This script takes Cisco ASA named extended ACLs and converts the rules into compatible Meraki MX rules. It builds iterative or multi-source/multi-destination L3 rules, and optionally builds 1:1 NAT rules and L7 deny rules for outside -> inside rule sets.
The choice of 1:1 NAT rules and L7 deny rules assumes Inbound Rules are NOT enabled on the MX.
Supported ASA constructs:
Unsupported ASA Constructs:
Warning: This script assumes the target MX network is a new network. Existing L3 Rules, 1:1 NAT Rules, and L7 Rules will be replaced.
- Organization > Settings > Dashboard API access: enable access to the Cisco Meraki Dashboard API.
- My Profile > API access: generate an API key.
For more information on how to generate an API key, please click here.
Note: You can add your account as Full Organization Admin to your organizations by following the instructions here.
- Output of the `show run` ASA command saved to a text file (named whatever you like). Move the text file to the code's root directory.
- Output of the `show access-list` ASA command saved to a text file (named whatever you like). Move the text file to the code's root directory.
- Routed mode and VLANs on the MX.
- Optionally, VLANs and static routes defined in the `vlans.json` and `routes.json` files respectively; see the Usage section.

```
git clone [repository name]
```
Edit `config.py` and fill in your API key, organization name and network name:

```
MERAKI_API_KEY = "<API KEY>"
ORG_NAME = "<ORG>"
NETWORK_NAME = "<NETWORK>"
```

In `config.py`, place the appropriate ACLs in the `outbound_set` and `nat_set` lists. `outbound_set` corresponds to Outbound Rules in the Meraki Dashboard, and `nat_set` corresponds to 1:1 NAT and L7 rule translation. If you are unsure where your ACL should go, consult Meraki's Firewall Rules configuration guide here.

```
ACL_TYPES = {
    "nat_set": ["ACL name"],
    "outbound_set": ["ACL name"]
}
```
```
pip3 install -r requirements.txt
python3 asa_to_mx.py -r show-run-file.txt -a show-access-list-file.txt
```

where `show-run-file.txt` and `show-access-list-file.txt` are the `show run` and `show access-list` files from the prerequisites section.

Optionally, you may specify `-v vlans.json` and/or `-s routes.json` if you'd like to configure your VLANs and static routes in those files instead of the Meraki Dashboard. Please consult those files for proper formatting and examples.
The script will also prompt asking whether you'd like 'any' translation enabled. This feature translates the source address 'any' into a subnet or group of subnets derived from the subnet of the original ASA interface the ACL is attached to and from any ASA routes configured. This is useful if you are importing multiple ACLs or have several subnets statically routed to a single interface, since it preserves the original ASA logic.
Warning: 'any' translation only works if the ACLs are attached to an interface with an IP address assigned or a route is defined.
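To make the translation concrete, here is an added example (not the project's own code) that parses a few constructed ASA extended ACL lines into Meraki-MX-style L3 rule dicts and, when interface and route information is supplied, expands a source of 'any' into the interface subnet plus every static route pointing at that interface. Lines the parser cannot handle are collected separately, mirroring the unprocessed_rules.txt behaviour. The sample interface, routes and ACL lines are constructed; the rule field names (policy, protocol, srcCidr, destCidr, destPort, ...) are assumed to follow the Meraki Dashboard API's L3 firewall rule schema.

```python
"""Added example, not the project's code: ASA extended ACL -> Meraki-style L3 rules,
with optional 'any' source expansion based on the attached interface and routes."""
import ipaddress
import re

# Constructed sample input, not a real configuration.
ASA_INTERFACE = {"nameif": "inside", "ip": "10.1.0.1", "mask": "255.255.255.0"}
# (nameif, network, mask), as in "route inside 10.2.0.0 255.255.0.0 10.1.0.254"
ASA_ROUTES = [
    ("inside", "10.2.0.0", "255.255.0.0"),
    ("outside", "0.0.0.0", "0.0.0.0"),
]
ASA_ACL = [
    "access-list INSIDE_OUT extended permit tcp any host 192.0.2.10 eq 443",
    "access-list INSIDE_OUT extended permit udp 10.1.0.0 255.255.255.0 any eq 53",
    "access-list INSIDE_OUT extended deny ip any any",
]
# A port range is not handled by this small parser, so it ends up "unprocessed".
UNSUPPORTED_LINE = "access-list INSIDE_OUT extended permit tcp any host 192.0.2.10 range 1000 2000"

# Minimal grammar: src/dst are 'any', 'host A.B.C.D' or 'NET MASK'; optional 'eq PORT'.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)(?: eq (?P<port>\S+))?$"
)
# ASA protocol keyword -> assumed Meraki protocol value ('ip' becomes 'any').
PROTO_MAP = {"ip": "any", "tcp": "tcp", "udp": "udp", "icmp": "icmp"}


def subnets_behind_interface(interface, routes):
    """Interface subnet plus every static route whose next hop is that interface."""
    nets = [ipaddress.ip_network(f"{interface['ip']}/{interface['mask']}", strict=False)]
    for nameif, net, mask in routes:
        if nameif == interface["nameif"]:
            nets.append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return nets


def to_cidr(token):
    """Convert an ASA address token to a CIDR string (or 'Any')."""
    if token == "any":
        return "Any"
    if token.startswith("host "):
        return token.split()[1] + "/32"
    net, mask = token.split()
    return str(ipaddress.ip_network(f"{net}/{mask}", strict=False))


def translate_line(line, interface=None, routes=()):
    """Return a Meraki-style L3 rule dict for one ACL line, or None if unsupported."""
    m = ACL_RE.match(line.strip())
    if not m or m["proto"] not in PROTO_MAP:
        return None
    src = to_cidr(m["src"])
    # 'any' translation: replace the wildcard source with the subnets behind the interface.
    if src == "Any" and interface is not None:
        src = ",".join(str(n) for n in subnets_behind_interface(interface, routes))
    return {
        "comment": m["name"],
        "policy": "allow" if m["action"] == "permit" else "deny",
        "protocol": PROTO_MAP[m["proto"]],
        "srcCidr": src,
        "srcPort": "Any",
        "destCidr": to_cidr(m["dst"]),
        "destPort": m["port"] or "Any",
        "syslogEnabled": False,
    }


def translate_acl(lines, interface=None, routes=()):
    """Translate every line; unsupported lines go to the 'unprocessed' list."""
    rules, unprocessed = [], []
    for line in lines:
        rule = translate_line(line, interface, routes)
        if rule is None:
            unprocessed.append(line)
        else:
            rules.append(rule)
    return rules, unprocessed


if __name__ == "__main__":
    done, skipped = translate_acl(ASA_ACL + [UNSUPPORTED_LINE], ASA_INTERFACE, ASA_ROUTES)
    for rule in done:
        print(rule)
    print("unprocessed:", skipped)
```

With the interface and routes supplied, the first rule's source becomes `10.1.0.0/24,10.2.0.0/16` instead of `Any`; without them it stays `Any`, which is exactly the case the warning above describes. The real script also handles object groups, ICMP types and port ranges that this illustration deliberately leaves in the unprocessed list.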
Once you start the script, it will create ASA objects for the MX, read in the ACL rules, translate them, and apply them to the Meraki MX network.
Note: Lines which fail to translate are written to unprocessed_rules.txt. Consult this file if a rule is missing.
Script Output (screenshots):
- Initial prompts
- Creating VLANs if specified with -v vlans.json
- Creating static routes if specified with -s routes.json
- Parsing ACL rules
- Results

Meraki Dashboard (screenshots):
- Initial Policy Objects
- Initial Firewall Rules
- Initial NAT and L7 Rules
- Policy Objects after creation
- Policy Object Groups after creation
- L3 Rules after creation
- 1:1 NAT Rules after creation
- L7 Rules after creation
Provided under Cisco Sample Code License, for details see LICENSE
Our code of conduct is available here
See our contributing guidelines here
Please note: This script is meant for demo purposes only. All tools/scripts in this repo are released for use "AS IS" without any warranties of any kind, including, but not limited to, their installation, use, or performance. Any use of these scripts and tools is at your own risk. There is no guarantee that they have been through thorough testing in a comparable environment, and we are not responsible for any damage or data loss incurred with their use.
You are responsible for thoroughly reviewing and testing any scripts you run before use in any non-testing environment.
Products: Secure Firewall
Programming Languages: Python