CISCO ASA Ansible Collection
The Ansible Cisco ASA collection includes a variety of Ansible content to help automate the management of Cisco ASA firewall appliances.
Support
As a Red Hat Ansible Certified Content, this collection is entitled to support through Ansible Automation Platform (AAP).
If a support case cannot be opened with Red Hat and the collection has been obtained either from Galaxy or GitHub, there is community support available at no charge.
You can join us on #network:ansible.com room or the Ansible Forum Network Working Group.
For more information you can check the communication section below.
Communication
-
Join the Ansible forum:
- Get Help: get help or help others.
- Posts tagged with 'security': subscribe to participate in collection-related conversations.
- Ansible Network Automation Working Group: by joining the team you will automatically get subscribed to the posts tagged with your group forum tag here.
- Social Spaces: gather and interact with fellow enthusiasts.
- News & Announcements: track project-wide announcements including social events.
-
The Ansible Bullhorn newsletter: used to announce releases and important changes.
For more information about communication, see the Ansible communication guide.
Ansible version compatibility
This collection has been tested against following Ansible versions: >=2.15.0.
For collections that support Ansible 2.9, please ensure you update your network_os to use the
fully qualified collection name (for example, cisco.ios.ios).
Plugins and modules within a collection may be tested with only specific Ansible versions.
A collection may contain metadata that identifies these versions.
PEP440 is the schema used to describe the versions of Ansible.
Tested with Ansible
This collection has been tested against Cisco ASA 9.10(1)11 and Cisco ASA image configured over Zuul with version 9.12.3.
External requirements
Supported connections
The Cisco ASA collection supports network_cli connections.
Included content
Cliconf plugins
| Name | Description |
|---|---|
| cisco.asa.asa | Use asa cliconf to run command on Cisco ASA platform |
Modules
| Name | Description |
|---|---|
| cisco.asa.asa_acls | Access-Lists resource module |
| cisco.asa.asa_command | Run arbitrary commands on Cisco ASA devices |
| cisco.asa.asa_config | Manage configuration sections on Cisco ASA devices |
| cisco.asa.asa_facts | Collect facts from remote devices running Cisco ASA |
| cisco.asa.asa_ogs | Object Group resource module |
Installing this collection
You can install the Cisco ASA collection with the Ansible Galaxy CLI:
ansible-galaxy collection install cisco.asaYou can also include it in a requirements.yml file and install it with ansible-galaxy collection install -r requirements.yml, using the format:
---
collections:
- name: cisco.asaUsing this collection
This collection includes security resource modules. Similar to Network resource modules introduced in Ansible 2.9
Using Cisco ASA Ansible Collection
An example for using this collection to manage a ACL resource Cisco ASA is as follows:
inventory.ini (Note the password should be managed by a Vault for a production environment.
[asa01]
host_asa.example.com
[asa01:vars]
ansible_user=admin
ansible_ssh_pass=password
ansible_become=true
ansible_become_method=ansible.netcommon.enable
ansible_become_pass=become_password
ansible_connection=ansible.netcommon.network_cli
ansible_network_os=cisco.asa.asa
ansible_python_interpreter=pythonUsing the modules with Fully Qualified Collection Name (FQCN)
You can either call modules by their Fully Qualified Collection Name (FQCN), like cisco.asa.asa_acls, or you can call modules by their short name if you list the cisco.asa collection in the playbook's collections, as follows:
---
- hosts: asa01
gather_facts: false
connection: network_cli
collections:
- cisco.asa
tasks:
- name: Merge the provided configuration with the existing running configuration
register: result
cisco.asa.asa_acls: &id001
config:
- acls:
- name: test_global_access
acl_type: extended
aces:
- grant: deny
line: 1
protocol: tcp
protocol_options:
tcp: true
source:
address: 192.0.2.0
netmask: 255.255.255.0
destination:
address: 192.0.3.0
netmask: 255.255.255.0
port_protocol:
eq: www
log: default
- name: test_R1_traffic
acl_type: extended
aces:
- grant: deny
line: 1
protocol_options:
tcp: true
source:
address: 2001:db8:0:3::/64
port_protocol:
eq: www
destination:
address: 2001:fc8:0:4::/64
port_protocol:
eq: telnet
inactive: true
state: mergedThe following example task replaces configuration changes in the existing configuration on a Cisco ASA firewall device, using the FQCN:
---
- name: Replace device configurations of listed ACLs with provided configurations
register: result
cisco.asa.asa_acls: &id001
config:
- acls:
- name: test_global_access
acl_type: extended
aces:
- grant: deny
line: 1
protocol_options:
tcp: true
source:
address: 192.0.4.0
netmask: 255.255.255.0
port_protocol:
eq: telnet
destination:
address: 192.0.5.0
netmask: 255.255.255.0
port_protocol:
eq: www
state: replacedContributing to this collection
We welcome community contributions to this collection. If you find problems, please open an issue or create a PR against the Cisco ASA collection repository. See Contributing to Ansible-maintained collections for complete details.
You can also join us on:
- IRC - the
#ansible-securitylibera.chat channel
See the Ansible Community Guide for details on contributing to Ansible.
Code of Conduct
This collection follows the Ansible project's Code of Conduct. Please read and familiarize yourself with this document.
Release notes
Release notes are available here.
Roadmap
More information
- Ansible Collection overview
- Ansible User guide
- Ansible Developer guide
- Ansible Community code of conduct
Licensing
GNU General Public License v3.0 or later.
See LICENSE to see the full text.