Ansible ASA Playbook (asa_config and asa_acl): Cisco ASA access-list

As in my previous post, this uses the new development version 2.2 of Ansible, which ships new IOS and ASA core modules.

Here is an example using the asa_config and asa_acl modules: the first task creates an object-group, the second creates the inside access-list that references it. The cli dictionary carries the SSH credentials and the enable password (auth_pass); username, password and device_ip come from the inventory or extra vars, but auth_pass is hard-coded here, so keep a file like this in Ansible Vault (or move the value into a vaulted variable) rather than committing it in clear text:

- name: Cisco ASA access-list config
  connection: local
  hosts: firewall
  gather_facts: false
  vars:
    cli:
      username: "{{ username }}"
      password: "{{ password }}"
      host: "{{ device_ip }}"
      authorize: yes
      auth_pass: cisco
  tasks:
    - name: create object group
      asa_config:
        lines:
          - network-object host 10.1.0.1
          - network-object host 10.1.0.2
          - network-object host 10.1.0.3
        parents: ['object-group network dummy-group']
        provider: "{{ cli }}"
#      register: result   # uncomment to capture the module result for the debug task below

    - name: configure access-list
      asa_acl:
        lines:
          - access-list acl_inside extended permit tcp object-group dummy-group any eq www
          - access-list acl_inside extended permit udp object-group dummy-group any eq domain
          - access-list acl_inside extended deny ip any any
        before: clear configure access-list acl_inside
        match: strict
        replace: block
        provider: "{{ cli }}"
#      register: result   # uncomment to capture the module result for the debug task below

    - debug: var=result

Here is the output when you run the playbook the first time. Both tasks report changed; the debug task prints VARIABLE IS NOT DEFINED! because the register: result lines are commented out, so uncomment one of them if you want to see the module's return values:

ansible-playbook cisco/asa_access-list_config.yml -i cisco/hosts

PLAY [Cisco ASA access-list config] ********************************************

TASK [create object group] *****************************************************
changed: [fw1]

TASK [configure access-list] ***************************************************
changed: [fw1]

TASK [debug] *******************************************************************
ok: [fw1] => {
    "result": "VARIABLE IS NOT DEFINED!"
}

PLAY RECAP *********************************************************************
fw1                        : ok=3    changed=2    unreachable=0    failed=0

Here is the output when you run the playbook a second time. Nothing has changed, so both tasks report ok: no lines are pushed, and the before command (clear configure access-list acl_inside) is only sent when the ACL actually differs, so an unchanged ACL is not cleared and re-created on every run:

ansible-playbook cisco/asa_access-list_config.yml -i cisco/hosts

PLAY [Cisco ASA access-list config] ********************************************

TASK [create object group] *****************************************************
ok: [fw1]

TASK [configure access-list] ***************************************************
ok: [fw1]

TASK [debug] *******************************************************************
ok: [fw1] => {
    "result": "VARIABLE IS NOT DEFINED!"
}

PLAY RECAP *********************************************************************
fw1                        : ok=3    changed=0    unreachable=0    failed=0
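To make the changed/ok behaviour of the two runs concrete, here is a small Python model of the comparison the two modules perform on every run: the desired lines are compared with the running config, only what differs is pushed, and the before commands are prepended only when something is pushed. This is an added illustration and not the modules' own code: it handles a single level of parents, the three match modes (line, strict, exact) are implemented in simplified form, the running configs are constructed samples, and the function names are just labels for the two tasks of the playbook above.

```python
"""Simplified model of the decision asa_config and asa_acl (Ansible 2.2) make
on every run: compare the desired lines with the running config, push only
what differs, and send the `before` commands only when something is pushed.
This is an added illustration, not the modules' own code. The running
configs are constructed samples; the object-group and ACL lines are the
ones from the playbook above."""

OBJECT_GROUP_PARENT = "object-group network dummy-group"
OBJECT_GROUP_LINES = [
    "network-object host 10.1.0.1",
    "network-object host 10.1.0.2",
    "network-object host 10.1.0.3",
]
ACL_LINES = [
    "access-list acl_inside extended permit tcp object-group dummy-group any eq www",
    "access-list acl_inside extended permit udp object-group dummy-group any eq domain",
    "access-list acl_inside extended deny ip any any",
]
ACL_BEFORE = ["clear configure access-list acl_inside"]

# Constructed sample configs. ASA indents block members with a single space.
BASE_CONFIG = "hostname fw1\nobject-group network mgmt-hosts\n network-object host 10.9.9.9\n"
# Before the first run: no dummy-group yet, and acl_inside holds an old entry.
RUNNING_BEFORE = BASE_CONFIG + "access-list acl_inside extended permit tcp any any eq ssh\n"
# After the first run: the old ACL entry was cleared and the desired lines are in place.
RUNNING_AFTER = BASE_CONFIG + "\n".join(
    [OBJECT_GROUP_PARENT] + [" " + l for l in OBJECT_GROUP_LINES] + ACL_LINES) + "\n"
# Drift: someone inserted a permit-all entry by hand, in front of the final deny.
RUNNING_DRIFTED = RUNNING_AFTER.replace(
    ACL_LINES[-1], "access-list acl_inside extended permit ip any any\n" + ACL_LINES[-1])


def parse_config(text):
    """Split a running config into blocks: parent line -> list of member lines.
    Top-level lines are collected under the key None."""
    blocks = {None: []}
    parent = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            blocks.setdefault(parent, []).append(raw.strip())
        else:
            parent = raw.strip()
            blocks[None].append(parent)
            blocks.setdefault(parent, [])
    return blocks


def diff_lines(have, want, match):
    """Desired lines considered missing from `have` under the given match mode."""
    if match == "line":      # each line checked on its own, order ignored
        return [w for w in want if w not in have]
    if match == "strict":    # order matters: compare position by position
        return [w for i, w in enumerate(want) if i >= len(have) or have[i] != w]
    if match == "exact":     # like strict, but extra lines on the device also count
        return list(want) if len(have) != len(want) else diff_lines(have, want, "strict")
    raise ValueError(f"unknown match mode: {match}")


def asa_config_commands(running, lines, parent=None, match="line", replace="line"):
    """Commands the object-group task would push (one level of parents is enough here)."""
    have = parse_config(running).get(parent, [])
    missing = diff_lines(have, lines, match)
    if not missing:
        return []                      # nothing to do -> task reports ok
    body = list(lines) if replace == "block" else missing
    return ([parent] if parent else []) + body


def asa_acl_commands(running, lines, match="strict", replace="block", before=()):
    """Commands the ACL task would push; only entries of the same ACL are compared."""
    name = lines[0].split()[1]
    have = [l for l in parse_config(running)[None] if l.startswith(f"access-list {name} ")]
    missing = diff_lines(have, lines, match)
    if not missing:
        return []                      # unchanged ACL: `before` is NOT sent either
    body = list(lines) if replace == "block" else missing
    return list(before) + body


def plan_run(running):
    """One run of the playbook above: the two tasks, in order, and what each would push."""
    return {
        "create object group": asa_config_commands(running, OBJECT_GROUP_LINES, OBJECT_GROUP_PARENT),
        "configure access-list": asa_acl_commands(running, ACL_LINES, "strict", "block", ACL_BEFORE),
    }


if __name__ == "__main__":
    for label, cfg in (("first run", RUNNING_BEFORE), ("second run", RUNNING_AFTER),
                       ("after drift", RUNNING_DRIFTED)):
        for task, cmds in plan_run(cfg).items():
            print(f"{label} / {task}: {'changed' if cmds else 'ok'}")
            for cmd in cmds:
                print("    " + cmd)
```

Running it reproduces the two outputs above: the first run pushes the object-group and, after the clear, the whole ACL block; the second run pushes nothing for either task. The drift case shows what replace: block buys you: once one entry differs, the whole ACL is cleared and re-pushed in the desired order, not just the one line. One caveat a firewall operator should know: with match: strict an entry that someone appends after the final deny is not detected (extra lines on the device are not compared), while match: exact also flags a different number of entries.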

Read my new post about an Ansible Playbook for Cisco ASAv Firewall Topology


8 Replies to “Ansible ASA Playbook (asa_config and asa_acl): Cisco ASA access-list”

  1. First, thank you for the post, this works great!

    Do you have any suggestions how to update multiple object-groups in asa with single playbook?

    tasks:
      - name: create object group
        asa_config:
          lines:
            - network-object host 10.1.0.1
            - network-object host 10.1.0.2
            - network-object host 10.1.0.3
          parents: ['object-group network dummy-group']
          provider: "{{ cli }}"
        # register: result
    # register: result

    So this works OK for object-group network dummy-group, but if I have another one that I would like to update, what would the format be?

    For example:

    tasks:
      - name: create object group
        asa_config:
          lines:
            - network-object host 10.1.0.1
            - network-object host 10.1.0.2
            - network-object host 10.1.0.3
          parents: ['object-group network dummy-group']
            - network-object host 192.168.0.1
            - network-object host 192.168.0.2
          parents: ['object-group network dummy-group2']

    Thank you!
    Eimis

    1. Hi Eimis,
      I am working on a complete Ansible playbook for a Cisco ASA; it is actually my next blog post, which I will publish at the beginning of next week.

      But you can already have a look at my GitHub repo for this post:
      https://github.com/berndonline/asa-lab-provision

      For creating objects and object-groups I use a Jinja2 template instead of lines:

      - name: include objects variables
        include_vars:
          file: "group_vars/objects.yml"

      - name: create objects
        asa_config:
          src: "templates/objects.j2"

      Jinja2 template objects.j2:

      {% if objects is defined %}
      {% for object, value in objects.items() %}
      object network {{ object }}
      {% if value and 'host' in value %}
      host {{ value['host'] }}
      {% endif %}
      {% if value and 'subnet' in value %}
      subnet {{ value['subnet'] }} {{ value['mask'] }}
      {% endif %}
      {% if 'alias' in value %}
      description {{ value.alias }}
      {% endif %}
      {% endfor %}
      {% endif %}

      Have a look at my repo and come back next week when I am finished with my new post.

      Best,
      Bernd

  2. Hi!

    Thanks for the example above, it works nicely. I'm trying to create a local username task, but I keep getting an error. Can you help me out on this one? Here's the example:


    - name: Cisco ASA access-list config
      connection: local
      hosts: firewall
      gather_facts: false

      vars:
        cli:
          host: 192.168.0.99
          authorize: yes
          auth_pass: xxxxxx

      tasks:
        - name: create local user
          asa_config:
            lines:
              - username test password testing privilege 15
            provider: "{{ cli }}"
          #
          register: print_output
        - debug: var=print_output

    I’m passing my ssh creds as arguments.

    Thanks!
    Fabian

    1. Hi Fabian,
      Ansible works a bit differently; you should have a separate inventory file when you run a playbook. You can also group your devices in the inventory file if needed, but there is no need to have the credentials in the inventory; that is just something I do because of Ansible Vault, to encrypt the inventory file.

      Here is an example inventory:

      firewall ansible_ssh_host=192.168.0.1 ansible_ssh_port=22 ansible_ssh_user='cisco' ansible_ssh_pass='cisco'
      

      Here is your playbook to create a user account:

      ---
      - hosts: all
        connection: local
        gather_facts: 'false'

        vars:
          cli:
            username: "{{ ansible_ssh_user }}"
            password: "{{ ansible_ssh_pass }}"
            host: "{{ ansible_ssh_host }}"
            authorize: 'yes'
            auth_pass: cisco
        tasks:
          - name: create local user
            asa_config:
              lines:
                - username test password testing privilege 15
              provider: "{{ cli }}"
            register: result

          - debug: var=result


      Now just execute the playbook:

      ansible-playbook ./create_user.yml -i ./inventory 
      

      I hope that helps you to continue.
      Best,
      Bernd
