Open ITZAbacq opened 2 years ago
@ITZAbacq thanks for raising the issue, I'll triage the issue from my end and update you more on this asap!
Hello! I want to use this ACL too, but it is not working. The ACL:

```
access-list OUTSIDE extended permit object-group SomeObjectGroupService object-group ObjectGroupNetworkSource object-group ObjectGroupNetworkDestination
```
Cisco ASAv version: Cisco Adaptive Security Appliance Software Version 9.16(4)19
OS - CentOS Stream release 8
```
ansible [core 2.12.7]
  config file = /home/andrey/ansible/ansible.cfg
  configured module search path = ['/home/andrey/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  ansible collection location = /home/andrey/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.13 (default, Jun 24 2022, 15:27:57) [GCC 8.5.0 20210514 (Red Hat 8.5.0-13)]
  jinja version = 3.1.2
  libyaml = True
```

```
ansible-galaxy collection list | grep asa
cisco.asa 4.0.1
```
Error:

```
fatal: [ASAv]: FAILED! => {
    "changed": false,
    "module_stderr": "up $\r\n\r\naccess-list ACL-NAME extended permit object-group ObjectGroupNetworkSource object-group ObjectGroupNetworkDestination\r\n\r\nERROR: % Invalid input detected at '^' marker.\r\n\rASAv(config)# ",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
```
```yaml
config:
  - name: SomeObjectGroupService
    services_object:
      - protocol: tcp-udp
        destination_port:
          eq: 53
```
Thanks!
@Starican To be honest, I moved on from the modules to using only http-api with yaml and jinja2.
@ITZAbacq Where can I read about it? I need examples :) You use the Cisco ASA REST API, correct?
Thanks!
No, I'm using the HTTP API. The REST API is not available for ASAv. https://www.cisco.com/c/en/us/td/docs/security/asa/misc/http-interface/asa-http-interface.html That's all you need to know about it. Basically it's the CLI via HTTPS. Easy mode.
@ITZAbacq ASAv has a REST API. I tested it.
Thanks for the URL. Reading...

```
test.asa# sh run rest-api
!
rest-api image flash:/asa-restapi-7161-lfbff-k8.SPA
rest-api agent
test.asa# sh ver
Cisco Adaptive Security Appliance Software Version 9.16(4)19
SSP Operating System Version 2.10(1.253)
Device Manager Version 7.18(1)152
REST API Agent Version 7.16.1.75
Compiled on Wed 19-Apr-23 19:27 GMT by builders
System image file is "disk0:/asa9-16-4-19-smp-k8.bin"
Config file at boot was "startup-config"
test.asa up 63 days 19 hours
Hardware:   ASAv, 4096 MB RAM, CPU Clarkdale 3399 MHz, Internal ATA Compact Flash, 1024MB
```
Yeah, but it's not officially supported for my devices. I could install it, but I don't want to, as the HTTP API is far easier. No need for an agent, so updates are easier, and it's just CLI commands, which makes it far easier for me than REST.
Hi! I have good news :) I have this ACL line:

```
access-list OUTSIDE extended permit object-group OGService object-group OGNetworkSource object-group OGNetworkDestination
```

When I parse this line with Ansible I get this (it's not correct, I understand that):

```json
{
  "destination": {
    "object_group": "OGNetworkSource",
    "service_object_group": "OGNetworkDestination"
  },
  "grant": "permit",
  "source": {
    "netmask": "OGervice",
    "object_group": "OGService"
  }
},
```

and I changed the config in the Ansible playbook (it isn't logically correct, BUT it's working!!! I get the ACL on the devices without errors):

```yaml
- grant: permit
  line: 1
  destination:
    service_object_group: OGNetworkDestination
    object_group: OGNetworkSource
  source:
    object_group: OGService
```
Hello, I'm new to these modules and I'd like to use the ACL module to deploy some rules on 4 ASA firewalls. I have some rules which are designed and stored this way:

```
access-list OUTSIDE extended permit object-group SomeObjectGroupService object-group SomeObjectGroupNetwork any
```
These rules are getting an error:
Also, the module isn't supporting objects, which is very unfortunate, but I can work around that.
Ansible Info
Collection Info
OS
The Ansible Config is stock.
The ASA is running:

```
ASA Version 9.12(4)38
```
What am I exactly doing?
This leads to the error.
I guess the module's parser doesn't recognize the first object-group properly as an object-group (service), so it takes it as the source, which is actually wrong.
So the output of the parser is
Or am I doing anything wrong? Thank you very much.
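As an added, constructed illustration of the mis-parse described in this issue and in the "good news" comment above (the first `object-group` after the action being taken as the source instead of the service): the following small positional parser for extended ACE lines consumes the service slot first, so `object-group X` in that position becomes a service object-group and the next two specs become source and destination. This is example code written for this thread, not the parser used by the cisco.asa collection; the grammar it models (a subset of the ASA `access-list ... extended` syntax without `log`/`time-range` options), the function names and the sample lines are assumptions.

```python
"""Positional parser for Cisco ASA extended ACE lines (constructed example).

Models the subset:
    access-list NAME extended ACTION SERVICE SOURCE [PORT] DESTINATION [PORT]
SERVICE     = protocol keyword | object-group G | object O
SOURCE/DEST = any | any4 | any6 | host A | object-group G | object O | A MASK
PORT        = eq|neq|lt|gt VALUE | range LOW HIGH
Trailing options such as `log` or `time-range` are not modelled (assumption).
"""
import re

PROTOCOLS = {"ip", "tcp", "udp", "icmp", "icmp6", "tcp-udp", "gre", "esp", "ah"}
PORT_OPS = {"eq", "neq", "lt", "gt", "range"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _arg(tokens, i):
    """Return tokens[i] or fail cleanly when the line is truncated."""
    if i >= len(tokens):
        raise ValueError(f"missing argument at token {i}")
    return tokens[i]


def _take_endpoint(tokens, i):
    """Consume one SOURCE or DESTINATION spec; return (dict, next_index)."""
    tok = _arg(tokens, i)
    if tok in ("any", "any4", "any6"):
        return {"any": tok}, i + 1
    if tok == "host":
        return {"host": _arg(tokens, i + 1)}, i + 2
    if tok == "object-group":
        return {"object_group": _arg(tokens, i + 1)}, i + 2
    if tok == "object":
        return {"object": _arg(tokens, i + 1)}, i + 2
    if IPV4.match(tok) and IPV4.match(_arg(tokens, i + 1)):
        return {"address": tok, "netmask": tokens[i + 1]}, i + 2
    raise ValueError(f"unrecognised endpoint at token {i}: {tok!r}")


def _take_port(tokens, i):
    """Consume an optional port operator following an endpoint."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        op = tokens[i]
        if op == "range":
            return {op: [_arg(tokens, i + 1), _arg(tokens, i + 2)]}, i + 3
        return {op: _arg(tokens, i + 1)}, i + 2
    return {}, i


def parse_ace(line):
    """Parse one extended ACE into name/grant/service/source/destination.

    The service slot is consumed FIRST, so an `object-group` there is a
    service object-group and is never mistaken for the source network.
    """
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError("not an extended access-list line")
    name, grant = tokens[1], tokens[3]
    if grant not in ("permit", "deny"):
        raise ValueError(f"unknown action {grant!r}")
    i, tok = 4, tokens[4]
    if tok in PROTOCOLS:
        service, i = {"protocol": tok}, i + 1
    elif tok == "object-group":
        service, i = {"service_object_group": _arg(tokens, i + 1)}, i + 2
    elif tok == "object":
        service, i = {"service_object": _arg(tokens, i + 1)}, i + 2
    else:
        raise ValueError(f"unrecognised service spec {tok!r}")
    source, i = _take_endpoint(tokens, i)
    src_port, i = _take_port(tokens, i)
    destination, i = _take_endpoint(tokens, i)
    dst_port, i = _take_port(tokens, i)
    if i != len(tokens):
        raise ValueError(f"trailing tokens not modelled: {tokens[i:]}")
    if src_port:
        source["port"] = src_port
    if dst_port:
        destination["port"] = dst_port
    return {"name": name, "grant": grant, "service": service,
            "source": source, "destination": destination}


def render_ace(ace):
    """Render a parsed ACE back to CLI text (round-trip check for parse_ace)."""
    parts = ["access-list", ace["name"], "extended", ace["grant"]]
    svc = ace["service"]
    if "protocol" in svc:
        parts.append(svc["protocol"])
    elif "service_object_group" in svc:
        parts += ["object-group", svc["service_object_group"]]
    else:
        parts += ["object", svc["service_object"]]
    for ep in (ace["source"], ace["destination"]):
        if "any" in ep:
            parts.append(ep["any"])
        elif "host" in ep:
            parts += ["host", ep["host"]]
        elif "object_group" in ep:
            parts += ["object-group", ep["object_group"]]
        elif "object" in ep:
            parts += ["object", ep["object"]]
        else:
            parts += [ep["address"], ep["netmask"]]
        for op, val in ep.get("port", {}).items():
            parts += [op] + (val if isinstance(val, list) else [val])
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample line mirroring the ACE shape from this issue.
    sample = ("access-list OUTSIDE extended permit object-group OGService "
              "object-group OGNetworkSource object-group OGNetworkDestination")
    parsed = parse_ace(sample)
    print(parsed)
    assert render_ace(parsed) == sample
```

Running the module prints the parsed structure with `OGService` under `service`, `OGNetworkSource` under `source` and `OGNetworkDestination` under `destination`, which is the mapping the thread expected the module to produce; `render_ace` reproduces the original line exactly, which is a useful sanity check before pushing generated ACEs to a device.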