Comments (8)

justjais commented on June 26, 2024

@ITZAbacq thanks for raising the issue, I'll triage the issue from my end and update you more on this asap!

from cisco.asa.

Starican commented on June 26, 2024

Hello!
I want to use this ACL too, but it's not working.
ACL - access-list OUTSIDE extended permit object-group SomeObjectGroupService object-group ObjectGroupNetworkSource object-group ObjectGroupNetworkDestination

Cisco ASAv version: Cisco Adaptive Security Appliance Software Version 9.16(4)19

OS - CentOS Stream release 8

ansible [core 2.12.7]
config file = /home/andrey/ansible/ansible.cfg
configured module search path = ['/home/andrey/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.8/site-packages/ansible
ansible collection location = /home/andrey/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible
python version = 3.8.13 (default, Jun 24 2022, 15:27:57) [GCC 8.5.0 20210514 (Red Hat 8.5.0-13)]
jinja version = 3.1.2
libyaml = True

ansible-galaxy collection list | grep asa
cisco.asa 4.0.1

error:
fatal: [ASAv]: FAILED! => {
"changed": false,
"module_stderr": "up $\r\n\r\naccess-list ACL-NAME extended permit object-group ObjectGroupNetworkSource object-group ObjectGroupNetworkDestination\r\n\r\nERROR: % Invalid input detected at '^' marker.\r\n\rASAv(config)# ",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"

config:

      - name: SomeObjectGroupService
        services_object:
          - protocol: tcp-udp
            destination_port:
              eq: 53

  - name: "add access-list inside"
    cisco.asa.asa_acls:
      config:
        acls:
          - name: ACL-INSIDE
            acl_type: extended
            aces:
              - line: 2
                remark: Access to AD SRVs
              - grant: permit
                destination:
                  service_object_group: SomeObjectGroupService
                  object_group: ObjectGroupNetworkDestination
                source:
                  object_group: ObjectGroupNetworkSource

Thanks!

ITZAbacq commented on June 26, 2024

@Starican
To be honest, I moved on from the modules to using only http-api with yaml and jinja2.

Starican commented on June 26, 2024

@ITZAbacq
Where can I read about it? Need examples :) You use the Cisco ASA REST API, correct?

Thanks!

ITZAbacq commented on June 26, 2024

No, I'm using the http-api. The REST API is not available for ASAv.
https://www.cisco.com/c/en/us/td/docs/security/asa/misc/http-interface/asa-http-interface.html
That's all you need to know about.
Basically it's CLI via https. Easy-mode.

Starican commented on June 26, 2024

@ITZAbacq
ASAv has a REST API. I tested it.

Thanks for URL. Reading...
test.asa# sh run rest-api
!
rest-api image flash:/asa-restapi-7161-lfbff-k8.SPA
rest-api agent

test.asa#sh ver

Cisco Adaptive Security Appliance Software Version 9.16(4)19
SSP Operating System Version 2.10(1.253)
Device Manager Version 7.18(1)152
REST API Agent Version 7.16.1.75

Compiled on Wed 19-Apr-23 19:27 GMT by builders
System image file is "disk0:/asa9-16-4-19-smp-k8.bin"
Config file at boot was "startup-config"

test.asa up 63 days 19 hours

Hardware: ASAv, 4096 MB RAM, CPU Clarkdale 3399 MHz,
Internal ATA Compact Flash, 1024MB

ITZAbacq commented on June 26, 2024

Yeah, but it's not officially supported for my devices. I could install it but I don't want to, as the http-api is far easier. No need for an agent, so easier updates, and it's just CLI commands, which makes it far easier for me than REST.

Starican commented on June 26, 2024

Hi!
I have good news :)
I have this ACL line - access-list OUTSIDE extended permit object-group OGService object-group OGNetworkSource object-group OGNetworkDestination

When I parse this line with Ansible I get this (it's not correct, I understand that):

{
"destination": {
"object_group": "OGNetworkSource",
"service_object_group": "OGNetworkDestination"
},
"grant": "permit",
"source": {
"netmask": "OGervice",
"object_group": "OGService"
}
},

and I changed the config in the Ansible playbook (it's not logically correct, BUT it works!!! I get the ACL on the device without errors) -

        - grant: permit
          line: 1
          destination:
            service_object_group: OGNetworkDestination
            object_group: OGNetworkSource
          source:
            object_group: OGService

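To make the expected mapping concrete, here is an added Python example (not code from the cisco.asa collection or from anyone in this thread) that parses an extended ACE of the object-group form discussed above into the service/source/destination structure the playbook is meant to express, and renders it back without dropping the service object-group the way the failing run did. It handles the subset of ASA syntax seen here plus host/any/network-mask specs; treating an object-group in the protocol slot as a service group is an assumption.

```python
_ANY = ("any", "any4", "any6")
_PORT_OPS = ("eq", "gt", "lt", "neq")
def _take_spec(tokens, i):
    """Consume one source/destination spec starting at tokens[i]."""
    tok = tokens[i]
    if tok == "object-group":
        return {"object_group": tokens[i + 1]}, i + 2
    if tok == "host":
        return {"host": tokens[i + 1]}, i + 2
    if tok in _ANY:
        return {"any": tok}, i + 1
    # Bare "network netmask" pair, e.g. 10.0.0.0 255.255.255.0
    return {"address": tok, "netmask": tokens[i + 1]}, i + 2
def parse_ace(line):
    """Parse 'access-list NAME extended GRANT PROTO SRC DST [OP PORT]'."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError("not an extended ACE: %r" % line)
    ace = {"acl": tokens[1], "grant": tokens[3]}
    i = 4
    # Protocol slot: a keyword (tcp, udp, ip, ...) or an object-group, assumed here to be a service group.
    if tokens[i] == "object-group":
        ace["service_object_group"] = tokens[i + 1]
        i += 2
    else:
        ace["protocol"] = tokens[i]
        i += 1
    ace["source"], i = _take_spec(tokens, i)
    ace["destination"], i = _take_spec(tokens, i)
    if i + 1 < len(tokens) and tokens[i] in _PORT_OPS:
        ace["destination"]["port"] = {tokens[i]: tokens[i + 1]}
    return ace
def _render_spec(spec):
    if "object_group" in spec:
        return "object-group " + spec["object_group"]
    if "host" in spec:
        return "host " + spec["host"]
    if "any" in spec:
        return spec["any"]
    return spec["address"] + " " + spec["netmask"]
def render_ace(ace):
    """Render back to CLI text; the service group is never dropped."""
    proto = ("object-group " + ace["service_object_group"]
             if "service_object_group" in ace else ace["protocol"])
    parts = ["access-list", ace["acl"], "extended", ace["grant"], proto,
             _render_spec(ace["source"]), _render_spec(ace["destination"])]
    for op, value in ace["destination"].get("port", {}).items():
        parts += [op, value]
    return " ".join(parts)
```

Running the thread's OUTSIDE line through parse_ace and render_ace round-trips it unchanged, which is the check a playbook author can use to confirm a module's rendered command before pushing it to a device.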