Cisco ASA undocumented regular expression.
I’ve found an undocumented feature of the “grep” command and related regular expressions on the Cisco ASA that’s very useful.
For example, suppose you want to check the ASA configuration for all “http” and “ssh” statements which contain an IP address in the 10.1.12.0/24 and 10.1.13.0/24 ranges.
You can then do “show running-config | grep ssh” and look through each entry, then again for http: “show running-config | grep http”. Another possibility is to grep on a part of the IP address: “show running-config | grep 10.1.1”, but this will also show routes and access-lists with this IP address.
If we expand this to include both, say, “ssh” and the IP address, we come to the following command: “show running-config | grep ssh.*10.1.1”. This will show all lines that contain “ssh” followed, somewhere later in the line, by “10.1.1”. We still have to run 2 commands then (remember, one for “ssh” and one for “http”).
What if we want to do this in only 1 command? This is where the undocumented feature kicks in. On Unix/Linux, the egrep command supports alternation, “|”, and subexpressions, “()”, in its regular expressions. It turns out that both these special characters also work on the ASA even though they are not documented in the command reference!
If we put this all together, we can then do the following:
“show running-config | grep ^(ssh|http).*10.1.1” and the output will show both the “ssh” and “http” lines with 10.1.1 in them. The (ssh|http) expression just means that the line should include ssh OR http. Note that I also used a ^, which anchors the match to the beginning of the line. To make the above search expression even more correct, we can escape the dots with a backslash, “\”, because an unescaped dot matches any single character rather than a literal dot.
The complete command becomes “show running-config | grep ^(ssh|http).*10\.1\.1” and reads: “Show me each line in the running configuration beginning with either ssh OR http and also 10.1.1 further in that line”.
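The effect of escaping the dots can be checked offline with egrep-style matching. The following is an added example, not part of the original post: it runs Unix “grep -E” over a constructed sample of ASA-style lines and compares the unescaped pattern, the escaped pattern, and a tighter pattern limited to 10.1.12.x and 10.1.13.x. The tighter pattern uses a character class and “+”, and whether the ASA grep accepts it is an assumption not tested here.

```shell
#!/bin/sh
# Constructed sample of ASA-style configuration lines (not from a real device).
sample_config() {
cat <<'EOF'
ssh 10.1.12.0 255.255.255.0 inside
ssh 10.1.130.0 255.255.255.0 inside
ssh 10.10.1.1 255.255.255.255 inside
ssh 10.161.0.0 255.255.0.0 inside
http 10.1.13.0 255.255.255.0 inside
http 10.1.1.0 255.255.255.0 dmz
http server enable
ssh timeout 10
route inside 10.1.12.0 255.255.255.0 10.1.1.1
access-list mgmt extended permit tcp 10.1.12.0 255.255.255.0 any eq ssh
EOF
}

# Print the sample lines that match an extended regular expression.
matches() { sample_config | grep -E "$1"; }

# Count the sample lines that match an extended regular expression.
count() { sample_config | grep -Ec "$1"; }

# Unescaped dots match any character, so "10.161" satisfies "10.1.1".
UNESCAPED='^(ssh|http).*10.1.1'
# Escaped dots are literal, but "10.1.1" is still only a substring match:
# 10.1.130.0, 10.10.1.1 and 10.1.1.0 are reported as well.
ESCAPED='^(ssh|http).*10\.1\.1'
# Tighter pattern (assumption for the ASA): the address must directly follow
# the keyword and its third octet must be exactly 12 or 13.
STRICT='^(ssh|http) 10\.1\.1[23]\.[0-9]+ '

for p in "$UNESCAPED" "$ESCAPED" "$STRICT"; do
  printf '== %s (%s lines)\n' "$p" "$(count "$p")"
  matches "$p"
done
```

When auditing management access, the extra hits from the looser patterns are worth reading rather than discarding, since they are ssh/http permissions for networks outside the two ranges being checked.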
If you have any additional questions about regular expressions on the Cisco ASA, don’t hesitate to ask :) Have fun!