyone know of a perl script that I can use to parse a Cisco PIX
> config file and have it suggest the creation of object groups and
> possibly summarize the ruleset?
>
> I've got a bunch of PIX configs that need to be cleaned up. Some are
> using conduits, some are using acl's.
>
> If nothing exists like this, does anyone have any suggestions for
> writing one in perl? I can't really think of a good way to go about
> it. For example, if I had this in the config:
> access-list outside_in permit ip 1.1.1.0 255.255.255.128 host 2.2.2.2
> access-list outside_in permit ip 1.1.1.128 255.255.255.128 host 2.2.2.2
>
> It would suggest replacement with:
> access-list outside_in permit ip 1.1.1.0 255.255.255.0 host 2.2.2.2
>
> Or if I had:
> access-list outside_in permit ip 1.1.1.0 255.255.255.0 host 2.2.2.1
> access-list outside_in permit ip 1.1.1.0 255.255.255.0 host 2.2.2.2
> access-list outside_in permit ip 1.1.1.0 255.255.255.0 host 2.2.2.3
> access-list outside_in permit ip 1.1.1.0 255.255.255.0 host 2.2.2.4
>
> It would suggest making an object-group for the 2.2.2.x addresses and
> replacing the rules with:
> access-list outside_in permit ip 1.1.1.0 255.255.255.0 object-group mygroup
>
> ~jay
>

Cisco has an output interpreter that you can use for this type of thing.
You do need a CCO login to get at it:

https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl

Josh
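An added sketch of the kind of script asked for above, written in Python rather than Perl; it is not from either poster and is not Cisco's tool. It merges adjacent source subnets and proposes an object-group when one source reaches several destinations, but only inside a run of consecutive rules with the same ACL, action and protocol, because rule order changes what an ACL permits. Assumptions: only port-less `access-list` lines are parsed, the generated group name is hypothetical, and the sample config is constructed from the rules in the question plus one constructed deny line.

```python
import ipaddress
import re
from collections import defaultdict
from itertools import groupby

# Constructed sample modelled on the rules quoted in the thread.
SAMPLE = """\
access-list outside_in permit ip 1.1.1.0 255.255.255.128 host 2.2.2.2
access-list outside_in permit ip 1.1.1.128 255.255.255.128 host 2.2.2.2
access-list outside_in deny ip any host 2.2.2.9
access-list outside_in permit ip 1.1.1.0 255.255.255.0 host 2.2.2.1
access-list outside_in permit ip 1.1.1.0 255.255.255.0 host 2.2.2.3
access-list outside_in permit ip 1.1.1.0 255.255.255.0 host 2.2.2.4
"""
ADDR = r"(any|host \S+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
# Port-less rules only; every other line passes through untouched.
RULE = re.compile(rf"access-list (\S+) (permit|deny) (\S+) {ADDR} {ADDR}$")

def to_net(text):
    text = "0.0.0.0/0" if text == "any" else text.replace("host ", "")
    return ipaddress.ip_network(text.replace(" ", "/"), strict=False)

def to_pix(net):
    short = "any" if net.prefixlen == 0 else f"host {net.network_address}"
    return short if net.prefixlen in (0, 32) else f"{net.network_address} {net.netmask}"

def run_key(line):
    m = RULE.match(line)
    return m.groups()[:3] if m else None   # (acl, action, protocol)

def suggest(config, min_group=3):
    out = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    for key, run in groupby(lines, run_key):   # merge only inside one run
        if key is None:
            out.extend(run)
            continue
        by_dst, by_src = defaultdict(list), defaultdict(list)
        for src, dst in (RULE.match(l).groups()[3:] for l in run):
            by_dst[to_net(dst)].append(to_net(src))
        for dst, srcs in by_dst.items():       # merge adjacent source subnets
            for src in ipaddress.collapse_addresses(srcs):
                by_src[src].append(to_pix(dst))
        for src, dsts in by_src.items():
            if len(dsts) >= min_group:         # many destinations: object-group
                name = f"{key[0]}_grp{len(out)}"   # hypothetical group name
                out += [f"object-group network {name}",
                        *(f"  network-object {d}" for d in dsts)]
                dsts = [f"object-group {name}"]
            out += [" ".join(("access-list", *key, to_pix(src), d)) for d in dsts]
    return out
```

`suggest(SAMPLE)` returns the proposed replacement lines in order; treat them as suggestions to review against the running config, not as something to paste in blindly.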