akumar741 / Arun


Getting permission denied while running playbook in ansible for ASA configuration #1

Open akumar741 opened 7 years ago

akumar741 commented 7 years ago

Hi, I am new to Ansible and am having a problem managing my ASA firewall through Ansible. Below is all the information about my playbook and ASA configuration; I am looking for help.

ansible version:-

root@ubuntu:/etc/ansible# ansible --version
ansible 2.3.0.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides
  python version = 2.7.12 (default, Nov 19 2016, 06:48:10) [GCC 5.4.0 20160609]
root@ubuntu:/etc/ansible#

My host file:-

root@ubuntu:/etc/ansible# cat hosts
[ios]
192.168.230.253
192.168.230.252

My playbook:-

root@ubuntu:/etc/ansible# cat asa-show1

Output:-

root@ubuntu:/etc/ansible# vi hosts
root@ubuntu:/etc/ansible# ansible-playbook asa-show1

PLAY [ios] *****

TASK [Gathering Facts] *****
fatal: [192.168.230.252]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Permission denied (password).\r\n", "unreachable": true}
fatal: [192.168.230.253]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Permission denied (password).\r\n", "unreachable": true}
        to retry, use: --limit @/etc/ansible/asa-show1.retry

PLAY RECAP *****
192.168.230.252 : ok=0 changed=0 unreachable=1 failed=0
192.168.230.253 : ok=0 changed=0 unreachable=1 failed=0

root@ubuntu:/etc/ansible#

ASA configuration:-

ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif management
 security-level 0
 ip address 192.168.230.252 255.255.255.0
!
interface GigabitEthernet1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list ssh standard permit any
pager lines 24
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 192.168.230.0 255.255.255.0 management
telnet timeout 5
ssh 192.168.230.0 255.255.255.0 management
ssh 192.168.230.128 255.255.255.255 management
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
!
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:fc914b20384be435a7faa3f1939daa63
: end
ciscoasa#

akumar741 commented 7 years ago

Whereas I am able to SSH to the same ASA from my Ansible machine using the same credentials.

root@ubuntu:/etc/ansible# ssh cisco@192.168.230.252
cisco@192.168.230.252's password:
Type help or '?' for a list of available commands.
ciscoasa> ena
Password: *****
ciscoasa#