ansible-collections / cisco.asa
Ansible Security Collection for Cisco ASA
License: GNU General Public License v3.0
Cisco ASA Acls resource module rename param giving traceback
asa_acls
devel
macos
- cisco.asa.asa_acls:
    config:
      - acls:
          - name: test_access
            rename: test_rename_global_access
    state: merged
Want: the ACL name should be renamed to the input want name.
Traceback error thrown: TypeError: 'NoneType' object is not iterable
There are issues with simple ACL parsing. Please look at the "destination" section.
cisco.asa.asa_acls
ansible 2.10.5
dmitry@host:~$ ansible-galaxy collection list cisco.asa
# /usr/lib/python3/dist-packages/ansible_collections
Collection Version
---------- -------
cisco.asa 1.0.4
# /home/dmitry/.ansible/collections/ansible_collections
Collection Version
---------- -------
cisco.asa 2.0.2
Ubuntu Server 21.04
dmitry@host:~$ cat small.txt
access-list ck_kspd_in line 1 extended permit tcp 10.10.10.0 255.255.252.0 host 10.20.20.164 range 8001 8002
---
- hosts: asa01
  gather_facts: false
  connection: network_cli
  collections:
    - cisco.asa
  tasks:
    - name: Parse the commands for provided configuration
      cisco.asa.asa_acls:
        running_config: "{{ lookup('file', 'small.txt') }}"
        state: parsed
"parsed": {
"acls": [
{
"aces": [
{
"destination": {
"host": "10.20.20.164",
"port_protocol": {
"range": {
"end": 8002,
"start": 8001
}
}
},
"grant": "permit",
"line": 1,
"protocol": "tcp",
"protocol_options": {
"tcp": true
},
"source": {
"address": "10.10.10.0",
"netmask": "255.255.252.0"
}
}
],
"acl_type": "extended",
"name": "ck_kspd_in"
}
]
}
"parsed": {
"acls": [
{
"aces": [
{
"destination": {
"address": "host",
"netmask": "10.20.20.164"
},
"grant": "permit",
"line": 1,
"protocol": "tcp",
"protocol_options": {
"tcp": true
},
"source": {
"address": "10.10.10.0",
"netmask": "255.255.252.0"
}
}
],
"acl_type": "extended",
"name": "ck_kspd_in"
}
]
}
I try to call a remote ssh command, but the command changes the prompt from "#" to " /dirname #", so Ansible sends an error "command timeout triggered". Can someone help me please?
It's a Firepower, and I need to use the scope command to change the object. If I try show config or show version it works well, but if I try scope I get a timeout, and the only thing I found is that the prompt is different.
"/security # " does not match a regex https://regex101.com/r/cQ9MpW/1
ansible [core 2.11.6]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /opt/ansible/venv/lib/python3.9/site-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /opt/ansible/venv/bin/ansible
python version = 3.9.5 (default, May 19 2021, 11:32:47) [GCC 9.3.0]
jinja version = 3.0.2
libyaml = True
Collection Version
cisco.asa 2.0.2
Collection Version
cisco.asa 2.1.0
DEPRECATION_WARNINGS(/etc/ansible/ansible.cfg) = False
DISPLAY_SKIPPED_HOSTS(/etc/ansible/ansible.cfg) = False
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
PERSISTENT_COMMAND_TIMEOUT(/etc/ansible/ansible.cfg) = 45
RETRY_FILES_ENABLED(/etc/ansible/ansible.cfg) = False
Firepower 41xx
show version
Version: 2.8(1.143)
Startup-Vers: 2.8(1.143
# scope ?
adapter Mezzanine Adapter
cabling Cabling
chassis Chassis
cloud-connector Cloud Connector
eth-server Ethernet Server Domain
eth-uplink Ethernet Uplink
fabric-interconnect Fabric Interconnect
firmware Firmware
host-eth-if Host Ethernet Interface
license License
monitoring Monitor the system
org Organizations
packet-capture Packet Capture Domain
security security mode
server Server
service-profile Service Profile
ssa Security Services
system Systems
vhba vHBA
vnic vNIC
# scope security
/security #
With Ansible the same:
1 command
- scope ?
code
- name: "commands firepower"
  when: inventory_hostname == fwname
  asa_command:
    commands:
      - scope ?
      - exit
ok: [FIREPOWER] => {
"msg": {
"changed": false,
"failed": false,
"stdout": [
"scope \n adapter Mezzanine Adapter \n cabling Cabling \n chassis Chassis \n cloud-connector Cloud Connector \n eth-server Ethernet Server Domain \n eth-uplink Ethernet Uplink \n fabric-interconnect Fabric Interconnect \n firmware Firmware \n host-eth-if Host Ethernet Interface \n license License \n monitoring Monitor the system \n org Organizations \n packet-capture Packet Capture Domain \n security security mode \n server Server \n service-profile Service Profile \n ssa Security Services \n system Systems \n vhba vHBA \n vnic vNIC \n\n\n\n ^\n% Incomplete Command at '^' marker",
"None"
],
"stdout_lines": [
[
"scope ",
" adapter Mezzanine Adapter ",
" cabling Cabling ",
" chassis Chassis ",
" cloud-connector Cloud Connector ",
" eth-server Ethernet Server Domain ",
" eth-uplink Ethernet Uplink ",
" fabric-interconnect Fabric Interconnect ",
" firmware Firmware ",
" host-eth-if Host Ethernet Interface ",
" license License ",
" monitoring Monitor the system ",
" org Organizations ",
" packet-capture Packet Capture Domain ",
" security security mode ",
" server Server ",
" service-profile Service Profile ",
" ssa Security Services ",
" system Systems ",
" vhba vHBA ",
" vnic vNIC ",
"",
"",
"",
" ^",
"% Incomplete Command at '^' marker"
],
[
"None"
]
]
}
}
2 command
- scope security
code
- name: "commands firepower"
  when: inventory_hostname == fwname
  asa_command:
    commands:
      - scope security
      - exit
The full traceback is:
File "/tmp/ansible_asa_command_payload_on6ya26c/ansible_asa_command_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/asa.py", line 147, in run_commands
return connection.run_commands(commands=commands, check_rc=check_rc)
File "/tmp/ansible_asa_command_payload_on6ya26c/ansible_asa_command_payload.zip/ansible/module_utils/connection.py", line 200, in __rpc__
raise ConnectionError(to_text(msg, errors='surrogate_then_replace'), code=code)
fatal: [FIREPOWER]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"authorize": null,
"commands": [
"scope security"
],
"context": null,
"interval": 1,
"match": "all",
"passwords": null,
"provider": null,
"retries": 10,
"wait_for": null
}
},
"msg": "command timeout triggered, timeout value is 45 secs.\nSee the timeout setting options in the Network Debug and Troubleshooting Guide."
}
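The prompt mismatch described above, shown as an added example (not code from the cisco.asa collection): an ASA-style prompt regex, written in the style of Ansible network_cli terminal patterns but not the collection's actual one, is checked against the prompts quoted in this issue, next to a broadened pattern that also accepts an FXOS scope prompt such as "/security # ". The hostname-prefixed FXOS prompt is a constructed sample.

```python
import re
from typing import Dict, List

# Prompt strings that appear on this page, plus one constructed FXOS prompt
# that carries a hostname before the scope path.
PROMPTS: List[str] = [
    "some-cisco-asa-fw# ",
    "some-cisco-asa-fw> ",
    "test_asa_fw_01/admin(config-protocol-object-group)# ",
    "/security # ",
    "fxos-a /security # ",            # constructed sample
]
# Output lines from the same transcripts that must never be taken for a prompt.
OUTPUT_LINES: List[str] = [
    "% Incomplete Command at '^' marker",
    "Password: ",
    " security security mode ",
]

# ASA-style prompt: hostname[/context], up to three "(mode)" suffixes, then > or #.
# Modelled on the shape of network_cli terminal regexes; assumption, not the collection's pattern.
ASA_PROMPT = re.compile(r"[\r\n]?[\w+\-.:/\[\]]+(?:\([^)]+\)){0,3}[>#] ?$")
# Broadened: an FXOS scope path (" /security", " /chassis/server 1") may follow the
# hostname, and FXOS puts a space between the path and the "#".
FXOS_PROMPT = re.compile(r"[\r\n]?[\w+\-.:\[\]]*(?: ?/[\w\-/ ]*)?(?:\([^)]+\)){0,3} ?[>#] ?$")


def prompt_matches(pattern: "re.Pattern[str]", lines: List[str]) -> Dict[str, bool]:
    """Map each line to whether `pattern` would accept it as a prompt."""
    return {line: pattern.search(line) is not None for line in lines}


if __name__ == "__main__":
    for name, pat in (("ASA_PROMPT", ASA_PROMPT), ("FXOS_PROMPT", FXOS_PROMPT)):
        print(name, prompt_matches(pat, PROMPTS + OUTPUT_LINES))
```

A looser prompt pattern raises the chance of mistaking an output line for the prompt, which is why the output lines from the transcript are part of the check.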
Running black executable should format python as expected.
black
Python, not Ansible issue
black .
which reformats the documents
black .
would reformat all Python files as expected
Reformat works, tox linter fails in Zuul
/cisco.asa/plugins/modules/asa_og.py
All done! 💥 💔 💥
1 file would be reformatted, 66 files would be left unchanged.
This collection will be included in Ansible 2.10 because it contains modules and/or plugins that were included in Ansible 2.9. Please review:
The latest version of the collection available on August 18 will be included in Ansible 2.10.0, except possibly newer versions which differ only in the patch level. (For details, see the roadmap). Please release version 1.0.0 of your collection by this date! If 1.0.0 does not exist, the same 0.x.y version will be used in all of Ansible 2.10 without updates, and your 1.x.y release will not be included until Ansible 2.11 (unless you request an exception at a community working group meeting and go through a demanding manual process to vouch for backwards compatibility . . . you want to avoid this!).
Your collection versioning must follow all semver rules. This means:
Your collection should provide data for the Ansible 2.10 changelog and porting guide. The changelog and porting guide are automatically generated from ansible-base, and from the changelogs of the included collections. All changes from the breaking_changes, major_changes, removed_features and deprecated_features sections will appear in both the changelog and the porting guide. You have two options for providing changelog fragments to include:
changelogs/changelog.yaml inside your collection (see the documentation of changelogs/changelog.yaml format).
If you cannot contribute to the integrated Ansible changelog using one of these methods, please provide a link to your collection's changelog by creating an issue in https://github.com/ansible-community/ansible-build-data/. If you do not provide changelogs/changelog.yml or a link, users will not be able to find out what changed in your collection from the Ansible changelog and porting guide.
Run ansible-test sanity --docker -v in the collection with the latest ansible-base or stable-2.10 ansible/ansible checkout.
Be sure you're subscribed to:
If you have questions or want to provide feedback, please see the Feedback section in the collection requirements.
(Internal link to keep track of issues: ansible-collections/overview#102)
When a "protocol" object-group contains a member like:
protocol-object 16
the asa_ogs task fails with a fatal error
asa_ogs
ansible-playbook 2.10.3
config file = None
configured module search path = ['path/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = path/Library/Python/3.8/lib/python/site-packages/ansible
executable location = path/Library/Python/3.8/bin/ansible-playbook
python version = 3.8.2 (default, Apr 8 2021, 23:19:18) [Clang 12.0.5 (clang-1205.0.22.9)]
[empty]
MacOS using python 3.8, but also tested from Ansible Tower using python 2.7
Collection Version
ansible.netcommon 2.1.0
ansible.utils 2.2.0
cisco.asa 2.0.2
paloaltonetworks.panos 2.5.0
Configure a protocol object-group similar to:
test_asa_fw_01/admin# show run object-group protocol
object-group protocol proto1
protocol-object tcp
protocol-object 16
protocol-object udp
test_asa_fw_01/admin#
tasks:
  - name: Get network object groups only
    cisco.asa.asa_ogs:
      config:
      state: gathered
Expectation is the groups will be parsed without an error. Integers between 0 and 255 are valid (test firewall version 9.12(4)18):
test_asa_fw_01/admin(config-protocol-object-group)# protocol-object ?
protocol-object-group mode commands/options:
<0-255> Enter protocol number (0 - 255)
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
ospf
pcp
pim
pptp
sctp
snp
tcp
udp
test_asa_fw_01/admin(config-protocol-object-group)#
Fatal error. Note also that the "state" provided in the task is "gathered", but the task output says "merged":
...
"invocation": {
"module_args": {
"running_config": null,
"state": "merged",
"config": [
...
]
}
},
"changed": false,
"msg": "value of protocol must be one or more of: ah, eigrp, esp, gre, icmp, icmp6, igmp, igrp, ip, ipinip, ipsec, nos, ospf, pcp, pim, pptp, sctp, snp, tcp, udp. Got no match for: 16 found in config -> object_groups -> protocol_object"
}
Provide a parameter that will enable use of the "login" feature of ASA for privilege escalation.
Applicable to all modules where privilege escalation is used
The "become_method" for ASA seems to be limited to "enable". If a certain aaa command is not configured, this requires a different password than the user who logged in initially, and does not retain the user when escalating privilege. Adding a "login" method would require just one more prompt interaction. Instead of:
some-cisco-asa-fw> enable
Password: *********
some-cisco-asa-fw#
It would be:
some-cisco-asa-fw> login
Username: auser
Password: *********
some-cisco-asa-fw#
With the username being the original ansible_user and the password being the original ansible_ssh_pass, and no need for an ansible_become_pass.
- name: run some asa commands
  cisco.asa.asa_command:
    commands:
      - show run aaa
    cisco_login: true
When a network object-group exists but does not contain any network-objects, you get a KeyError on 'network-object' that is not caught. This configuration is valid on the ASA, so it should be handled.
/home/darkhelmet/.venvs/py2-ansible2.9/lib/python2.7/site-packages/ansible/parsing/vault/__init__.py:44: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography.exceptions import InvalidSignature
ansible 2.9.23
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/home/darkhelmet/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /home/darkhelmet/.venvs/py2-ansible2.9/lib/python2.7/site-packages/ansible
executable location = /home/darkhelmet/.venvs/py2-ansible2.9/bin/ansible
python version = 2.7.18 (default, May 19 2021, 00:00:00) [GCC 11.1.1 20210428 (Red Hat 11.1.1-1)]
Same problem with Ansible 2.9.23 on Python 3.9 as well.
# /home/darkhelmet/.ansible/collections/ansible_collections
Collection Version
---------- -------
cisco.asa 2.0.2
ASA 9.12(4)29 on both real hardware and an ASAv
Create an empty network object-group but do not add any network-objects to it. You will get a KeyError because no network-objects are in the object-group.
object-group network bug_test_obj
---
- hosts: all
  tasks:
    - cisco.asa.asa_ogs:
        config:
          - object_type: network
            object_groups:
              - name: bug_test_obj
                network_object:
                  host:
                    - 9.9.9.9
The empty object-group now has 9.9.9.9 instead of being empty.
The full traceback is:
Traceback (most recent call last):
File "/home/darkhelmet/.ansible/tmp/ansible-local-80877k3oz87/ansible-tmp-1629468497.24-80940-60367002611697/AnsiballZ_asa_ogs.py", line 102, in <module>
_ansiballz_main()
File "/home/darkhelmet/.ansible/tmp/ansible-local-80877k3oz87/ansible-tmp-1629468497.24-80940-60367002611697/AnsiballZ_asa_ogs.py", line 94, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/home/darkhelmet/.ansible/tmp/ansible-local-80877k3oz87/ansible-tmp-1629468497.24-80940-60367002611697/AnsiballZ_asa_ogs.py", line 40, in invoke_module
runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_ogs', init_globals=None, run_name='__main__', alter_sys=True)
File "/usr/lib64/python3.9/runpy.py", line 210, in run_module
return _run_module_code(code, init_globals, run_name, mod_spec)
File "/usr/lib64/python3.9/runpy.py", line 97, in _run_module_code
_run_code(code, mod_globals, init_globals,
File "/usr/lib64/python3.9/runpy.py", line 87, in _run_code
exec(code, run_globals)
File "/tmp/ansible_cisco.asa.asa_ogs_payload_pfeq4xn0/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_ogs.py", line 918, in <module>
File "/tmp/ansible_cisco.asa.asa_ogs_payload_pfeq4xn0/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_ogs.py", line 912, in main
File "/tmp/ansible_cisco.asa.asa_ogs_payload_pfeq4xn0/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/ogs/ogs.py", line 56, in execute_module
File "/tmp/ansible_cisco.asa.asa_ogs_payload_pfeq4xn0/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/ogs/ogs.py", line 129, in gen_config
File "/tmp/ansible_cisco.asa.asa_ogs_payload_pfeq4xn0/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/ogs/ogs.py", line 145, in _compare
File "/tmp/ansible_cisco.asa.asa_ogs_payload_pfeq4xn0/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/ogs/ogs.py", line 221, in _network_object_compare
File "/tmp/ansible_cisco.asa.asa_ogs_payload_pfeq4xn0/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/ogs/ogs.py", line 474, in _add_object_cmd
KeyError: 'network_object'
Cisco ASA ACLs module fails when trying to configure ICMP/ICMP6 option
asa_acls.py
devel
---
- cisco.asa.asa_acls:
    config:
      - acls:
          - name: test_access
            acl_type: extended
            aces:
              - grant: deny
                line: 1
                protocol: tcp
                protocol_options:
                  tcp: true
                source:
                  address: 192.0.2.0
                  netmask: 255.255.255.0
                destination:
                  address: 192.0.3.0
                  netmask: 255.255.255.0
                  port_protocol:
                    eq: www
                log: default
              - grant: deny
                line: 2
                protocol: icmp
                protocol_options:
                  icmp:
                    alternate_address: true
                source:
                  address: 198.51.100.0
                  netmask: 255.255.255.0
                destination:
                  address: 198.51.110.0
                  netmask: 255.255.255.0
                log: errors
    state: merged
The config command is generated properly and ACLs configured as expected
Command generated has missing ICMP option and thus generated command fails
Can't gather facts when an ACL contains "any4/any6".
asa_acls
ansible 2.9.10
config file = /home/xxxx/asa/ansible.cfg
configured module search path = [u'/home/xxxx/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.5 (default, Aug 7 2019, 00:51:29) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
COLLECTIONS_PATHS(/home/xxxx/asa/ansible.cfg) = [u'/home/xxxx/asa/collections', u'/home/xxxx/.ansible/collecti
DEFAULT_CALLBACK_WHITELIST(/home/xxxx/asa/ansible.cfg) = [u'profile_tasks']
DEFAULT_HOST_LIST(/home/xxxx/asa/ansible.cfg) = [u'/home/xxxx/asa/inventory']
Used module:
---
- hosts: asa
  gather_facts: false
  collections:
    - cisco.asa
  tasks:
    - name: test
      cisco.asa.asa_acls:
        config:
        state: gathered
The task must return a list of ACLs.
ansible-playbook asa_acl.yml
PLAY [asa] ******************************************************************************************************************
TASK [test] *****************************************************************************************************************
Sunday 12 July 2020 02:23:46 +0200 (0:00:00.081) 0:00:00.081 ***********
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: 'any' is not in list
fatal: [ASA_DRO]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File \"/home/sebastien/.ansible/tmp/ansible-local-18005eEiQXL/ansible-tmp-1594513427.38-18015-3767959020102/AnsiballZ_asa_acls.py\", line 102, in <module>\n _ansiballz_main()\n File \"/home/sebastien/.ansible/tmp/ansible-local-18005eEiQXL/ansible-tmp-1594513427.38-18015-3767959020102/AnsiballZ_asa_acls.py\", line 94, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/home/sebastien/.ansible/tmp/ansible-local-18005eEiQXL/ansible-tmp-1594513427.38-18015-3767959020102/AnsiballZ_asa_acls.py\", line 40, in invoke_module\n runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_acls', init_globals=None, run_name='__main__', alter_sys=True)\n File \"/usr/lib64/python2.7/runpy.py\", line 176, in run_module\n fname, loader, pkg_name)\n File \"/usr/lib64/python2.7/runpy.py\", line 82, in _run_module_code\n mod_name, mod_fname, mod_loader, pkg_name)\n File \"/usr/lib64/python2.7/runpy.py\", line 72, in _run_code\n exec code in run_globals\n File \"/tmp/ansible_cisco.asa.asa_acls_payload_RUDVTo/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py\", line 1238, in <module>\n File \"/tmp/ansible_cisco.asa.asa_acls_payload_RUDVTo/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py\", line 1233, in main\n File \"/tmp/ansible_cisco.asa.asa_acls_payload_RUDVTo/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py\", line 88, in execute_module\n File \"/tmp/ansible_cisco.asa.asa_acls_payload_RUDVTo/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py\", line 54, in get_acls_facts\n File \"/tmp/ansible_cisco.asa.asa_acls_payload_RUDVTo/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/facts.py\", line 59, in get_facts\n File \"/tmp/ansible_cisco.asa.asa_acls_payload_RUDVTo/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/ansible/netcommon/plugins/module_utils/network/common/facts/facts.py\", line 128, in get_network_resources_facts\n File \"/tmp/ansible_cisco.asa.asa_acls_payload_RUDVTo/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py\", line 70, in populate_facts\n File \"/tmp/ansible_cisco.asa.asa_acls_payload_RUDVTo/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py\", line 459, in render_config\n File \"/tmp/ansible_cisco.asa.asa_acls_payload_RUDVTo/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py\", line 216, in populate_source_destination\nValueError: 'any' is not in list\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
PLAY RECAP ******************************************************************************************************************
ASA : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Sunday 12 July 2020 02:23:50 +0200 (0:00:03.983) 0:00:04.065 ***********
===============================================================================
test ----------------------------------------------------------------------------------------------------------------- 3.98s
Enable Cisco ASA Botnet Traffic Filter via dynamic/static DB configuration.
Malware that attempts network activity such as sending private data (passwords, credit card numbers, keystrokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic/static database of known bad domain names and IP addresses (the blacklist), and then logs or blocks any suspicious activity. For more information about the feature, please refer to: Cisco Botnet traffic filter guide
If Ansible has the ASA dynamic_filter module to configure, this entire process of configuring and adding the address to the static DB or enabling the dynamic DB can be automated, and the process can then be integrated with Ansible security SIEM offerings and easily converted to solve and automate the incident response use case using Cisco ASA.
cisco.asa
https://github.com/ansible/ansible/pull/59073/files
See the PR I put in, can you add this to the ASA?
Bug 58258 on Ansible
asa_og
ansible --version
ansible 2.8.1
config file = /Users/joshv/Github/ansible-asa_work/ansible.cfg
configured module search path = ['/etc/ansible/library']
ansible python module location = /usr/local/lib/python3.7/site-packages/ansible
executable location = /usr/local/bin/ansible
python version = 3.7.2 (default, Feb 10 2019, 15:44:18) [Clang 10.0.0 (clang-1000.11.45.5)]
DEFAULT_HOST_LIST(/Users/joshv/Github/ansible-asa_work/ansible.cfg) = ['/Users/joshv/Github/ansible-asa_work/hosts']
DEFAULT_MODULE_PATH(/Users/joshv/Github/ansible-asa_work/ansible.cfg) = ['/etc/ansible/library']
HOST_KEY_CHECKING(/Users/joshv/Github/ansible-asa_work/ansible.cfg) = False
INTERPRETER_PYTHON(/Users/joshv/Github/ansible-asa_work/ansible.cfg) = /usr/local/bin/python3
Mac OS as command host
ASAv in lab environment
- name: "TASK 3: Add Port Group"
  asa_og:
    name: SVC_OBJ_DNS_NTP
    group_type: port-object
    state: present
    description: DNS and NTP ports
    protocol: udp
    port_eq:
      - 53
      - 123
  register: output3
Workaround task setup:
- name: "TASK 3: Add Port Group"
  asa_og:
    name: SVC_OBJ_DNS_NTP
    group_type: port-object
    state: present
    description: DNS and NTP ports
    protocol: udp
    port_eq:
      - "53"
      - "123"
  register: output3
I'd expect that the object group would be created.
The module errors out on playbook execution.
Workaround: Change the integers to strings to avoid integer/string concatenation issues
fatal: [asa1]: FAILED! => {"changed": false, "module_stderr": "/Users/joshv/.ansible/tmp/ansible-local-49807bxzhne75/ansible-tmp-1561309596.022644-207996390419631/AnsiballZ_asa_og.py:18: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
import imp
Traceback (most recent call last):
File \"/Users/joshv/.ansible/tmp/ansible-local-49807bxzhne75/ansible-tmp-1561309596.022644-207996390419631/AnsiballZ_asa_og.py\", line 114, in <module>
_ansiballz_main()
File \"/Users/joshv/.ansible/tmp/ansible-local-49807bxzhne75/ansible-tmp-1561309596.022644-207996390419631/AnsiballZ_asa_og.py\", line 106, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File \"/Users/joshv/.ansible/tmp/ansible-local-49807bxzhne75/ansible-tmp-1561309596.022644-207996390419631/AnsiballZ_asa_og.py\", line 49, in invoke_module
imp.load_module('__main__', mod, module, MOD_DESC)
File \"/usr/local/Cellar/python/3.7.2_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/imp.py\", line 234, in load_module
return load_source(name, filename, file)
File \"/usr/local/Cellar/python/3.7.2_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/imp.py\", line 169, in load_source
module = _exec(spec, sys.modules[name])
File \"<frozen importlib._bootstrap>\", line 630, in _exec
File \"<frozen importlib._bootstrap_external>\", line 728, in exec_module
File \"<frozen importlib._bootstrap>\", line 219, in _call_with_frames_removed
File \"/var/folders/cf/m5ysrq0j1vn8y0s8_67j4hyw0000gn/T/ansible_asa_og_payload_8oc36h_s/__main__.py\", line 801, in <module>
File \"/var/folders/cf/m5ysrq0j1vn8y0s8_67j4hyw0000gn/T/ansible_asa_og_payload_8oc36h_s/__main__.py\", line 788, in main
File \"/var/folders/cf/m5ysrq0j1vn8y0s8_67j4hyw0000gn/T/ansible_asa_og_payload_8oc36h_s/__main__.py\", line 735, in map_obj_to_commands
File \"/var/folders/cf/m5ysrq0j1vn8y0s8_67j4hyw0000gn/T/ansible_asa_og_payload_8oc36h_s/__main__.py\", line 557, in present
TypeError: can only concatenate str (not \"int\") to str
", "module_stdout": "", "msg": "MODULE FAILURE
See stdout/stderr for the exact error", "rc": 1}
Merge the code in ansible/ansible#59073 and this will be resolved.
When trying to run cisco.asa.asa_ogs, I constantly get the following error, msg: 'argument start is of type <type ''str''> found in ''config -> object_groups -> services_object -> destination_port -> range''. and we were unable to convert to int: <type ''str''> cannot be converted to an int'
config file = /etc/ansible/ansible.cfg
configured module search path = ['/Users/jholbert/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.8/site-packages/ansible
executable location = /usr/local/bin/ansible
python version = 3.8.12 (default, Oct 13 2021, 06:42:19) [Clang 12.0.0 (clang-1200.0.32.29)]
not able to retrieve
DEFAULT_LOAD_CALLBACK_PLUGINS(/private/etc/ansible/ansible.cfg) = True
DEFAULT_STDOUT_CALLBACK(/private/etc/ansible/ansible.cfg) = yaml
DEPRECATION_WARNINGS(/private/etc/ansible/ansible.cfg) = True
HOST_KEY_CHECKING(/private/etc/ansible/ansible.cfg) = False
PERSISTENT_COMMAND_TIMEOUT(/private/etc/ansible/ansible.cfg) = 120
PERSISTENT_CONNECT_TIMEOUT(/private/etc/ansible/ansible.cfg) = 60
RETRY_FILES_ENABLED(/private/etc/ansible/ansible.cfg) = False
Cisco Adaptive Security Appliance Software Version 9.16(1)28
Running the below playbook always fails with the error message above
---
- hosts: asa_staging
  gather_facts: false
  connection: network_cli
  become: yes
  become_method: enable
  tasks:
    - name: Gather listed OGs with provided configurations
      cisco.asa.asa_ogs:
        config:
        state: gathered
Gathered results
fatal: [aws-stg-asa01]: FAILED! => changed=false
  ansible_facts:
    discovered_interpreter_python: /usr/bin/python
  msg: 'argument start is of type <type ''str''> found in ''config -> object_groups -> services_object -> destination_port -> range''. and we were unable to convert to int: <type ''str''> cannot be converted to an int'
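The three type-handling reports above (a numeric protocol-object rejected, port_eq integers concatenated into a string, a gathered port range whose start is a string) share one cause: member values read from or written to the CLI are not normalised. The added example below is not cisco.asa code; the dict layout and function names are this example's own. It validates protocol-object values against the CLI help quoted earlier, parses service-object members with typed ports, and renders a port-object group from mixed int/str input; the running-config sample is constructed.

```python
from typing import Any, Dict, List, Optional, Union

# protocol-object keywords accepted by the ASA, taken from the CLI help quoted on this page.
PROTOCOL_NAMES = {"ah", "eigrp", "esp", "gre", "icmp", "icmp6", "igmp", "igrp", "ip", "ipinip",
                  "ipsec", "nos", "ospf", "pcp", "pim", "pptp", "sctp", "snp", "tcp", "udp"}

# Constructed `show run object-group` output: proto1 is the group from this page,
# WEB-SVCS is a made-up service group with a numeric range, a named port and an ICMP type.
SAMPLE_RUNNING_CONFIG = """\
object-group protocol proto1
 protocol-object tcp
 protocol-object 16
 protocol-object udp
object-group service WEB-SVCS
 service-object tcp destination range 8001 8002
 service-object udp destination eq domain
 service-object icmp echo
"""


def validate_protocol_object(value: Union[int, str]) -> str:
    """Accept a protocol keyword or an IP protocol number 0-255; return it as CLI text."""
    text = str(value).strip().lower()
    if text in PROTOCOL_NAMES:
        return text
    if text.isdigit() and 0 <= int(text) <= 255:
        return str(int(text))
    raise ValueError("protocol must be one of %s or a number 0-255, got %r"
                     % (", ".join(sorted(PROTOCOL_NAMES)), value))


def _port(tok: str) -> Union[int, str]:
    # Numbers become ints (the 'argument start is of type str' failure above);
    # named services such as domain or www stay strings.
    return int(tok) if tok.isdigit() else tok


def parse_service_object(line: str) -> Dict[str, Any]:
    """Parse one `service-object ...` member line into a dict with typed port values."""
    words = line.split()
    if not words or words[0] != "service-object":
        raise ValueError("not a service-object line: %r" % line)
    if words[1] == "object":
        return {"object": words[2]}
    obj: Dict[str, Any] = {"protocol": validate_protocol_object(words[1])}
    i = 2
    while i < len(words):
        if words[i] in ("source", "destination"):
            side, op = words[i] + "_port", words[i + 1]
            if op == "range":
                obj[side] = {"range": {"start": _port(words[i + 2]), "end": _port(words[i + 3])}}
                i += 4
            else:                                   # eq / neq / gt / lt
                obj[side] = {op: _port(words[i + 2])}
                i += 3
        else:                                       # icmp / icmp6 type keyword
            obj["icmp_type"] = words[i]
            i += 1
    return obj


def parse_object_groups(running_config: str) -> Dict[str, List[Any]]:
    """Collect protocol and service groups; members are validated and typed as they are read."""
    groups: Dict[str, List[Any]] = {}
    current: Optional[str] = None
    for line in running_config.splitlines():
        words = line.split()
        if line.startswith("object-group protocol ") or line.startswith("object-group service "):
            current, groups[words[2]] = words[2], []
        elif not line.startswith(" "):
            current = None                          # any other top-level line ends the group
        elif current and words and words[0] == "protocol-object":
            groups[current].append(validate_protocol_object(words[1]))
        elif current and words and words[0] == "service-object":
            groups[current].append(parse_service_object(line.strip()))
    return groups


def port_object_commands(name: str, protocol: str, port_eq: List[Union[int, str]],
                         description: Optional[str] = None) -> List[str]:
    """Render an `object-group service NAME PROTO` block; port_eq entries may be int or str.
    %s formatting avoids the str + int concatenation shown in the asa_og traceback above."""
    cmds = ["object-group service %s %s" % (name, protocol)]
    if description:
        cmds.append("description %s" % description)
    cmds += ["port-object eq %s" % port for port in port_eq]
    return cmds
```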
The 'before' and 'after' state does not show IPv6 addresses for 'host' keys. This causes every execution of a play to try and add the IPv6 host entry. It appends to 'commands' correctly and is sent to the device but because it is not in the model it reports changed. It also sends commands that result in an error at the CLI to the box.
asa_ogs
ansible 2.9.24
config file = /home/darkhelmet/Documents/Projects/ansible.cfg
configured module search path = ['/home/darkhelmet/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.9/site-packages/ansible
executable location = /usr/bin/ansible
python version = 3.9.6 (default, Jul 16 2021, 00:00:00) [GCC 11.1.1 20210531 (Red Hat 11.1.1-3)]
# /home/darkhelmet/.ansible/collections/ansible_collections
Collection Version
---------- -------
cisco.asa 2.0.2
ASAv 9.12(4)
---
- hosts: asav-912
  tasks:
    - cisco.asa.asa_ogs:
        config:
          - object_type: network
            object_groups:
              - name: issue-128
                network_object:
                  host:
                    - 192.0.2.1
                    - 2001:0db8::1
        state: replaced
I expect an object-group that looks like:
object-group network issue-128
network-object host 192.0.2.1
network-object host 2001:db8::1
And if it exists I expect the task to be idempotent.
changed: [asav-912] => {
"after": [
{
"object_groups": [
{
"name": "issue-128",
"network_object": {
"host": [
"192.0.2.1"
]
}
}
],
"object_type": "network"
}
],
"before": [
{
"object_groups": [
{
"name": "issue-128",
"network_object": {
"host": [
"192.0.2.1"
]
}
}
],
"object_type": "network"
}
],
"changed": true,
"commands": [
"object-group network issue-128",
"network-object host 2001:0db8::1"
],
"invocation": {
"module_args": {
"config": [
{
"object_groups": [
{
"description": null,
"group_object": null,
"icmp_type": null,
"name": "issue-128",
"network_object": {
"address": null,
"host": [
"192.0.2.1",
"2001:0db8::1"
],
"ipv6_address": null,
"object": null
},
"protocol_object": null,
"security_group": null,
"service_object": null,
"user_object": null
}
],
"object_type": "network"
}
],
"running_config": null,
"state": "replaced"
}
}
}
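An added example (not the collection's code) for this report and the earlier empty-object-group KeyError: a small model of `object-group network` blocks that gives a member-less group empty lists instead of a missing key, canonicalises host addresses with the ipaddress module so that 2001:0db8::1 and 2001:db8::1 compare equal, and emits only the commands that actually differ, so a second run of the same want returns no commands. The running-config sample is constructed; the group names come from this page.

```python
import ipaddress
from typing import Dict, List, Optional

MEMBER_KINDS = ("host", "address", "ipv6_address", "object")

# Constructed `show run object-group` output: issue-128 as the ASA stores it
# (compressed IPv6), bug_test_obj with no members, and a group with mixed members.
SAMPLE_RUNNING_CONFIG = """\
object-group network issue-128
 network-object host 192.0.2.1
 network-object host 2001:db8::1
object-group network bug_test_obj
object-group network LocalNetworks_og
 description constructed sample group
 network-object 10.10.10.0 255.255.252.0
 network-object 2001:db8:1::/64
 network-object object WEB-SRV
 group-object bug_test_obj
"""


def _canon(kind: str, value: str) -> str:
    """Canonical text for a member so want/have compare equal regardless of spelling."""
    if kind == "host":
        return str(ipaddress.ip_address(value))          # 2001:0db8::1 -> 2001:db8::1
    if kind == "ipv6_address":
        return str(ipaddress.ip_network(value, strict=False))
    return value                                          # "A.B.C.D MASK" / object names


def _render(kind: str, value: str) -> str:
    if kind == "host":
        return "network-object host " + value
    if kind == "object":
        return "network-object object " + value
    return "network-object " + value


def parse_network_object_groups(running_config: str) -> Dict[str, Dict[str, List[str]]]:
    """Model every `object-group network` block; an empty group gets empty lists, not a missing key."""
    groups: Dict[str, Dict[str, List[str]]] = {}
    current: Optional[str] = None
    for line in running_config.splitlines():
        words = line.split()
        if line.startswith("object-group network "):
            current = words[2]
            groups[current] = {kind: [] for kind in MEMBER_KINDS}
            groups[current].update({"group_object": [], "description": []})
        elif current and line.startswith(" ") and words:
            if words[0] == "network-object" and words[1] in ("host", "object"):
                groups[current][words[1]].append(_canon(words[1], words[2]))
            elif words[0] == "network-object" and "/" in words[1]:
                groups[current]["ipv6_address"].append(_canon("ipv6_address", words[1]))
            elif words[0] == "network-object":
                groups[current]["address"].append(" ".join(words[1:3]))
            elif words[0] == "group-object":
                groups[current]["group_object"].append(words[1])
            elif words[0] == "description":
                groups[current]["description"].append(" ".join(words[1:]))
        else:
            current = None                                # any other top-level line ends the block
    return groups


def replace_commands(name: str, want: Dict[str, List[str]],
                     have: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Commands that make group `name` contain exactly the members in `want`.
    Returns [] when nothing differs, which is what makes repeated runs idempotent."""
    current = have.get(name, {kind: [] for kind in MEMBER_KINDS})
    cmds: List[str] = []
    for kind in MEMBER_KINDS:
        wanted = [_canon(kind, v) for v in want.get(kind, [])]
        present = current.get(kind, [])
        cmds += ["no " + _render(kind, v) for v in present if v not in wanted]
        cmds += [_render(kind, v) for v in wanted if v not in present]
    return ["object-group network " + name] + cmds if cmds else []


if __name__ == "__main__":
    have = parse_network_object_groups(SAMPLE_RUNNING_CONFIG)
    print(replace_commands("issue-128", {"host": ["192.0.2.1", "2001:0db8::1"]}, have))
    print(replace_commands("bug_test_obj", {"host": ["9.9.9.9"]}, have))
```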
The asa_acls module cannot work with ACEs that use user identity, since the acls dictionary does not contain any parameters pertaining to identity. Additionally, any existing ASA access-list commands containing the "user" or "user-group" keywords are not parsed correctly when gathered.
asa_acls
ansible 2.9.16
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3/dist-packages/ansible
executable location = /usr/bin/ansible
python version = 3.9.1+ (default, Jan 20 2021, 14:49:22) [GCC 10.2.1 20210110]
DEFAULT_HOST_LIST(/etc/ansible/ansible.cfg) = ['/etc/ansible/hosts']
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
PERSISTENT_COMMAND_TIMEOUT(/etc/ansible/ansible.cfg) = 600
Ansible running on Debian testing.
Tested against ASA 5516-X running software 9.8(4)10.
Apply an access-list command to an ASA that uses either the "user" or "user-group" keywords, e.g.:
access-list TEST-ACL extended permit object-group HTTP-HTTPS_sg user-group "DOMAIN\\Domain Users" object-group LocalNetworks_og object-group RFC1918_og
Then attempt to gather the ACL config from the ASA and save as YAML:
---
- name: convert interface to structured data
  connection: network_cli
  hosts: TESTING
  gather_facts: false
  vars:
    ansible_network_os: asa
  tasks:
    - name: Gather facts
      cisco.asa.asa_acls:
        state: gathered
      register: gather
    - name: Create inventory directory
      become: true
      delegate_to: localhost
      file:
        path: "{{ inventory_dir }}/host_vars/{{ inventory_hostname }}"
        state: directory
    - name: Write each resource to a file
      become: true
      delegate_to: localhost
      copy:
        content: "{{ gather['gathered'] | to_nice_yaml }}"
        dest: "{{ inventory_dir }}/host_vars/{{ inventory_hostname }}/acls.yaml"
Generated YAML file describes all aspects of the ACE, including user identity information.
Generated YAML is missing the identity information. Additionally, several non-identity parameters are also missing from the output and the single object-group retrieved from the config has been assigned to an incorrect parameter (presumably as the access-list command has not been parsed correctly).
acls:
- aces:
  - grant: permit
    line: 1
    source:
      object_group: HTTP-HTTPS_sg
  acl_type: extended
  name: TEST-ACL
Errors encountered trying to gather facts with the collection.
cisco.asa.asa_facts
ansible 2.9.5
config file = /home/username/Ansible-CiscoASA/ansible.cfg
configured module search path = ['/home/username/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.6/dist-packages/ansible
executable location = /usr/local/bin/ansible
python version = 3.6.8 (default, Jan 14 2019, 11:02:34) [GCC 8.0.1 20180414 (experimental) [trunk revision 259383]]
COLLECTIONS_PATHS(/home/username/Ansible-CiscoASA/ansible.cfg) = ['/home/username/.ansible/collections']
DEFAULT_HOST_LIST(/home/username/Ansible-CiscoASA/ansible.cfg) = ['/home/username/Ansible-CiscoASA/production']
HOST_KEY_CHECKING(/home/username/Ansible-CiscoASA/ansible.cfg) = False
INTERPRETER_PYTHON(/home/username/Ansible-CiscoASA/ansible.cfg) = /usr/bin/python3
RETRY_FILES_ENABLED(/home/username/Ansible-CiscoASA/ansible.cfg) = False
Ansible host: Ubuntu 18.04.2 LTS
ASA: 9.10(1)30
ansible-playbook test_rule_new.yml -u username --ask-pass --ask-become-pass -vvvv
---
# this builds a sample rule in VRF32 - it looks to see if this EXACT line exists in the ACL list, and creates it if it does not
- hosts: asa
  tasks:
    - name: Gather all legacy facts
      become: yes
      cisco.asa.asa_facts:
        gather_subset:
          - config
Return facts successfully.
(Replaced sensitive values)
ansible-playbook test_rule_new.yml -u username --ask-pass --ask-become-pass -vvvv
ansible-playbook 2.9.5
config file = /home/username/Ansible-CiscoASA/ansible.cfg
configured module search path = ['/home/username/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.6/dist-packages/ansible
executable location = /usr/local/bin/ansible-playbook
python version = 3.6.8 (default, Jan 14 2019, 11:02:34) [GCC 8.0.1 20180414 (experimental) [trunk revision 259383]]
Using /home/username/Ansible-CiscoASA/ansible.cfg as config file
SSH password:
BECOME password[defaults to SSH password]:
setting up inventory plugins
host_list declined parsing /home/username/Ansible-CiscoASA/production as it did not pass its verify_file() method
script declined parsing /home/username/Ansible-CiscoASA/production as it did not pass its verify_file() method
auto declined parsing /home/username/Ansible-CiscoASA/production as it did not pass its verify_file() method
Parsed /home/username/Ansible-CiscoASA/production inventory source with ini plugin
Loading callback plugin default of type stdout, v2.0 from /usr/local/lib/python3.6/dist-packages/ansible/plugins/callback/default.py
PLAYBOOK: test_rule_new.yml *************************************************************************************************************************
Positional arguments: test_rule_new.yml
verbosity: 4
ask_pass: True
remote_user: username
connection: smart
timeout: 10
become_method: sudo
become_ask_pass: True
tags: ('all',)
inventory: ('/home/username/Ansible-CiscoASA/production',)
forks: 5
1 plays in test_rule_new.yml
PLAY [asa] ******************************************************************************************************************************************
TASK [Gathering Facts] ******************************************************************************************************************************
task path: /home/username/Ansible-CiscoASA/test_rule_new.yml:3
<10.10.10.10> attempting to start connection
<10.10.10.10> using connection plugin network_cli
<10.10.10.10> local domain socket does not exist, starting it
<10.10.10.10> control socket path is /home/username/.ansible/pc/357ccb133a
<10.10.10.10> local domain socket listeners started successfully
<10.10.10.10> loaded cliconf plugin asa from path /usr/local/lib/python3.6/dist-packages/ansible/plugins/cliconf/asa.py for network_os asa
<10.10.10.10>
<10.10.10.10> local domain socket path is /home/username/.ansible/pc/357ccb133a
<10.10.10.10> ESTABLISH LOCAL CONNECTION FOR USER: username
<10.10.10.10> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484924.2645752-268035200652713 `" && echo ansible-tmp-1593484924.2645752-268035200652713="` echo /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484924.2645752-268035200652713 `" ) && sleep 0'
Using module file /usr/local/lib/python3.6/dist-packages/ansible/modules/system/setup.py
<10.10.10.10> PUT /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/tmphixothel TO /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484924.2645752-268035200652713/AnsiballZ_setup.py
<10.10.10.10> EXEC /bin/sh -c 'chmod u+x /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484924.2645752-268035200652713/ /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484924.2645752-268035200652713/AnsiballZ_setup.py && sleep 0'
<10.10.10.10> EXEC /bin/sh -c '/usr/bin/python3 /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484924.2645752-268035200652713/AnsiballZ_setup.py && sleep 0'
<10.10.10.10> EXEC /bin/sh -c 'rm -f -r /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484924.2645752-268035200652713/ > /dev/null 2>&1 && sleep 0'
ok: [10.10.10.10]
META: ran handlers
TASK [Gather all legacy facts] **********************************************************************************************************************
task path: /home/username/Ansible-CiscoASA/test_rule_new.yml:5
<10.10.10.10> attempting to start connection
<10.10.10.10> using connection plugin network_cli
<10.10.10.10> found existing local domain socket, using it!
<10.10.10.10> updating play_context for connection
<10.10.10.10> ssh connection done, setting terminal
<10.10.10.10> loaded terminal plugin for network_os asa
<10.10.10.10> Response received, triggered 'persistent_buffer_read_timeout' timer of 0.1 seconds
<10.10.10.10> firing event: on_open_shell()
<10.10.10.10> ssh connection has completed successfully
<10.10.10.10> Response received, triggered 'persistent_buffer_read_timeout' timer of 0.1 seconds
<10.10.10.10> Response received, triggered 'persistent_buffer_read_timeout' timer of 0.1 seconds
<10.10.10.10> authorizing connection
<10.10.10.10>
<10.10.10.10> local domain socket path is /home/username/.ansible/pc/357ccb133a
<10.10.10.10> ESTABLISH LOCAL CONNECTION FOR USER: username
<10.10.10.10> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478 `" && echo ansible-tmp-1593484927.7340422-65588891130478="` echo /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478 `" ) && sleep 0'
Using module file /home/username/.ansible/collections/ansible_collections/cisco/asa/plugins/modules/asa_facts.py
<10.10.10.10> PUT /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/tmp1w7dpkqc TO /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/AnsiballZ_asa_facts.py
<10.10.10.10> EXEC /bin/sh -c 'chmod u+x /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/ /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/AnsiballZ_asa_facts.py && sleep 0'
<10.10.10.10> EXEC /bin/sh -c '/usr/bin/python3 /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/AnsiballZ_asa_facts.py && sleep 0'
<10.10.10.10> EXEC /bin/sh -c 'rm -f -r /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/AnsiballZ_asa_facts.py", line 102, in <module>
    _ansiballz_main()
  File "/home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/AnsiballZ_asa_facts.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/AnsiballZ_asa_facts.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_facts', init_globals=None, run_name='__main__', alter_sys=True)
  File "/usr/lib/python3.6/runpy.py", line 205, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib/python3.6/runpy.py", line 96, in _run_module_code
    mod_name, mod_spec, pkg_name, script_name)
  File "/usr/lib/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_facts.py", line 206, in <module>
  File "/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_facts.py", line 197, in main
  File "/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/facts.py", line 64, in get_facts
  File "/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/ansible/netcommon/plugins/module_utils/network/common/facts/facts.py", line 153, in get_network_legacy_facts
  File "/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/legacy/base.py", line 53, in populate
TypeError: 'NoneType' object is not subscriptable
fatal: [10.10.10.10]: FAILED! => {
    "changed": false,
    "module_stderr": "Traceback (most recent call last):\n File \"/home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/AnsiballZ_asa_facts.py\", line 102, in <module>\n _ansiballz_main()\n File \"/home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/AnsiballZ_asa_facts.py\", line 94, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/AnsiballZ_asa_facts.py\", line 40, in invoke_module\n runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_facts', init_globals=None, run_name='__main__', alter_sys=True)\n File \"/usr/lib/python3.6/runpy.py\", line 205, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File \"/usr/lib/python3.6/runpy.py\", line 96, in _run_module_code\n mod_name, mod_spec, pkg_name, script_name)\n File \"/usr/lib/python3.6/runpy.py\", line 85, in _run_code\n exec(code, run_globals)\n File \"/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_facts.py\", line 206, in <module>\n File \"/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_facts.py\", line 197, in main\n File \"/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/facts.py\", line 64, in get_facts\n File \"/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/ansible/netcommon/plugins/module_utils/network/common/facts/facts.py\", line 153, in get_network_legacy_facts\n File \"/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/legacy/base.py\", line 53, in populate\nTypeError: 'NoneType' object is not subscriptable\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}
PLAY RECAP ******************************************************************************************************************************************
10.10.10.10 : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
If a service-group is used for the destination service, it is not parsed properly.
cisco.asa.asa_acls
❯ ansible --version
ansible 2.9.14.post0
config file = /Users/tim.franson/dev/netops/ansible.cfg
configured module search path = ['/Users/tim.franson/dev/netops/library/modules']
ansible python module location = /Users/tim.franson/dev/ansible/lib/ansible
executable location = /Users/tim.franson/dev/ansible/bin/ansible
python version = 3.8.5 (default, Jul 21 2020, 10:42:08) [Clang 11.0.0 (clang-1100.0.33.17)]
DEFAULT_ACTION_PLUGIN_PATH(/Users/tim.franson/dev/netops/ansible.cfg) = ['/Users/tim.franson/dev/netops/library/plugins/action']
DEFAULT_CALLBACK_WHITELIST(/Users/tim.franson/dev/netops/ansible.cfg) = ['profile_tasks']
DEFAULT_HOST_LIST(/Users/tim.franson/dev/netops/ansible.cfg) = ['/Users/tim.franson/dev/netops/inventory/lab.yaml']
DEFAULT_JINJA2_EXTENSIONS(/Users/tim.franson/dev/netops/ansible.cfg) = jinja2.ext.loopcontrols
DEFAULT_MODULE_PATH(/Users/tim.franson/dev/netops/ansible.cfg) = ['/Users/tim.franson/dev/netops/library/modules']
DEFAULT_MODULE_UTILS_PATH(/Users/tim.franson/dev/netops/ansible.cfg) = ['/Users/tim.franson/dev/netops/library/module_utils']
DEFAULT_ROLES_PATH(/Users/tim.franson/dev/netops/ansible.cfg) = ['/Users/tim.franson/dev/netops/roles']
DEFAULT_STDOUT_CALLBACK(/Users/tim.franson/dev/netops/ansible.cfg) = yaml
DEFAULT_TERMINAL_PLUGIN_PATH(/Users/tim.franson/dev/netops/ansible.cfg) = ['/Users/tim.franson/dev/netops/library/plugins/terminal']
DEFAULT_TIMEOUT(/Users/tim.franson/dev/netops/ansible.cfg) = 30
RETRY_FILES_SAVE_PATH(/Users/tim.franson/dev/netops/ansible.cfg) = /Users/tim.franson/dev/netops/inventory/retry
N/A - referencing local config file
playbook
- name: Configure applications
  hosts: os_cisco_asa
  gather_facts: False
  tasks:
    - name: Parse the commands for provided configuration
      cisco.asa.asa_acls:
        running_config: "{{ lookup('file', '/Users/tim.franson/config_file.txt') }}"
        state: parsed
      register: parsed_acl
    - name: Print
      debug:
        msg: "{{ parsed_acl }}"
config_file.txt
access-list SOME_ACCESS_LIST remark This rule is not parsed properly
access-list SOME_ACCESS_LIST extended permit object-group DESTINATION_SERVICE_GROUP object SOURCE_OBJECT any
A properly generated yaml-ized rule
ok: [myasa] =>
  msg:
    changed: false
    failed: false
    parsed:
      acls:
      - aces:
        - remark: This rule is not parsed properly
        - grant: permit
          source:
            object_group: DESTINATION_SERVICE_GROUP
        acl_type: extended
        name: SOME_ACCESS_LIST
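The two reports above (the user-group ACE that loses its identity, service and destination fields, and the service object-group that ends up as the source) have the same root cause from a parser's point of view: a whitespace split that does not know a quoted token is one field, and a fixed expectation of what sits in the protocol position. The parser below is an added example for this page, not the cisco.asa collection's code. It tokenises a double-quoted user-group name as one field, keeps an object-group found in the protocol position, and also covers remarks, "line N", the usual endpoint forms, port operators, log/inactive and standard ACLs. The sample input reuses the three access-list lines quoted in the issues above; the other two lines are constructed. The `service_object_group` key is this example's own naming: a protocol object-group would land in the same slot, and telling the two apart needs the object-group definitions, which the ACE line alone does not carry.

```python
"""ASA access-list line parser (added example; not the cisco.asa collection's parser).
A double-quoted user-group name is kept as one token, an object-group in the
protocol position is kept as "service_object_group", and every other field on
the line survives into the returned dict."""
import re
from typing import Dict, List, Optional, Tuple

TOKEN_RE = re.compile(r'"[^"]*"|\S+')            # quoted token or bare word
ADDR_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
PORT_OPS = {"eq", "gt", "lt", "neq", "range"}
ENDPOINT_KEYWORDS = {"host": "host", "object": "object",
                     "object-group": "object_group", "interface": "interface"}

def tokenize(line: str) -> List[str]:
    """Split on whitespace but keep a double-quoted token as one element, unquoted."""
    return [t[1:-1] if t.startswith('"') else t for t in TOKEN_RE.findall(line)]

def _endpoint(tokens: List[str], i: int) -> Tuple[Dict, int]:
    """Consume one address specification starting at tokens[i]."""
    t = tokens[i]
    if t in ("any", "any4", "any6"):
        return {"any": t}, i + 1
    if t in ENDPOINT_KEYWORDS:
        return {ENDPOINT_KEYWORDS[t]: tokens[i + 1]}, i + 2
    if ADDR_RE.match(t) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
        return {"address": t, "netmask": tokens[i + 1]}, i + 2
    if "/" in t or ":" in t:                        # IPv6 address or prefix
        return {"address": t}, i + 1
    raise ValueError(f"unrecognised address token {t!r}")

def _port(tokens: List[str], i: int) -> Tuple[Optional[Dict], int]:
    """Consume an optional port operator: eq/gt/lt/neq X or range A B."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        op = tokens[i]
        if op == "range":
            return {"range": {"start": tokens[i + 1], "end": tokens[i + 2]}}, i + 3
        return {op: tokens[i + 1]}, i + 2
    return None, i

def parse_ace(line: str) -> Dict:
    """Parse one 'access-list ...' line into a dict that keeps every field."""
    tokens = tokenize(line.strip())
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    ace: Dict = {"name": tokens[1]}
    i = 2
    if tokens[i] == "line":
        ace["line"], i = int(tokens[i + 1]), i + 2
    ace["acl_type"], i = tokens[i], i + 1
    if ace["acl_type"] == "remark":
        ace["remark"] = " ".join(tokens[i:])
        return ace
    ace["grant"], i = tokens[i], i + 1
    if ace["acl_type"] == "standard":
        # An ASA standard ACL carries one address, matched as the destination.
        ace["destination"], i = _endpoint(tokens, i)
        return ace
    if ace["acl_type"] != "extended":
        raise ValueError(f"unsupported ACL type {ace['acl_type']!r}")
    # Protocol position: a keyword/number, a service object, or an object-group.
    if tokens[i] in ("object-group", "object"):
        ace["service_" + tokens[i].replace("-", "_")], i = tokens[i + 1], i + 2
    else:
        ace["protocol"], i = tokens[i], i + 1
    # Identity-firewall keywords sit between the protocol and the source.
    if tokens[i] in ("user", "user-group"):
        ace[tokens[i].replace("-", "_")], i = tokens[i + 1], i + 2
    ace["source"], i = _endpoint(tokens, i)
    port, i = _port(tokens, i)
    if port:
        ace["source"]["port_protocol"] = port
    ace["destination"], i = _endpoint(tokens, i)
    port, i = _port(tokens, i)
    if port:
        ace["destination"]["port_protocol"] = port
    # Trailing options: log [level] [interval N] and inactive.
    rest = tokens[i:]
    ace["inactive"] = "inactive" in rest
    if "log" in rest:
        opts = rest[rest.index("log") + 1:]
        opts = opts[:opts.index("inactive")] if "inactive" in opts else opts
        ace["log"] = " ".join(opts) or "default"
    return ace

def parse_acls(config: str) -> Dict[str, List[Dict]]:
    """Group parsed ACEs by ACL name, preserving configuration order."""
    acls: Dict[str, List[Dict]] = {}
    for raw in config.splitlines():
        if raw.strip().startswith("access-list "):
            ace = parse_ace(raw)
            acls.setdefault(ace.pop("name"), []).append(ace)
    return acls

# The first three lines are quoted from the issues above; the last two are constructed.
SAMPLE_CONFIG = r"""
access-list TEST-ACL extended permit object-group HTTP-HTTPS_sg user-group "DOMAIN\\Domain Users" object-group LocalNetworks_og object-group RFC1918_og
access-list SOME_ACCESS_LIST remark This rule is not parsed properly
access-list SOME_ACCESS_LIST extended permit object-group DESTINATION_SERVICE_GROUP object SOURCE_OBJECT any
access-list OUT-IN line 1 extended permit tcp 192.0.2.0 255.255.255.0 host 198.51.100.10 range 8001 8002 log
access-list test_temp standard permit host 10.1.1.1
"""
```

Running `parse_acls(SAMPLE_CONFIG)` yields TEST-ACL with `service_object_group`, `user_group`, and both object-group endpoints present, and SOME_ACCESS_LIST with the service group in the protocol slot, `SOURCE_OBJECT` as the source and `any` as the destination. The tokenizer keeps the two backslashes exactly as the device prints them, so the value can be written back unchanged; collapsing them would produce a different group name on the next push.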
Dear maintainers,
This is important for your collections!
In accordance with the Community decision, we have created the news-for-maintainers repository for announcements of changes impacting collection maintainers (see the examples) instead of Issue 45 that will be closed soon.
Please subscribe to the repository by clicking the Watch button in the upper right corner on the repository's home page, and take a look at its Issues.
Also we would like to remind you about the Bullhorn contributor newsletter which has recently started to be released weekly. To learn what it looks like, see the past releases. Please subscribe and talk to the Community via Bullhorn!
Join us in #ansible-social (for news reporting & chat), #ansible-community (for discussing collection & maintainer topics), and other channels on Matrix/IRC.
Help the Community and the Steering Committee to make right decisions by taking part in discussing and voting on the Community Topics that impact the whole project and the collections in particular. Your opinion there will be much appreciated!
Thank you!
Replace state in ASA acls resource module throwing traceback
asa_acls
devel
macos
With pre-existing test_access ACLs
- cisco.asa.asa_acls:
    config:
      - acls:
          - name: test_access
            acl_type: extended
            aces:
              - grant: deny
                line: 1
                protocol: tcp
                protocol_options:
                  tcp: true
                source:
                  address: 192.0.3.0
                  netmask: 255.255.255.0
                destination:
                  address: 192.0.4.0
                  netmask: 255.255.255.0
                  port_protocol:
                    eq: www
                log: default
          - name: test_global_access
            acl_type: extended
            aces:
              - grant: deny
                line: 1
                protocol_options:
                  tcp: true
                source:
                  address: 192.0.1.0
                  netmask: 255.255.255.0
                  port_protocol:
                    eq: telnet
                destination:
                  address: 192.0.2.0
                  netmask: 255.255.255.0
                  port_protocol:
                    eq: www
    state: replaced
Replace state operation should run and config the play as expected
Failing with traceback error
The full traceback is:
Traceback (most recent call last):
  File "/Users/sjaiswal/.ansible/tmp/ansible-local-21754ooD5I5/ansible-tmp-1585746777.99-86419625801332/AnsiballZ_asa_acls.py", line 102, in <module>
    _ansiballz_main()
  File "/Users/sjaiswal/.ansible/tmp/ansible-local-21754ooD5I5/ansible-tmp-1585746777.99-86419625801332/AnsiballZ_asa_acls.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/Users/sjaiswal/.ansible/tmp/ansible-local-21754ooD5I5/ansible-tmp-1585746777.99-86419625801332/AnsiballZ_asa_acls.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_acls', init_globals=None, run_name='__main__', alter_sys=True)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py", line 188, in run_module
    fname, loader, pkg_name)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py", line 82, in _run_module_code
    mod_name, mod_fname, mod_loader, pkg_name)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "/var/folders/n7/73s22vps0ls44ng__t8mwtl40000gn/T/ansible_cisco.asa.asa_acls_payload_eJNJD6/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py", line 1211, in <module>
  File "/var/folders/n7/73s22vps0ls44ng__t8mwtl40000gn/T/ansible_cisco.asa.asa_acls_payload_eJNJD6/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py", line 1206, in main
  File "/var/folders/n7/73s22vps0ls44ng__t8mwtl40000gn/T/ansible_cisco.asa.asa_acls_payload_eJNJD6/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 80, in execute_module
  File "/var/folders/n7/73s22vps0ls44ng__t8mwtl40000gn/T/ansible_cisco.asa.asa_acls_payload_eJNJD6/ansible_cisco.asa.asa_acls_payload.zip/ansible/module_utils/connection.py", line 187, in __rpc__
ansible.module_utils.connection.ConnectionError: e-address log errorso access-list test_access line 2 extended deny icmp 198.51.$
ERROR: access-list <test_access> does not exist
ciscoasa(config)#
The line can also match "error:" when it appears in an access-list remark, for example:
access-list test-acl-001 remark error: this is a error test.
Any other line that includes "error:" will also match it.
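The comment above describes a pattern that fires on the text of a remark the device merely echoes back, which then surfaces as a ConnectionError even though the ASA accepted the command. The snippet below is an added example for this page, not the cisco.asa terminal plugin's code: `LOOSE` is an assumed stand-in for a substring match on "error:" (chosen to reproduce the behaviour described, not copied from the plugin), and `ANCHORED` is the alternative the example proposes, accepting only the device's own error prefixes at the start of a line. Both transcripts are constructed; the remark line and the "ERROR: access-list <test_access> does not exist" line are taken from the issue text above.

```python
"""Why a bare "error:" pattern misfires on an echoed remark (added example; not
the cisco.asa terminal plugin's code). LOOSE is an assumption that stands in for
a substring match; ANCHORED accepts only the ASA's own error prefixes."""
import re
from typing import List, Optional, Pattern

LOOSE = [re.compile(rb"error:", re.I)]
ANCHORED = [
    re.compile(rb"^ERROR: "),                        # the ASA's own error prefix
    re.compile(rb"^% Invalid input detected at"),    # parser rejection
]

# Constructed transcript: the ASA echoes the command, whose remark text contains
# "error:", and then prints its prompt. Nothing failed.
REMARK_ECHO = (b"access-list test-acl-001 remark error: this is a error test.\r\n"
               b"ciscoasa(config)# ")
# Constructed transcript: a command the ASA actually rejected.
REAL_FAILURE = (b"access-list test_access line 2 extended deny icmp 198.51.100.0 255.255.255.0 any\r\n"
                b"ERROR: access-list <test_access> does not exist\r\n"
                b"ciscoasa(config)# ")

def find_error(output: bytes, patterns: List[Pattern[bytes]],
               skip_echo: bool = False) -> Optional[bytes]:
    """Return the first line any pattern flags as a device error, or None.

    skip_echo drops the first line (the command echo) before matching, the
    other way to keep remark text from being mistaken for a device error."""
    lines = output.splitlines()
    if skip_echo:
        lines = lines[1:]
    for line in lines:
        if any(p.search(line) for p in patterns):
            return line
    return None
```

With `LOOSE`, the harmless remark is reported as a failure while the real rejection is also caught; with `ANCHORED`, only the "ERROR: ..." line is reported. Anchoring trades one false positive for a dependency on the device's exact prefixes, so each prefix an ASA is seen to emit has to be added to the list, and the check belongs in a test run against captured transcripts rather than against the device. Skipping the echoed command line is the complementary fix and works with either pattern set.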
When using module cisco.asa.asa_ogs with state:deleted does not delete correct object-group. It deletes object-group used in previous task.
cisco.asa.asa_ogs:
state: deleted
ansible 2.9.13
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/home/kolpakoff/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.5 (default, Apr 2 2020, 13:16:51) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)
DEFAULT_HOST_LIST(/etc/ansible/ansible.cfg) = [u'/home/kolpakoff/ansible/inventory']
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
CentOS Linux release 7.8.2003 (Core)
Tested on ASA software 9.10(1), 9.4(3)
---
- hosts: asa_all
  tasks:
    - name: Creating object-group 'test1'
      cisco.asa.asa_ogs:
        config:
          - object_type: network
            object_groups:
              - name: "test1"
                description: "test1 hosts"
                network_object:
                  host:
                    - 192.168.21.1
                    - 192.168.21.2
        state: replaced
    - name: Remove old groups
      cisco.asa.asa_ogs:
        config:
          - object_type: network
            object_groups:
              - name: "old_test"
        state: deleted
Created object-group "test1"
Removed object-group "old_test"
Object-group "test1" created and then removed.
TASK [Creating object-group 'test1'] ****************************************************************************
changed: [w220] => {
    "after": [
        {
            "object_groups": [
                {
                    "description": "test1 hosts",
                    "name": "test1",
                    "network_object": {
                        "host": [
                            "192.168.21.1",
                            "192.168.21.2"
                        ]
                    }
                }
            ],
            "object_type": "network"
        }
    ],
    "before": {},
    "changed": true,
    "commands": [
        "object-group network test1",
        "description test1 hosts",
        "network-object host 192.168.21.1",
        "network-object host 192.168.21.2"
    ],
    "invocation": {
        "module_args": {
            "config": [
                {
                    "object_groups": [
                        {
                            "description": "test1 hosts",
                            "icmp_type": null,
                            "name": "test1",
                            "network_object": {
                                "address": null,
                                "host": [
                                    "192.168.21.1",
                                    "192.168.21.2"
                                ],
                                "ipv6_address": null
                            },
                            "protocol_object": null,
                            "security_group": null,
                            "service_object": null,
                            "user_object": null
                        }
                    ],
                    "object_type": "network"
                }
            ],
            "running_config": null,
            "state": "replaced"
        }
    }
}
TASK [Remove old groups] ****************************************************************************************
changed: [w220] => {
    "after": [
        {
            "object_groups": [
                {
                    "description": "test1 hosts",
                    "name": "test1",
                    "network_object": {
                        "host": [
                            "192.168.21.1",
                            "192.168.21.2"
                        ]
                    }
                }
            ],
            "object_type": "network"
        }
    ],
    "before": [
        {
            "object_groups": [
                {
                    "description": "test1 hosts",
                    "name": "test1",
                    "network_object": {
                        "host": [
                            "192.168.21.1",
                            "192.168.21.2"
                        ]
                    }
                }
            ],
            "object_type": "network"
        }
    ],
    "changed": true,
    "commands": [
        "no object-group network test1"
    ],
    "invocation": {
        "module_args": {
            "config": [
                {
                    "object_groups": [
                        {
                            "description": null,
                            "icmp_type": null,
                            "name": "old_test",
                            "network_object": null,
                            "protocol_object": null,
                            "security_group": null,
                            "service_object": null,
                            "user_object": null
                        }
                    ],
                    "object_type": "network"
                }
            ],
            "running_config": null,
            "state": "deleted"
        }
    }
}
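The task output above is the kind of result a destructive state should never be allowed to push unreviewed: the task named `old_test`, the rendered `commands` removed `test1`. The check below is an added example for this page, not collection code. It takes the module's returned `commands` together with the object-group names the task intended and lists every object-group those commands would enter or remove that is outside that set. The assumed workflow is to run the `state: deleted` task with `check_mode: true` so the commands are rendered without being sent, register the result, and fail the play when this returns anything; that the module honours check_mode and still returns `commands` in that mode is an assumption. The sample data is the `commands` list and the intended name from the "Remove old groups" task above.

```python
"""Guard for a destructive asa_ogs run (added example; not collection code).
Compares the object-groups a rendered command list touches against the names
the task intended, so a wrong target is caught before anything is pushed."""
import re
from typing import Dict, Iterable, List, Set

# "object-group <type> <name>" or "no object-group <type> <name>" at line start;
# body lines such as "network-object host ..." do not match and are ignored.
OG_TARGET_RE = re.compile(r"^(?:no\s+)?object-group\s+(?P<type>\S+)\s+(?P<name>\S+)")

def object_groups_touched(commands: Iterable[str]) -> Dict[str, Set[str]]:
    """Map object-group type -> names that the commands enter or remove."""
    touched: Dict[str, Set[str]] = {}
    for cmd in commands:
        m = OG_TARGET_RE.match(cmd.strip())
        if m:
            touched.setdefault(m["type"], set()).add(m["name"])
    return touched

def unexpected_targets(commands: Iterable[str],
                       intended: Dict[str, Iterable[str]]) -> List[str]:
    """Return "type/name" for each group the commands touch that `intended`
    (type -> names) does not list. An empty list means the plan is as intended."""
    allowed = {og_type: set(names) for og_type, names in intended.items()}
    unexpected: List[str] = []
    for og_type, names in object_groups_touched(commands).items():
        unexpected.extend(f"{og_type}/{n}"
                          for n in sorted(names - allowed.get(og_type, set())))
    return unexpected

# Taken from the "Remove old groups" task output quoted above.
COMMANDS_FROM_TASK = ["no object-group network test1"]
INTENDED_DELETIONS = {"network": ["old_test"]}
```

For the data above, `unexpected_targets(COMMANDS_FROM_TASK, INTENDED_DELETIONS)` returns `["network/test1"]`, which is exactly the surprise the reporter saw on the device. Wrapped as a filter plugin, the same function sits in an `assert` task between the check-mode run and the real one; the intended names come from the same variable that feeds the module's `config`, so the two cannot drift apart.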
support for multiple context
This would be presented as a parameter in each module, same as asa_config
Right now if the ASA is running in multiple context mode, these modules are only usable on the context that you see when you first log in which is normally "admin" context and you're not able to change context. The idea is to be able to change context and manipulate ACLs or Object Groups:
cisco.asa.asa_acls:
  state: gathered
  context: ansible
Fix proposed in PR #71
TypeError: argument of type 'NoneType' is not iterable in service-group when service-object not existing in ASA V. 9.6(3)17
asa_og
ansible 2.9.7
config file = None
configured module search path = ['/Users/federicoolivieri/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/ansible
executable location = /Library/Frameworks/Python.framework/Versions/3.6/bin/ansible
python version = 3.6.8 (v3.6.8:3c6b436a57, Dec 24 2018, 02:04:31) [GCC 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.57)]
- name: CONFIG | OG | update SERVICE object-group ASA Version 8 or below.
  asa_og:
    name: "{{ item.name }}"
    group_type: service-object
    state: present
    description: "{{ item.description }}"
    service_cfg: "{{ item.service_cfg | regex_replace('destination ') }}"
  notify: save config
  loop: "{{ service_object }}"
  when: "(item.service_cfg is defined) and ('8' in asa_version.split('.')[0] and '7' in asa_version.split('.')[0])"
Object group to be configured on ASA
{
    "module_stdout": "",
    "module_stderr": "Traceback (most recent call last):\n File \"/var/lib/awx/.ansible/tmp/ansible-local-7917vsjauk24/ansible-tmp-1599135052.5277274-179017891288941/AnsiballZ_asa_og.py\", line 102, in <module>\n _ansiballz_main()\n File \"/var/lib/awx/.ansible/tmp/ansible-local-7917vsjauk24/ansible-tmp-1599135052.5277274-179017891288941/AnsiballZ_asa_og.py\", line 94, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/var/lib/awx/.ansible/tmp/ansible-local-7917vsjauk24/ansible-tmp-1599135052.5277274-179017891288941/AnsiballZ_asa_og.py\", line 40, in invoke_module\n runpy.run_module(mod_name='ansible.modules.network.asa.asa_og', init_globals=None, run_name='__main__', alter_sys=True)\n File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n mod_name, mod_spec, pkg_name, script_name)\n File \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n exec(code, run_globals)\n File \"/tmp/ansible_asa_og_payload_qfhj60mq/ansible_asa_og_payload.zip/ansible/modules/network/asa/asa_og.py\", line 801, in <module>\n File \"/tmp/ansible_asa_og_payload_qfhj60mq/ansible_asa_og_payload.zip/ansible/modules/network/asa/asa_og.py\", line 788, in main\n File \"/tmp/ansible_asa_og_payload_qfhj60mq/ansible_asa_og_payload.zip/ansible/modules/network/asa/asa_og.py\", line 735, in map_obj_to_commands\n File \"/tmp/ansible_asa_og_payload_qfhj60mq/ansible_asa_og_payload.zip/ansible/modules/network/asa/asa_og.py\", line 602, in present\nTypeError: argument of type 'NoneType' is not iterable\n",
    "exception": "Traceback (most recent call last):\n File \"/var/lib/awx/.ansible/tmp/ansible-local-7917vsjauk24/ansible-tmp-1599135052.5277274-179017891288941/AnsiballZ_asa_og.py\", line 102, in <module>\n _ansiballz_main()\n File \"/var/lib/awx/.ansible/tmp/ansible-local-7917vsjauk24/ansible-tmp-1599135052.5277274-179017891288941/AnsiballZ_asa_og.py\", line 94, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/var/lib/awx/.ansible/tmp/ansible-local-7917vsjauk24/ansible-tmp-1599135052.5277274-179017891288941/AnsiballZ_asa_og.py\", line 40, in invoke_module\n runpy.run_module(mod_name='ansible.modules.network.asa.asa_og', init_globals=None, run_name='__main__', alter_sys=True)\n File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n mod_name, mod_spec, pkg_name, script_name)\n File \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n exec(code, run_globals)\n File \"/tmp/ansible_asa_og_payload_qfhj60mq/ansible_asa_og_payload.zip/ansible/modules/network/asa/asa_og.py\", line 801, in <module>\n File \"/tmp/ansible_asa_og_payload_qfhj60mq/ansible_asa_og_payload.zip/ansible/modules/network/asa/asa_og.py\", line 788, in main\n File \"/tmp/ansible_asa_og_payload_qfhj60mq/ansible_asa_og_payload.zip/ansible/modules/network/asa/asa_og.py\", line 735, in map_obj_to_commands\n File \"/tmp/ansible_asa_og_payload_qfhj60mq/ansible_asa_og_payload.zip/ansible/modules/network/asa/asa_og.py\", line 602, in present\nTypeError: argument of type 'NoneType' is not iterable\n",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1,
    "_ansible_no_log": false,
    "changed": false,
    "item": {
        "name": "ftp_svc",
        "description": "GNS-39102 - Infosec Security Tools",
        "service_cfg": [
            "tcp destination eq ftp",
            "tcp destination eq ftp-data"
        ]
    },
    "ansible_loop_var": "item",
    "_ansible_item_label": {
        "name": "ftp_svc",
        "description": "GNS-39102 - Infosec Security Tools",
        "service_cfg": [
            "tcp destination eq ftp",
            "tcp destination eq ftp-data"
        ]
    }
}
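The traceback above ends in "argument of type 'NoneType' is not iterable" inside `present()`: a membership test ran against a group whose service entries were absent, which is exactly the state of a service object-group that exists on the ASA with no `service-object` lines yet. The code below is an added example for this page, not asa_og's code. It reads one service object-group out of running-config text, returning `None` for a missing group and an empty list for a group with no entries, and then renders the commands that merge the desired entries in, tolerating `None` in either place. The running config is constructed; the `ftp_svc` name, description and desired entries are the ones from the failed item above. Entries are stored as whatever follows `service-object` on the device, so a 9.x group keeps the word `destination` while an 8.x group would not, mirroring the `regex_replace` in the task.

```python
"""None-safe reconciliation of an ASA service object-group (added example; not
asa_og's code). A missing group and a group with no service-object lines both
become an empty list before anything is compared."""
from typing import Dict, List, Optional

# Constructed running-config excerpt. ftp_svc exists but has no entries yet.
RUNNING_CONFIG = """\
object-group service web_svc
 description Web front ends
 service-object tcp destination eq www
object-group service ftp_svc
 description GNS-39102 - Infosec Security Tools
object-group network hosts_og
 network-object host 192.0.2.10
"""

def parse_service_group(running_config: str, name: str) -> Optional[Dict]:
    """Extract one service object-group from running-config text.

    Returns None when the group does not exist. A group that exists but has no
    service-object lines comes back with service_cfg == [] rather than None."""
    group = None
    for raw in running_config.splitlines():
        if not raw.startswith(" "):                     # a top-level line
            if group is not None:
                break                                   # left the group's block
            parts = raw.split()
            if parts[:2] == ["object-group", "service"] and parts[2:3] == [name]:
                group = {"name": name, "description": None, "service_cfg": []}
            continue
        if group is None:
            continue
        body = raw.strip()
        if body.startswith("description "):
            group["description"] = body[len("description "):]
        elif body.startswith("service-object "):
            group["service_cfg"].append(body[len("service-object "):])
    return group

def service_group_commands(name: str, desired: List[str], existing: Optional[Dict],
                           description: Optional[str] = None) -> List[str]:
    """Commands that make object-group `name` contain every entry in `desired`
    (merge semantics, like state=present): existing entries stay, missing ones
    are added, nothing is removed. Returns [] when nothing needs to change."""
    group = existing or {}
    current = group.get("service_cfg") or []            # None -> [] is the fix
    missing = [d.strip() for d in desired if d.strip() not in current]
    need_desc = description is not None and group.get("description") != description
    if not missing and not need_desc:
        return []
    cmds = [f"object-group service {name}"]
    if need_desc:
        cmds.append(f"description {description}")
    cmds.extend(f"service-object {entry}" for entry in missing)
    return cmds

# Desired state taken from the failed loop item above.
DESIRED_FTP = ["tcp destination eq ftp", "tcp destination eq ftp-data"]
FTP_DESC = "GNS-39102 - Infosec Security Tools"
```

`service_group_commands("ftp_svc", DESIRED_FTP, parse_service_group(RUNNING_CONFIG, "ftp_svc"), FTP_DESC)` returns the group header followed by the two `service-object` lines and no `description`, since the description already matches; the same call with `service_cfg: None` in the existing dict gives the same result instead of a traceback, and a fully converged group returns an empty list so the task reports no change.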
It would be nice if asa_config module had save_when functionality present in ios_config module.
https://docs.ansible.com/ansible/latest/modules/ios_config_module.html#parameter-save_when
I would like to be able to save config only if it has been modified.
asa_config
It would work exactly like it works on ios_config, including the diff_ignore_lines
tasks:
  - name: Save config to flash if it has been modified.
    ios_config:
      diff_against: startup
      diff_ignore_lines:
        - '[a-zA-Z0-9]{8}\s[a-zA-Z0-9]{8}\s.*'
        - 'certificate self-signed 01'
        - 'quit'
      save_when: modified
The description for the passwords parameter is incorrect. It was copy/pasted directly from the context parameter.
doc_fragments/asa.py
(venv) ➜ venv ansible --version
ansible 2.10.7
config file = None
configured module search path = ['/Users/matt/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /Users/matt/environments/venv/lib/python3.9/site-packages/ansible
executable location = /Users/matt/environments/venv/bin/ansible
python version = 3.9.6 (default, Jun 29 2021, 05:25:02) [Clang 12.0.5 (clang-1205.0.22.9)]
cisco.asa.asa_acls
ansible 2.9.15
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.6/site-packages/ansible
executable location = /usr/bin/ansible
python version = 3.6.8 (default, Aug 18 2020, 08:33:21) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
{
    "collection_info": {
        "namespace": "cisco",
        "name": "asa",
        "version": "1.0.3",
        "authors": [
            "Ansible Security Community (ansible-security)"
        ],
        "readme": "README.md",
        "tags": [
            "cisco",
            "asa",
            "networking",
            "security"
        ],
        "description": "Ansible Security Collection for Cisco ASA devices.",
        "license": [],
        "license_file": "LICENSE",
        "dependencies": {
            "ansible.netcommon": "*"
        },
        "repository": "https://github.com/ansible-collections/cisco.asa",
        "documentation": null,
        "homepage": null,
        "issues": null
    },
    "file_manifest_file": {
        "name": "FILES.json",
        "ftype": "file",
        "chksum_type": "sha256",
        "chksum_sha256": "a6419bbb09c3eae9741a5fab9efe4b35c43990b1d5b327b872509cbb1ab35b68",
        "format": 1
    },
    "format": 1
}
DEFAULT_HOST_LIST(/etc/ansible/ansible.cfg) = ['/etc/ansible/inventory']
DEFAULT_ROLES_PATH(/etc/ansible/ansible.cfg) = ['/etc/ansible/roles']
DEFAULT_STDOUT_CALLBACK(/etc/ansible/ansible.cfg) = yaml
DEFAULT_TERMINAL_PLUGIN_PATH(/etc/ansible/ansible.cfg) = ['/usr/share/ansible/plugins/terminal', '/etc/ansible/plugins/terminal']
DISPLAY_SKIPPED_HOSTS(/etc/ansible/ansible.cfg) = False
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
Red Hat Enterprise Linux release 8.2 (Ootpa)
Cisco ASA 5525X running ASA code 9.4(4)37
This is an attempt to add a new standard ACL to a Cisco ASA 5525X
# Configure Test ACL
- name: test acl
  cisco.asa.asa_acls:
    config:
      - acls:
          - name: test_temp
            acl_type: standard
            aces:
              - grant: permit
                source:
                  host: 10.1.1.1
                line: 1
    state: merged
The documentation isn't clear as to whether a standard ACL should be done with source or destination host/prefix and I have tried both with the same results when attempting to generate a standard acl
# Configure Test ACL
- name: test acl
  cisco.asa.asa_acls:
    config:
      - acls:
          - name: test_temp
            acl_type: standard
            aces:
              - grant: permit
                destination:
                  host: 10.1.1.1
                line: 1
    state: merged
This should generate a new access-list formatted as:
access-list test_temp standard permit host 10.1.1.1
Got a traceback error for acl configuration
ansible-playbook 2.9.15
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.6/site-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 3.6.8 (default, Aug 18 2020, 08:33:21) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /etc/ansible/inventory/bes as it did not pass its verify_file() method
script declined parsing /etc/ansible/inventory/bes as it did not pass its verify_file() method
auto declined parsing /etc/ansible/inventory/bes as it did not pass its verify_file() method
Parsed /etc/ansible/inventory/bes inventory source with ini plugin
setting up inventory plugins
host_list declined parsing /etc/ansible/inventory/firewalls as it did not pass its verify_file() method
script declined parsing /etc/ansible/inventory/firewalls as it did not pass its verify_file() method
auto declined parsing /etc/ansible/inventory/firewalls as it did not pass its verify_file() method
Parsed /etc/ansible/inventory/firewalls inventory source with ini plugin
setting up inventory plugins
host_list declined parsing /etc/ansible/inventory/routers as it did not pass its verify_file() method
script declined parsing /etc/ansible/inventory/routers as it did not pass its verify_file() method
auto declined parsing /etc/ansible/inventory/routers as it did not pass its verify_file() method
Parsed /etc/ansible/inventory/routers inventory source with ini plugin
Trying secret FileVaultSecret(filename='/home/user/.ansible/.vault-pass.user') for vault_id=user
Read vars_file '{{ lookup('ansible.builtin.env', 'HOME') }}/.ansible/myvault.yml'
Trying secret FileVaultSecret(filename='/home/user/.ansible/.vault-pass.user') for vault_id=user
Tried to use the vault secret (user) to decrypt (/etc/ansible/roles/vpn_anyconnect/vars/main/vpn_vault.yml) but it failed. Error: HMAC verification failed: Signature did not match digest.
Trying secret FileVaultSecret(filename='/home/user/.ansible/.vault-pass.vpn') for vault_id=vpn
Read vars_file '{{ lookup('ansible.builtin.env', 'HOME') }}/.ansible/myvault.yml'
statically imported: /etc/ansible/roles/vpn_anyconnect/tasks/anyconnect_image.yml
Loading callback plugin yaml of type stdout, v2.0 from /usr/lib/python3.6/site-packages/ansible/plugins/callback/yaml.py
PLAYBOOK: vpn.yml ***************************************************************************************************************************************************************************************************************************************
Positional arguments: /etc/ansible/playbooks/cisco/vpn.yml
verbosity: 4
connection: smart
timeout: 10
become_method: sudo
tags: ('all',)
inventory: ('/etc/ansible/inventory',)
subset: fw-test
vault_ids: ('user@~/.ansible/.vault-pass.user', 'vpn@~/.ansible/.vault-pass.vpn')
forks: 5
1 plays in /etc/ansible/playbooks/cisco/vpn.yml
Read vars_file '{{ lookup('ansible.builtin.env', 'HOME') }}/.ansible/myvault.yml'
Read vars_file '{{ lookup('ansible.builtin.env', 'HOME') }}/.ansible/myvault.yml'
Read vars_file '{{ lookup('ansible.builtin.env', 'HOME') }}/.ansible/myvault.yml'
PLAY [Configure Test firewall] ***********************************************************************************************************************************************************************************************************************
Read vars_file '{{ lookup('ansible.builtin.env', 'HOME') }}/.ansible/myvault.yml'
<fw-test> attempting to start connection
<fw-test> using connection plugin ansible.netcommon.network_cli
<fw-test> local domain socket does not exist, starting it
<fw-test> control socket path is /home/user/.ansible/pc/dca9d2a8b8
<fw-test> local domain socket listeners started successfully
<fw-test> loaded cliconf plugin ansible_collections.cisco.asa.plugins.cliconf.asa from path /usr/share/ansible/collections/ansible_collections/cisco/asa/plugins/cliconf/asa.py for network_os cisco.asa.asa
<fw-test>
<fw-test> local domain socket path is /home/user/.ansible/pc/dca9d2a8b8
[WARNING]: Ignoring timeout(10) for cisco.asa.asa_facts
<fw-test> ESTABLISH LOCAL CONNECTION FOR USER: user
<fw-test> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z `"&& mkdir "` echo /home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644961.43957-1819730-200278910582161 `" && echo ansible-tmp-1605644961.43957-1819730-200278910582161="` echo /home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644961.43957-1819730-200278910582161 `" ) && sleep 0'
<fw-test> Attempting python interpreter discovery
<fw-test> EXEC /bin/sh -c 'echo PLATFORM; uname; echo FOUND; command -v '"'"'/usr/bin/python'"'"'; command -v '"'"'python3.7'"'"'; command -v '"'"'python3.6'"'"'; command -v '"'"'python3.5'"'"'; command -v '"'"'python2.7'"'"'; command -v '"'"'python2.6'"'"'; command -v '"'"'/usr/libexec/platform-python'"'"'; command -v '"'"'/usr/bin/python3'"'"'; command -v '"'"'python'"'"'; echo ENDFOUND && sleep 0'
<fw-test> EXEC /bin/sh -c '/usr/bin/python3.6 && sleep 0'
Using module file /usr/share/ansible/collections/ansible_collections/cisco/asa/plugins/modules/asa_facts.py
<fw-test> PUT /home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/tmpg6g55mza TO /home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644961.43957-1819730-200278910582161/AnsiballZ_asa_facts.py
<fw-test> EXEC /bin/sh -c 'chmod u+x /home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644961.43957-1819730-200278910582161/ /home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644961.43957-1819730-200278910582161/AnsiballZ_asa_facts.py && sleep 0'
<fw-test> EXEC /bin/sh -c '/usr/libexec/platform-python /home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644961.43957-1819730-200278910582161/AnsiballZ_asa_facts.py && sleep 0'
<fw-test> EXEC /bin/sh -c 'rm -f -r /home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644961.43957-1819730-200278910582161/ > /dev/null 2>&1 && sleep 0'
TASK [Gathering Facts] **********************************************************************************************************************************************************************************************************************************
task path: /etc/ansible/playbooks/cisco/vpn.yml:2
ok: [fw-test]
META: ran handlers
Read vars_file '{{ lookup('ansible.builtin.env', 'HOME') }}/.ansible/myvault.yml'
<fw-test> attempting to start connection
<fw-test> using connection plugin ansible.netcommon.network_cli
<fw-test> found existing local domain socket, using it!
<fw-test> invoked shell using ssh_type: paramiko
<fw-test> ssh type is set to paramiko
<fw-test> ssh connection done, setting terminal
<fw-test> loaded terminal plugin for network_os cisco.asa.asa
<fw-test> Response received, triggered 'persistent_buffer_read_timeout' timer of 0.1 seconds
<fw-test> firing event: on_become
<fw-test> firing event: on_open_shell()
<fw-test> Response received, triggered 'persistent_buffer_read_timeout' timer of 0.1 seconds
<fw-test> ssh connection has completed successfully
<fw-test> Response received, triggered 'persistent_buffer_read_timeout' timer of 0.1 seconds
<fw-test> Response received, triggered 'persistent_buffer_read_timeout' timer of 0.1 seconds
<fw-test> Response received, triggered 'persistent_buffer_read_timeout' timer of 0.1 seconds
<fw-test> Response received, triggered 'persistent_buffer_read_timeout' timer of 0.1 seconds
<fw-test> Response received, triggered 'persistent_buffer_read_timeout' timer of 0.1 seconds
<fw-test> updating play_context for connection
<fw-test>
<fw-test> local domain socket path is /home/user/.ansible/pc/dca9d2a8b8
<fw-test> ESTABLISH LOCAL CONNECTION FOR USER: user
<fw-test> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z `"&& mkdir "` echo /home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644964.7193863-1819769-138475429746276 `" && echo ansible-tmp-1605644964.7193863-1819769-138475429746276="` echo /home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644964.7193863-1819769-138475429746276 `" ) && sleep 0'
Using module file /usr/share/ansible/collections/ansible_collections/cisco/asa/plugins/modules/asa_acls.py
<fw-test> PUT /home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/tmp99tka15l TO /home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644964.7193863-1819769-138475429746276/AnsiballZ_asa_acls.py
<fw-test> EXEC /bin/sh -c 'chmod u+x /home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644964.7193863-1819769-138475429746276/ /home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644964.7193863-1819769-138475429746276/AnsiballZ_asa_acls.py && sleep 0'
<fw-test> EXEC /bin/sh -c '/usr/libexec/platform-python /home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644964.7193863-1819769-138475429746276/AnsiballZ_asa_acls.py && sleep 0'
<fw-test> EXEC /bin/sh -c 'rm -f -r /home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644964.7193863-1819769-138475429746276/ > /dev/null 2>&1 && sleep 0'
TASK [vpn_anyconnect : Configure split tunnel ACLs] *****************************************************************************************************************************************************************************************************
task path: /etc/ansible/roles/vpn_anyconnect/tasks/main.yml:13
The full traceback is:
Traceback (most recent call last):
File "/home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644964.7193863-1819769-138475429746276/AnsiballZ_asa_acls.py", line 102, in <module>
_ansiballz_main()
File "/home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644964.7193863-1819769-138475429746276/AnsiballZ_asa_acls.py", line 94, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644964.7193863-1819769-138475429746276/AnsiballZ_asa_acls.py", line 40, in invoke_module
runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_acls', init_globals=None, run_name='__main__', alter_sys=True)
File "/usr/lib64/python3.6/runpy.py", line 205, in run_module
return _run_module_code(code, init_globals, run_name, mod_spec)
File "/usr/lib64/python3.6/runpy.py", line 96, in _run_module_code
mod_name, mod_spec, pkg_name, script_name)
File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
exec(code, run_globals)
File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py", line 1238, in <module>
File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py", line 1233, in main
File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 77, in execute_module
File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 121, in set_config
File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 150, in set_state
File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 390, in _state_merged
TypeError: 'NoneType' object is not iterable
fatal: [fw-test]: FAILED! => changed=false
module_stderr: |-
Traceback (most recent call last):
File "/home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644964.7193863-1819769-138475429746276/AnsiballZ_asa_acls.py", line 102, in <module>
_ansiballz_main()
File "/home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644964.7193863-1819769-138475429746276/AnsiballZ_asa_acls.py", line 94, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644964.7193863-1819769-138475429746276/AnsiballZ_asa_acls.py", line 40, in invoke_module
runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_acls', init_globals=None, run_name='__main__', alter_sys=True)
File "/usr/lib64/python3.6/runpy.py", line 205, in run_module
return _run_module_code(code, init_globals, run_name, mod_spec)
File "/usr/lib64/python3.6/runpy.py", line 96, in _run_module_code
mod_name, mod_spec, pkg_name, script_name)
File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
exec(code, run_globals)
File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py", line 1238, in <module>
File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py", line 1233, in main
File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 77, in execute_module
File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 121, in set_config
File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 150, in set_state
File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 390, in _state_merged
TypeError: 'NoneType' object is not iterable
module_stdout: ''
msg: |-
MODULE FAILURE
See stdout/stderr for the exact error
rc: 1
PLAY RECAP **********************************************************************************************************************************************************************************************************************************************
fw-test : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
When we try to gather object groups from the device using the cisco.asa.asa_facts module, it fails with the error below. We observed that on the ASA device, group_objects are referenced under some object groups, and the error is stating the same.
"msg": "Unsupported parameters for (basic.py) module: group_object found in config -> object_groups. Supported parameters include: description, icmp_type, name, network_object, protocol_object, security_group, service_object, user_object",
cisco.asa.asa_facts:
  gather_network_resources: ogs
ansible 2.9.10
ASA 9.4
cisco.asa.asa_facts:
  gather_network_resources: ogs
register: object
On the ASA device, configure an object group with group_objects,
e.g.
#group_object ICMP_UNREACHABLE
We are expecting all the object group pulled from the device.
{
"msg": "Unsupported parameters for (basic.py) module: group_object found in config -> object_groups. Supported parameters include: description, icmp_type, name, network_object, protocol_object, security_group, service_object, user_object",
"invocation": {
"module_args": {
"config": [
{
"object_type": "icmp-type",
"object_groups": [
{
"name": "ICMP",
"group_object": "ICMP_UNREACHABLE",
"icmp_type": {}
},
{
"name": "ICMP_PING",
"icmp_type": {
"icmp_object": [
"echo",
"echo-reply"
]
}
},
{
"name": "ICMP_TRACEROUTE",
"icmp_type": {
"icmp_object": [
"time-exceeded",
"traceroute"
]
}
},
{
"name": "ICMP_UNREACHABLE",
"icmp_type": {
"icmp_object": [
"unreachable"
]
}
}
]
},
{
"object_type": "network",
"object_groups": [
{
"name": "GRP",
"network_object": {}
},
{
"name": "OBJECTGROUPNAME",
"description": "PAYROLL \"CUSTOMER\"",
"network_object": {
"host": [
"192.168.0.200"
]
}
},
{
"name": "Object_group_name",
"description": "PAYROLL \"Customer\"",
"network_object": {
"host": [
"192.168.0.200"
]
}
},
{
"name": "test_vip_create2",
"network_object": {
"host": [
"212.68.10.82"
]
}
}
]
}
],
"state": "merged",
"running_config": null
}
},
"_ansible_no_log": false,
"changed": false,
"_ansible_delegated_vars": {
"ansible_host": "172.27.192.40",
"ansible_port": null,
"ansible_user": null
}
}
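The facts failure above is triggered by group-object nesting, which the module's argument spec did not accept. As an added example that is not the cisco.asa facts parser, the following reads a `show running-config object-group` listing, keeps `group-object` references as a `group_object` list, and flattens a group to its leaf members so an operator can see what a nested group actually covers. The sample config is constructed from the object-groups shown on this page (the icmp-type groups from the error above and the two network groups from the later deleted-state report); the key names mirror the module arguments the page shows, while the flattened view and the cycle check are this example's own additions.

```python
"""Parser for 'show running-config object-group' output that understands
group-object nesting, plus a flattener that resolves nested groups to their
leaf members (added example; this is not the cisco.asa facts parser).

The sample config is constructed from object-groups shown on this page: the
icmp-type groups from the asa_facts error above and the two network groups
from the later deleted-state report. Output keys follow the module argument
names the page shows (name, object_type, description, network_object,
group_object, icmp_type); the flattened view is this example's own addition.
"""
from typing import Dict, List, Tuple

SAMPLE_OG_CONFIG = """\
object-group icmp-type ICMP_UNREACHABLE
 icmp-object unreachable
object-group icmp-type ICMP
 group-object ICMP_UNREACHABLE
object-group network test_og_network
 description test_og_network
 network-object host 192.0.2.1
 network-object host 192.0.2.2
 network-object 192.0.2.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0
object-group network test_network_og
 description test network og
 network-object host 192.0.3.1
 network-object host 192.0.3.2
 group-object test_og_network
"""


def parse_object_groups(config: str) -> Dict[str, dict]:
    """Return {name: group_dict} for every object-group block in `config`."""
    groups: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            # Top level: only 'object-group <type> <name> [...]' opens a block
            # (a trailing protocol qualifier on service groups is ignored here).
            parts = raw.split()
            if len(parts) >= 3 and parts[0] == "object-group":
                current = {"name": parts[2], "object_type": parts[1]}
                groups[parts[2]] = current
            else:
                current = None
            continue
        if current is None:
            continue
        words = raw.split()
        key = words[0]
        if key == "description":
            current["description"] = raw.strip()[len("description "):]
        elif key == "group-object":
            current.setdefault("group_object", []).append(words[1])
        elif key == "network-object":
            net = current.setdefault("network_object", {})
            if words[1] in ("host", "object"):
                net.setdefault(words[1], []).append(words[2])
            else:  # 'network-object <address> <netmask>'
                net.setdefault("address", []).append(" ".join(words[1:]))
        elif key == "icmp-object":
            current.setdefault("icmp_type", {}).setdefault("icmp_object", []).append(words[1])
        else:
            # Keep anything this example does not model instead of dropping it.
            current.setdefault("unparsed", []).append(raw.strip())
    return groups


def leaf_members(groups: Dict[str, dict], name: str, path: Tuple[str, ...] = ()) -> List[str]:
    """Flatten `name` to its leaf members, following group-object references.

    A reference cycle or a reference to an undefined group raises instead of
    recursing forever or silently yielding a partial result.
    """
    if name in path:
        raise ValueError("object-group reference cycle: " + " -> ".join(path + (name,)))
    if name not in groups:
        raise KeyError(f"object-group {name} is referenced but not defined")
    g = groups[name]
    net = g.get("network_object", {})
    members = [f"host {h}" for h in net.get("host", [])]
    members += net.get("address", [])
    members += g.get("icmp_type", {}).get("icmp_object", [])
    for child in g.get("group_object", []):
        members += leaf_members(groups, child, path + (name,))
    return members


if __name__ == "__main__":
    ogs = parse_object_groups(SAMPLE_OG_CONFIG)
    for og_name in ogs:
        print(og_name, "->", leaf_members(ogs, og_name))
```

Lines the parser does not model are kept under an `unparsed` key rather than discarded, so a review of the result shows what was skipped; the path-based cycle check allows the same child group to be referenced from two siblings (a diamond) while still rejecting a true loop.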
From @reuben3010 on Jul 13, 2020 00:10
I am running a project of upgrading multiple Cisco 5506X firewalls, and my challenge is that I have some firewalls that have a primary and a secondary boot system configured and some firewalls that have only one boot system configured. Given this issue, how do I build the logic that uses Ansible to remove the boot variable and update them with the new software and not get errors? I have written the code for this but I keep on getting errors.
Copied from original issue: ansible/ansible#70588
When specifying a line in the ACE entry, the module reports changed if that ACE is not present at that line but fails to correctly move it. This makes the play not idempotent, because each run will report changed and fail to move the line successfully.
ansible 2.9.23
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/darkhelmet/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/darkhelmet/.venvs/py2-tower-3.8.3/lib/python3.9/site-packages/ansible
executable location = /home/darkhelmet/.venvs/py2-tower-3.8.3/bin/ansible
python version = 3.9.6 (default, Jul 16 2021, 00:00:00) [GCC 11.1.1 20210531 (Red Hat 11.1.1-3)]
# /home/darkhelmet/.ansible/collections/ansible_collections
Collection Version
---------- -------
cisco.asa 2.0.2
ASAv 9.12(4)
On the ASA create an ACL like:
access-list abcd extended permit ip any4 host 1.1.1.1
access-list abcd extended permit ip any4 host 8.8.8.8
access-list abcd extended permit ip any4 host 9.9.9.9
Then use merged to add a line at position 2:
- cisco.asa.asa_acls:
    config:
      acls:
        - name: abcd
          acl_type: extended
          aces:
            - grant: deny
              line: 2
              protocol_options:
                ip: true
              source:
                any4: true
              destination:
                host: 8.8.4.4
    state: merged
Go on the CLI of the ASA and add an ACL entry at line 2 (that pushes the one we just added to line 2)
access-list abcd line 2 extended deny ip any4 host 1.0.0.1
Then run the above play again. You'll see it tries to run:
"commands": [
"access-list abcd line 2 extended deny ip any4 host 8.8.4.4"
],
Ideally, the playbook removes the line and re-adds it, which allows the play to truly "change" successfully. Because it may change a live ACL on the device that "could" affect management, it may be preferable to "fail" out and allow the playbook author to handle the move separately. Either solution is alright in the long run. Right now it's just not idempotent because the move fails.
It results in the following at the CLI:
ciscoasa(config)# access-list abcd line 2 extended deny ip any4 host 8.8.4.4
WARNING: <abcd> found duplicate element
access-list abcd line 2 extended deny ip any4 host 8.8.4.4
The task reports "changed" and moves on.
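The report above describes why re-sending `access-list abcd line 2 ...` is not a move: the ASA only warns about the duplicate and leaves the entry where it was, while the task still reports changed. As an added example that is not code from the cisco.asa collection, the following implements the remove-and-re-add behaviour the report asks for and a toy model of the device's response, so the resulting ACL order can be checked before anything is pushed. Assumptions not taken from the page: the input is a constructed, simplified `show access-list` listing, two ACEs are treated as the same entry when the text after the ACL type matches exactly, and `line N` counts from 1 within the ACL.

```python
"""Position-aware ACE merge for a Cisco ASA ACL (added example, not cisco.asa code).

Models the non-idempotent case described above: the wanted ACE already exists
in the ACL but at a different line. Re-sending 'access-list <name> line N ...'
only produces 'found duplicate element' on the ASA and leaves the order as is,
so this merge emits an explicit remove + re-add instead, and nothing when the
ACE is already where it should be.

Assumptions (not from the page): input is a constructed, simplified
'show access-list' listing; two ACEs are the same entry when the text after
'extended'/'standard' matches exactly; 'line N' counts from 1 within the ACL.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:line\s+(?P<line>\d+)\s+)?"
    r"(?P<acl_type>standard|extended)\s+(?P<body>.+?)\s*$"
)

# Constructed from the issue: the original three entries plus the one added by
# hand at line 2, which pushed the Ansible-added ACE down to line 3.
SAMPLE_ACL = """\
access-list abcd line 1 extended permit ip any4 host 1.1.1.1
access-list abcd line 2 extended deny ip any4 host 1.0.0.1
access-list abcd line 3 extended deny ip any4 host 8.8.4.4
access-list abcd line 4 extended permit ip any4 host 8.8.8.8
access-list abcd line 5 extended permit ip any4 host 9.9.9.9
"""


@dataclass(frozen=True)
class Ace:
    acl: str
    acl_type: str
    body: str  # everything after the ACL type, e.g. "deny ip any4 host 8.8.4.4"


WANT = Ace("abcd", "extended", "deny ip any4 host 8.8.4.4")


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Group ACEs by ACL name in device order; list index + 1 is the line."""
    acls: Dict[str, List[Ace]] = {}
    for raw in config.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            acls.setdefault(m["name"], []).append(Ace(m["name"], m["acl_type"], m["body"]))
    return acls


def ace_to_cli(ace: Ace, line: Optional[int] = None, negate: bool = False) -> str:
    pos = f"line {line} " if line is not None else ""
    return f"{'no ' if negate else ''}access-list {ace.acl} {pos}{ace.acl_type} {ace.body}"


def merge_ace_at_line(config: str, want: Ace, line: int) -> List[str]:
    """Commands that put `want` at `line`: [] if it is already there, otherwise
    (remove it if present elsewhere) + add it at the wanted line."""
    have_at = next(
        (i for i, a in enumerate(parse_acls(config).get(want.acl, []), 1) if a.body == want.body),
        None,
    )
    if have_at == line:
        return []
    cmds = [ace_to_cli(want, negate=True)] if have_at is not None else []
    # After the removal, 'line N' is the final position, so no index shift is needed.
    cmds.append(ace_to_cli(want, line=line))
    return cmds


def apply_commands(config: str, cmds: List[str]) -> Dict[str, List[str]]:
    """Toy model of the ASA's handling of these two command forms, used to
    check what order an ACL ends up in after the generated commands."""
    acls = {n: [a.body for a in aces] for n, aces in parse_acls(config).items()}
    for cmd in cmds:
        negate = cmd.startswith("no ")
        m = ACE_RE.match(cmd[3:] if negate else cmd)
        if not m:
            raise ValueError(f"unrecognised command: {cmd}")
        entries = acls.setdefault(m["name"], [])
        if negate:
            entries.remove(m["body"])
        elif m["body"] not in entries:  # a duplicate only warns; position is unchanged
            entries.insert(int(m["line"]) - 1 if m["line"] else len(entries), m["body"])
    return acls


if __name__ == "__main__":
    for cmd in merge_ace_at_line(SAMPLE_ACL, WANT, 2):
        print(cmd)
    print(apply_commands(SAMPLE_ACL, merge_ace_at_line(SAMPLE_ACL, WANT, 2))["abcd"])
```

Because the remove happens first, the wanted `line N` already refers to the final position, so the second command needs no index adjustment. Whether to emit the remove-and-re-add or to fail and leave the move to the playbook author is a policy choice for the caller; the function above only computes the commands and the model lets that choice be tested against the expected final order.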
Allow support to have objects in the acls like the object-groups.
asa_acls
Currently you have support for object-groups but we also use objects for our acls.
The below may not be correct to the line above but I think the gist is there.
- name: Merge provided configuration with device configuration
  cisco.asa.asa_acls:
    config:
      - acls:
          - name: private_access_in
            acl_type: extended
            aces:
              - grant: permit
                line: 1
                protocol_options:
                  tcp: True
                source:
                  network-object: UK-Ansible-Nagios
                destination:
                  network-object: ansible-net
    state: merged
The documentation for the asa_acl module states:
If the replace argument is set to `block` then the entire command block is pushed to the device in configuration mode if any line is not correct.
In fact, setting "replace: block" has no effect on the behaviour of the module, which always pushes the changed lines only (regardless of the value of the "replace" argument).
cisco.asa/asa_acl
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3/dist-packages/ansible
executable location = /usr/bin/ansible
python version = 3.9.1+ (default, Feb 5 2021, 13:46:56) [GCC 10.2.1 20210110]
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
INTERPRETER_PYTHON(/etc/ansible/ansible.cfg) = /usr/bin/python3
PERSISTENT_COMMAND_TIMEOUT(/etc/ansible/ansible.cfg) = 300
Tested against ASA 5516-X running firmware 9.8(4)32, although this bug is independent of ASA version.
Run the asa_acl module with the replace: block argument.
The module sends all config lines to the ASA device, not just the ones that have changed.
The module sends only the config lines that have changed from the device's running config.
I am creating object-groups on the ASA and updating the OGs with the merged operation, and testing the config by using deleted config, but the deleted operation is not working as expected.
Before playbook run config on ASA:
iftyasa(config)# sh run object-group
iftyasa(config)#
hosts: asa01
gather_facts: false
connection: network_cli
collections:
tasks:
After running the playbook I can see the ASA with the new OGs:
iftyasa(config)# sh run object-group
object-group network test_og_network
description test_og_network
network-object host 192.0.2.1
network-object host 192.0.2.2
network-object 192.0.2.0 255.255.255.0
network-object 198.51.100.0 255.255.255.0
object-group network test_network_og
description test network og
network-object host 192.0.3.1
network-object host 192.0.3.2
group-object test_og_network
Here is my deleted operations playbook
hosts: asa01
gather_facts: false
connection: network_cli
collections:
tasks:
Here is the playbook output:
[WARNING]: You are running the development version of Ansible. You should only run Ansible from "devel" if you are modifying the Ansible engine, or trying out features under development. This is a rapidly
changing source of code and can become unstable at any point.
ansible-playbook 2.10.0.dev0
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/home/ikhan/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /home/ikhan/.local/lib/python2.7/site-packages/ansible
executable location = /home/ikhan/Documents/ansible/bin/ansible-playbook
python version = 2.7.15 (default, Oct 15 2018, 15:24:06) [GCC 8.1.1 20180712 (Red Hat 8.1.1-5)]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /home/ikhan/Documents/inventory.ini as it did not pass its verify_file() method
script declined parsing /home/ikhan/Documents/inventory.ini as it did not pass its verify_file() method
auto declined parsing /home/ikhan/Documents/inventory.ini as it did not pass its verify_file() method
yaml declined parsing /home/ikhan/Documents/inventory.ini as it did not pass its verify_file() method
Parsed /home/ikhan/Documents/inventory.ini inventory source with ini plugin
Loading callback plugin default of type stdout, v2.0 from /home/ikhan/.local/lib/python2.7/site-packages/ansible/plugins/callback/default.pyc
PLAYBOOK: cisco_asa_play2.yml *************************************************************************************************************************************************************************************
Positional arguments: cisco_asa_play2.yml
become_method: sudo
inventory: (u'/home/ikhan/Documents/inventory.ini',)
forks: 5
tags: (u'all',)
verbosity: 5
connection: smart
timeout: 10
1 plays in cisco_asa_play2.yml
PLAY [asa01] ******************************************************************************************************************************************************************************************************
META: ran handlers
TASK [Merge module attributes of given object-group] **************************************************************************************************************************************************************
task path: /home/ikhan/Documents/cisco_asa_play2.yml:20
<192.168.10.1> attempting to start connection
<192.168.10.1> using connection plugin ansible.netcommon.network_cli
Found ansible-connection at path /home/ikhan/Documents/ansible/bin/ansible-connection
<192.168.10.1> local domain socket does not exist, starting it
<192.168.10.1> control socket path is /home/ikhan/.ansible/pc/a5874044ce
<192.168.10.1> local domain socket listeners started successfully
<192.168.10.1> loaded cliconf plugin ansible_collections.cisco.asa.plugins.cliconf.asa from path /home/ikhan/.ansible/collections/ansible_collections/cisco/asa/plugins/cliconf/asa.py for network_os cisco.asa.asa
<192.168.10.1>
<192.168.10.1> local domain socket path is /home/ikhan/.ansible/pc/a5874044ce
<192.168.10.1> ESTABLISH LOCAL CONNECTION FOR USER: ikhan
<192.168.10.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "echo /home/ikhan/.ansible/tmp/ansible-local-19888Raa0mK/ansible-tmp-1586226695.53-12192347931995
" && echo ansible-tmp-1586226695.53-12192347931995="echo /home/ikhan/.ansible/tmp/ansible-local-19888Raa0mK/ansible-tmp-1586226695.53-12192347931995
" ) && sleep 0'
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils
Using module_utils file ansible_collections/cisco/asa
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/ogs/ogs
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/argspec/ogs
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/argspec
Using module_utils file ansible_collections/cisco/asa/plugins
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/config
Using module_utils file ansible_collections
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/basic.py
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/argspec/ogs/ogs
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/ogs
Using module_utils file ansible_collections/cisco
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network/common/cfg
Using module_utils file ansible_collections/ansible/netcommon/plugins
Using module_utils file ansible_collections/ansible/netcommon
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/utils
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/utils/utils
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/facts
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network/common/cfg/base
Using module_utils file ansible_collections/ansible
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network/common/utils
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/six/init.py
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network/common
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/ogs/ogs
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/legacy/base
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network/common/facts/facts
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network/common/facts
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/ogs
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/legacy
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/asa
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/_text.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/connection.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/json.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/init.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/_collections_compat.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/collections.py
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/argspec/acls
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/argspec/acls/acls
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network/common/network
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network/common/netconf
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network/common/parsing
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/parsing/init.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/parsing/convert_bool.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/network.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/text/formatters.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/validation.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/text/converters.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/pycompat24.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/warnings.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/text/init.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/process.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/_utils.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/parameters.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/_json_compat.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/sys_info.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/file.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/distro/init.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/distro/_distro.py
Using module file /home/ikhan/.ansible/collections/ansible_collections/cisco/asa/plugins/modules/asa_ogs.py
<192.168.10.1> PUT /home/ikhan/.ansible/tmp/ansible-local-19888Raa0mK/tmp0ZS8DQ TO /home/ikhan/.ansible/tmp/ansible-local-19888Raa0mK/ansible-tmp-1586226695.53-12192347931995/AnsiballZ_asa_ogs.py
<192.168.10.1> EXEC /bin/sh -c 'chmod u+x /home/ikhan/.ansible/tmp/ansible-local-19888Raa0mK/ansible-tmp-1586226695.53-12192347931995/ /home/ikhan/.ansible/tmp/ansible-local-19888Raa0mK/ansible-tmp-1586226695.53-12192347931995/AnsiballZ_asa_ogs.py && sleep 0'
<192.168.10.1> EXEC /bin/sh -c 'python /home/ikhan/.ansible/tmp/ansible-local-19888Raa0mK/ansible-tmp-1586226695.53-12192347931995/AnsiballZ_asa_ogs.py && sleep 0'
<192.168.10.1> EXEC /bin/sh -c 'rm -f -r /home/ikhan/.ansible/tmp/ansible-local-19888Raa0mK/ansible-tmp-1586226695.53-12192347931995/ > /dev/null 2>&1 && sleep 0'
changed: [192.168.10.1] => {
"after": [
{
"name": "test_og_network",
"network_object": {
"address": [
"192.0.2.0 255.255.255.0",
"198.51.100.0 255.255.255.0"
],
"host": [
"192.0.2.1",
"192.0.2.2"
]
},
"object_type": "network"
},
{
"group_object": "test_og_network",
"name": "test_network_og",
"object_type": "network"
}
],
"before": [
{
"description": "test_og_network",
"name": "test_og_network",
"network_object": {
"address": [
"192.0.2.0 255.255.255.0",
"198.51.100.0 255.255.255.0"
],
"host": [
"192.0.2.1",
"192.0.2.2"
]
},
"object_type": "network"
},
{
"description": "test network og",
"group_object": "test_og_network",
"name": "test_network_og",
"network_object": {
"host": [
"192.0.3.1",
"192.0.3.2"
]
},
"object_type": "network"
}
],
"changed": true,
"commands": [
"object-group network test_og_network",
"no description test_og_network",
"object-group network test_network_og",
"no description test network og",
"no network-object host 192.0.3.1",
"no network-object host 192.0.3.2"
],
"invocation": {
"module_args": {
"config": [
{
"description": "test_og_network",
"group_object": null,
"icmp_object": null,
"name": "test_og_network",
"network_object": {
"address": [
"192.0.2.0 255.255.255.0",
"198.51.100.0 255.255.255.0"
],
"host": [
"192.0.2.1",
"192.0.2.2"
],
"ipv6_address": null,
"object": null
},
"object_type": "network",
"protocol_object": null,
"security_group": null,
"service_object": null,
"user_object": null
},
{
"description": "test network og",
"group_object": "test_og_network",
"icmp_object": null,
"name": "test_network_og",
"network_object": {
"address": null,
"host": [
"192.0.3.1",
"192.0.3.2"
],
"ipv6_address": [
"2001:db8:0:3::/64"
],
"object": null
},
"object_type": "network",
"protocol_object": null,
"security_group": null,
"service_object": null,
"user_object": null
}
],
"running_config": null,
"state": "deleted"
}
}
}
META: ran handlers
META: ran handlers
PLAY RECAP ********************************************************************************************************************************************************************************************************
192.168.10.1 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Here is the ASA output after deleted operations:
iftyasa(config)# sh run object-group
object-group network test_og_network
network-object host 192.0.2.1
network-object host 192.0.2.2
network-object 192.0.2.0 255.255.255.0
network-object 198.51.100.0 255.255.255.0
object-group network test_network_og
group-object test_og_network
Notice it deleted these two lines from the ASA, but not the rest:
network-object host 192.0.3.1
network-object host 192.0.3.2
When I run the same deleted playbook again, I am left with this config on the ASA:
iftyasa(config)# sh run object-group
object-group network test_og_network
network-object host 192.0.2.1
network-object host 192.0.2.2
network-object 192.0.2.0 255.255.255.0
network-object 198.51.100.0 255.255.255.0
So the deleted operation deleted one object group this time, but even after running the same playbook again it is not deleting the other OG. This is a bug and not consistent behaviour.
ansible 2.10.dev0
Fedora 30
Delete the OGs
asa_config.py
ansible-2.9.7
ubuntu 20
When I run the command access-list test-acl-1 extended permit tcp object-group IP_Test host 10.22.5.38 eq 8080
and IP_Test does not exist on my device, an error should happen, but it does not.
The error message is more than 256 chars in the CLI, but Ansible tells me the task is successful.
May link to ansible-collections/ansible.netcommon#201.
ansible reports update
ansible reports `error`
For the module asa_ogs, it would be good to have ACLs with object-groups like this:
Module: asa_acls
Something like this will be fine:
- name: Merge provided configuration with device configuration
  cisco.asa.asa_acls:
    config:
      - acls:
          - name: global_access
            acl_type: extended
            aces:
              - grant: permit
                line: 1
                protocol_options:
                  tcp: true
                source:
                  network-object-group: devaccess-WEB
                destination:
                  address: 192.0.3.0
                  netmask: 255.255.255.0
                  port_protocol:
                    eq: www
    state: merged
When an object-group name contains a dot "." symbol, "address" and "netmask" appear but should not.
cisco.asa.asa_acls
ansible 2.10.5
dmitry@host:~$ ansible-galaxy collection list cisco.asa
# /usr/lib/python3/dist-packages/ansible_collections
Collection Version
---------- -------
cisco.asa 1.0.4
# /home/dmitry/.ansible/collections/ansible_collections
Collection Version
---------- -------
cisco.asa 2.0.2
Ubuntu Server 21.04
dmitry@host:~$ cat small.txt
access-list l2_r_in line 480 extended permit tcp 10.20.20.0 255.255.255.0 object-group ALLSERV.12 eq 9389
access-list l2_r_in line 481 extended permit tcp 10.20.20.0 255.255.255.0 object-group ALLSERV12 eq 9389
---
- hosts: asa01
  gather_facts: false
  connection: network_cli
  collections:
    - cisco.asa
  tasks:
    - name: Parse the commands for provided configuration
      cisco.asa.asa_acls:
        running_config: "{{ lookup('file', 'small.txt') }}"
        state: parsed
"parsed": {
"acls": [
{
"aces": [
{
"destination": {
"object_group": "ALLSERV.12",
"port_protocol": {
"eq": "9389"
}
},
"grant": "permit",
"line": 480,
"protocol": "tcp",
"protocol_options": {
"tcp": true
},
"source": {
"address": "10.20.20.0",
"netmask": "255.255.255.0"
}
},
{
"destination": {
"object_group": "ALLSERV12",
"port_protocol": {
"eq": "9389"
}
},
"grant": "permit",
"line": 481,
"protocol": "tcp",
"protocol_options": {
"tcp": true
},
"source": {
"address": "10.20.20.0",
"netmask": "255.255.255.0"
}
}
],
"acl_type": "extended",
"name": "l2_r_in"
}
]
}
"parsed": {
"acls": [
{
"aces": [
{
"destination": {
"address": "object-group", <---- EXTRA LINES
"netmask": "ALLSERV.12", <---- EXTRA LINES
"object_group": "ALLSERV.12",
"port_protocol": {
"eq": "9389"
}
},
"grant": "permit",
"line": 480,
"protocol": "tcp",
"protocol_options": {
"tcp": true
},
"source": {
"address": "10.20.20.0",
"netmask": "255.255.255.0"
}
},
{
"destination": {
"object_group": "ALLSERV12",
"port_protocol": {
"eq": "9389"
}
},
"grant": "permit",
"line": 481,
"protocol": "tcp",
"protocol_options": {
"tcp": true
},
"source": {
"address": "10.20.20.0",
"netmask": "255.255.255.0"
}
}
],
"acl_type": "extended",
"name": "l2_r_in"
}
]
}
When a setting is at the default already, and the asa_config module is provided that same configuration in the "lines" parameter, it appears to implement the configuration even though it exists already, with the "defaults" parameter set to "yes".
Collection Version
ansible.netcommon 2.0.0
ansible.utils 2.0.1
cisco.asa 2.0.0
cisco.asa.asa_config
ansible 2.10.3
config file = None
configured module search path = ['/Users/xxx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /Users/xxx/Library/Python/3.8/lib/python/site-packages/ansible
executable location = /Users/xxx/Library/Python/3.8/bin/ansible
python version = 3.8.2 (default, Dec 21 2020, 15:06:04) [Clang 12.0.0 (clang-1200.0.32.29)]
Targets tested on:
Cisco Adaptive Security Appliance Software Version 9.12(4)4
Cisco Adaptive Security Appliance Software Version 9.8(4)29
Ansible engine host is MacOS 11.2.3
Configure asa_config module task with "lines" including a default configuration (password-policy lifetime 0, for example)
Use parameter "defaults: yes" in order to force module to get "show run all" data for configuration comparison
If the configuration already exists, the module appears to implement it anyway
- name: implement the change on the device
  cisco.asa.asa_config:
    lines:
      - password-policy lifetime 0
    save: yes
    defaults: yes
Command is not implemented / "updates" is empty
Command appears to be implemented / "updates" is populated
Monitoring with "terminal monitor" also confirms the command is implemented:
%ASA-5-111007: Begin configuration: x.x.x.x reading from terminal
%ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP x.x.x.x, executed 'configure terminal'
%ASA-5-111008: User 'enable_15' executed the 'password-policy lifetime 0' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP x.x.x.x, executed 'password-policy lifetime 0'
%ASA-5-111005: x.x.x.x end configuration: OK
changed: [x.x.x.x] => {
"changed": true,
"invocation": {
"module_args": {
"after": null,
"authorize": null,
"backup": false,
"backup_options": null,
"before": null,
"config": null,
"context": null,
"defaults": true,
"lines": [
"password-policy lifetime 0"
],
"match": "line",
"parents": null,
"passwords": null,
"provider": null,
"replace": "line",
"save": true,
"src": null
}
},
"updates": [
"password-policy lifetime 0"
]
}
Add support for service object groups
ASA Config:
object-group service global-dns-ports
 description: global dns ports
 service-object tcp destination eq domain
 service-object udp destination eq domain
cisco.asa.asa_ogs:
It would complete the OGS management of the ASAs.
Output from "gathered" module shows empty despite having objects in the service object group
"object_groups": [
{
"description": "ansible_test object-group description",
"name": "ansible_test_2"
},
{
"description": "global dns ports",
"name": "global-dns-ports"
},
]
From @djedovica on Jul 08, 2020 09:12
I have a port 80 in the port group on the firewall. When I send a task with state:replace the port 80 will always be removed from this group. When I send once again the same task, the port 80 will be created in this port group. On the next attempt it will be removed, and then created, etc. I get no errors from ansible.
I have also tested with other ports and the same problem appears with port 67. Other ports that I have tested seem to work properly (of course, I haven’t tested all possible ports).
The same problem appears when using port range with port 90 (Example: port_range: 80 90).
asa_og
ansible 2.8.4
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
executable location = /usr/local/bin/ansible
python version = 3.6.8 (default, Aug 7 2019, 17:28:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
ANSIBLE_PIPELINING(/etc/ansible/ansible.cfg) = True
DEFAULT_HASH_BEHAVIOUR(/etc/ansible/ansible.cfg) = merge
DEFAULT_PRIVATE_KEY_FILE(/etc/ansible/ansible.cfg) = /root/.ssh/id_rsa
DEFAULT_PRIVATE_ROLE_VARS(/etc/ansible/ansible.cfg) = True
DEFAULT_VAULT_PASSWORD_FILE(/etc/ansible/ansible.cfg) = /root/.ansible/vault.key
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
PARAMIKO_HOST_KEY_AUTO_ADD(/etc/ansible/ansible.cfg) = True
PERSISTENT_CONNECT_TIMEOUT(/etc/ansible/ansible.cfg) = 30
RETRY_FILES_ENABLED(/etc/ansible/ansible.cfg) = False
Centos 7.7
Firewall: ASA 5515
I have two tasks: one for creating a port-group with state: present and second to edit a port-group with state: replace. The problem appears when I send a task with state:replace. This task is always going to delete port 80 from port-group.
For example:
First task:
- name: configure port-object object-group
  asa_og:
    name: port_group_test_7
    group_type: port-object
    state: present
    description: description
    protocol: tcp-udp
    port_eq:
      - "80"
      - "90"
    port_range:
  tags:
    - port_group1
Second Task:
- name: configure port-object object-group
  asa_og:
    name: port_group_test_7
    group_type: port-object
    state: replace
    description: description
    protocol: tcp-udp
    port_eq:
      - "80"
      - "91"
    port_range:
  tags:
    - port_group1
In this example, the difference is that I have replaced port 90 with port 91. After executing Task 1, a port-group is created on the firewall with ports 80 and 90 (there is no problem). After executing Task 2, the group on the firewall will contain only port 91; port 80 is deleted.
I expect that the port group contains ports: 80, 91
After first execution: port group contains only port 91
After second execution: port group contains ports 80, 91
After third execution: port group contains only port 91
etc.
Copied from original issue: ansible/ansible#70518
If we have an ACL that contains network object-groups, and I run a playbook with the module asa_acls with state: gathered, I get an issue.
ansible 2.9.6
--
I have this list of ACLs.
access-list ACI-PBR line 51 extended permit tcp object-group devaccess-dockertest object-group devaccess-dockertest-endpoints eq 3389 (hitcnt=0) 0x961626dc
access-list ACI-PBR line 51 extended permit tcp host 1.1.1.1 host 1.1.1.1 eq 3389 (hitcnt=0) 0xcf956318
access-list ACI-PBR line 51 extended permit tcp host 172.19.4.74 host 1.1.1.1 eq 3389 (hitcnt=0) 0x08b394cc
access-list ACI-PBR line 51 extended permit tcp host 172.25.7.134 host 1.1.1.1 eq 3389 (hitcnt=0) 0x753ed89c
access-list ACI-PBR line 51 extended permit tcp host 172.26.5.167 host 1.1.1.1 eq 3389 (hitcnt=0) 0x27a90068
access-list ACI-PBR line 51 extended permit tcp host 172.30.5.81 host 1.1.1.1 eq 3389 (hitcnt=0) 0x8de1b244
access-list ACI-PBR line 51 extended permit tcp host 192.168.1.72 host 1.1.1.1 eq 3389 (hitcnt=0) 0x3b079250
access-list ACI-PBR line 52 extended permit tcp object-group devaccess-dockertest object-group devaccess-dockertest-endpoints eq 5900 (hitcnt=0) 0x7b6b76d7
access-list ACI-PBR line 52 extended permit tcp host 1.1.1.1 host 1.1.1.1 eq 5900 (hitcnt=0) 0x695a0127
access-list ACI-PBR line 52 extended permit tcp host 172.19.4.74 host 1.1.1.1 eq 5900 (hitcnt=0) 0xf6e22d3a
access-list ACI-PBR line 52 extended permit tcp host 172.25.7.134 host 1.1.1.1 eq 5900 (hitcnt=0) 0x7314f207
access-list ACI-PBR line 52 extended permit tcp host 172.26.5.167 host 1.1.1.1 eq 5900 (hitcnt=0) 0x07da2b97
access-list ACI-PBR line 52 extended permit tcp host 172.30.5.81 host 1.1.1.1 eq 5900 (hitcnt=0) 0xcfdb417c
access-list ACI-PBR line 52 extended permit tcp host 192.168.1.72 host 1.1.1.1 eq 5900 (hitcnt=0) 0x87525554
The playbook that I use is the following:
---
- hosts: asa
  gather_facts: false
  connection: network_cli
  collections:
    - cisco.asa
  tasks:
    - name: Gather listed ACLs with provided configurations
      cisco.asa.asa_acls:
        config:
        state: gathered
It fails with the following message.
....
File "/tmp/ansible_cisco.asa.asa_acls_payload_ZCnlJX/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 176, in populate_port_protocol
File "/tmp/ansible_cisco.asa.asa_acls_payload_ZCnlJX/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 176, in populate_port_protocol
File "/tmp/ansible_cisco.asa.asa_acls_payload_ZCnlJX/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 176, in populate_port_protocol
File "/tmp/ansible_cisco.asa.asa_acls_payload_3F2REH/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 176, in populate_port_protocol
File "/tmp/ansible_cisco.asa.asa_acls_payload_3F2REH/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 96, in populate_port_protocol
RuntimeError: maximum recursion depth exceeded in cmp
module_stdout: ''
msg: |-
MODULE FAILURE
See stdout/stderr for the exact error
rc: 1
When running a playbook to replace a certain ACL with new/modified lines it leaves orphaned lines behind without deleting them.
asa_acls
ansible 2.9.15
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/home/abusse/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/dist-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.16 (default, Oct 10 2019, 22:02:15) [GCC 8.3.0]
DEFAULT_STDOUT_CALLBACK(/etc/ansible/ansible.cfg) = yaml
INTERPRETER_PYTHON(/etc/ansible/ansible.cfg) = auto_legacy_silent
Debian 10.6
ASA is running version 9.9(1)2
Collections used:
ansible.netcommon:1.4.2-dev2
cisco.asa:1.0.4
Before state:
# sh access-list ansible_test
access-list ansible_test; 3 elements; name hash: 0x1b2b1138
access-list ansible_test line 1 remark HostA
access-list ansible_test line 2 extended deny ip host 1.1.1.1 any4 (hitcnt=0) 0xc24d3351
access-list ansible_test line 3 remark HostB
access-list ansible_test line 4 extended permit ip host 2.2.2.2 any4 (hitcnt=0) 0x44cd4b7e
access-list ansible_test line 5 remark HostC
access-list ansible_test line 6 extended permit ip host 3.3.3.3 any4 (hitcnt=0) 0x4c8c99d5
Playbook used:
---
- hosts: devpn
  connection: network_cli
  gather_facts: no
  become: yes
  become_method: enable
  vars_files:
    - ./svc_credentials.yml
  collections:
    - cisco.asa
  tasks:
    - name: "TASK 1: Create ansible_test ACL"
      asa_acls:
        config:
          acls:
            - name: ansible_test
              acl_type: extended
              aces:
                - line: 1
                  remark: HostA0
                - grant: deny
                  line: 2
                  protocol: ip
                  source:
                    host: 1.1.1.1
                  destination:
                    any4: true
                - line: 3
                  remark: HostB1
                - grant: permit
                  line: 4
                  protocol: ip
                  source:
                    host: 2.2.2.2
                  destination:
                    any4: true
                - line: 5
                  remark: HostC2
                - grant: permit
                  line: 6
                  protocol: ip
                  source:
                    host: 3.3.3.3
                  destination:
                    any4: true
        state: replaced
# sh access-list ansible_test
access-list ansible_test; 3 elements; name hash: 0x1b2b1138
access-list ansible_test line 1 remark HostA0
access-list ansible_test line 2 extended deny ip host 1.1.1.1 any4 (hitcnt=0) 0xc24d3351
access-list ansible_test line 3 remark HostB1
access-list ansible_test line 4 extended permit ip host 2.2.2.2 any4 (hitcnt=0) 0x44cd4b7e
access-list ansible_test line 5 remark HostC2
access-list ansible_test line 6 extended permit ip host 3.3.3.3 any4 (hitcnt=0) 0x4c8c99d5
The ACL has been partially updated but left old remarks behind.
# sh access-list ansible_test
access-list ansible_test; 3 elements; name hash: 0x1b2b1138
access-list ansible_test line 1 remark HostAA
access-list ansible_test line 2 remark HostA
access-list ansible_test line 3 remark HostBB
access-list ansible_test line 4 extended deny ip host 1.1.1.1 any4 (hitcnt=0) 0xc24d3351
access-list ansible_test line 5 remark HostCC
access-list ansible_test line 6 remark HostB
access-list ansible_test line 7 extended permit ip host 2.2.2.2 any4 (hitcnt=0) 0x44cd4b7e
access-list ansible_test line 8 remark HostC
access-list ansible_test line 9 extended permit ip host 3.3.3.3 any4 (hitcnt=0) 0x4c8c99d5
ASA ACLs resource module not working with host info in either source/destination
asa_acls
stable-2.9 and devel
---
- hosts: devpn
  connection: network_cli
  gather_facts: no
  become: yes
  become_method: enable
  vars_files:
    - ./credentials.yml
  collections:
    - cisco.asa
  tasks:
    - name: "TASK 1: Create ansible_test ACL"
      asa_acls: &id001
        config:
          - acls:
              - name: ansible_test
                acl_type: extended
                aces:
                  - remark: HostA
                  - grant: permit
                    protocol: ip
                    source:
                      host: 1.1.1.1
                    destination:
                      any: true
                  - remark: HostB
                  - grant: permit
                    protocol: ip
                    source:
                      host: 2.2.2.2
                    destination:
                      any: true
        state: replaced
It should pass and create an ACL entry with a host-specific ACE
$ ansible-playbook -i staging acl.yml --check --ask-vault-pass -v
Using /etc/ansible/ansible.cfg as config file
Vault password:
PLAY [devpn] ***********************************************************************************************************************************
TASK [TASK 1: Create ansible_test ACL] *********************************************************************************************************
fatal: [devpn]: FAILED! => changed=false
ansible_facts:
discovered_interpreter_python: /usr/bin/python
msg: 'Unsupported parameters for (asa_acls) module: host found in config -> acls -> aces -> source. Supported parameters include: address, any, netmask, port_protocol'
PLAY RECAP *************************************************************************************************************************************
devpn : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
When trying to run the asa_ogs or asa_acls modules with the "status: gathered" parameter as illustrated in the documentation examples, the error, "ImportError: jinja2 is required but does not appear to be installed" is received.
cisco.asa.asa_ogs
cisco.asa.asa_acls
Thu May 20 12:53:37 test_playbooks $ ansible --version
ansible 2.10.3
config file = None
configured module search path = ['<path>/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = <path>/Library/Python/3.8/lib/python/site-packages/ansible
executable location = <path>/Library/Python/3.8/bin/ansible
python version = 3.8.2 (default, Apr 8 2021, 23:19:18) [Clang 12.0.5 (clang-1205.0.22.9)]
Thu May 20 12:53:44 test_playbooks $ ansible-galaxy collection list
# <path>/.ansible/collections/ansible_collections
Collection Version
---------------------- -------
ansible.netcommon 2.0.0
ansible.utils 2.0.1
cisco.asa 2.0.2
paloaltonetworks.panos 2.5.0
Thu May 20 12:53:53 test_playbooks $
Even after upgrading netcommon and utils the errors remain:
Thu May 20 13:28:22 test_playbooks $ ansible-galaxy collection list
# <path>/.ansible/collections/ansible_collections
Collection Version
---------------------- -------
ansible.netcommon 2.1.0
ansible.utils 2.2.0
cisco.asa 2.0.2
paloaltonetworks.panos 2.5.0
Thu May 20 13:28:26 test_playbooks $
Thu May 20 13:37:28 test_playbooks $ ansible-config dump --only-changed
Thu May 20 13:37:32 test_playbooks
MacOS 11.3.1 (20E241)
jinja2 is definitely installed and works for other playbooks, as templates are used often:
Thu May 20 12:59:58 ~ $ pip install jinja2
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: jinja2 in ./Library/Python/3.8/lib/python/site-packages (2.11.2)
Requirement already satisfied: MarkupSafe>=0.23 in ./Library/Python/3.8/lib/python/site-packages (from jinja2) (1.1.1)
Thu May 20 13:00:29 ~ $
Create a playbook with the sample task for "status: gathered" from the module documentation for either the asa_ogs or asa_acls module
# Task configuration (as shown in the documentation examples):
- name: Gather listed OGs with provided configurations
  cisco.asa.asa_ogs:
    config:
    state: gathered
# Same for ACLs:
- name: Gather listed ACLs with provided configurations
  cisco.asa.asa_acls:
    config:
    state: gathered
Object-groups or ACLs are gathered
ImportError for jinja2
Thu May 20 12:52:12 test_playbooks $ ansible-playbook -i ../inventory test_asa_gather_network_groups.yml
PLAY [Testing cisco.asa.asa_ogs module] *********************************************************************************************************************
TASK [Gather listed OGs with provided configurations] *******************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ImportError: jinja2 is required but does not appear to be installed. It can be installed using `pip install jinja2`
[WARNING]: Platform darwin on host <ip> is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python
interpreter could change the meaning of that path. See https://docs.ansible.com/ansible/2.10/reference_appendices/interpreter_discovery.html for more
information.
fatal: [<ip>]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "module_stderr": "Traceback (most recent call last):\n File \"<path>/.ansible/tmp/ansible-local-16526dqu7n_cj/ansible-tmp-1621536739.773023-16530-253068423146480/AnsiballZ_asa_ogs.py\", line 102, in <module>\n _ansiballz_main()\n File \"<path>/.ansible/tmp/ansible-local-16526dqu7n_cj/ansible-tmp-1621536739.773023-16530-253068423146480/AnsiballZ_asa_ogs.py\", line 94, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"<path>/.ansible/tmp/ansible-local-16526dqu7n_cj/ansible-tmp-1621536739.773023-16530-253068423146480/AnsiballZ_asa_ogs.py\", line 40, in invoke_module\n runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_ogs', init_globals=None, run_name='__main__', alter_sys=True)\n File \"/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py\", line 188, in run_module\n fname, loader, pkg_name)\n File \"/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py\", line 82, in _run_module_code\n mod_name, mod_fname, mod_loader, pkg_name)\n File \"/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py\", line 72, in _run_code\n exec code in run_globals\n File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_ogs_payload_ezyOck/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_ogs.py\", line 918, in <module>\n File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_ogs_payload_ezyOck/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_ogs.py\", line 912, in main\n File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_ogs_payload_ezyOck/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/ogs/ogs.py\", line 48, in __init__\n File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_ogs_payload_ezyOck/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/rm_templates/ogs.py\", line 111, in __init__\n File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_ogs_payload_ezyOck/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/ansible/netcommon/plugins/module_utils/network/common/rm_base/network_template.py\", line 27, in __init__\n File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_ogs_payload_ezyOck/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/ansible/netcommon/plugins/module_utils/network/common/utils.py\", line 726, in __init__\nImportError: jinja2 is required but does not appear to be installed. It can be installed using `pip install jinja2`\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
PLAY RECAP **************************************************************************************************************************************************
<ip> : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Thu May 20 12:52:22 test_playbooks $
Thu May 20 12:52:27 test_playbooks $ ansible-playbook -i ../inventory test_asa_gather_network_groups.yml
PLAY [Testing cisco.asa.asa_ogs module] *********************************************************************************************************************
TASK [Gather listed ACLs with provided configurations] ******************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ImportError: jinja2 is required but does not appear to be installed. It can be installed using `pip install jinja2`
[WARNING]: Platform darwin on host <ip> is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python
interpreter could change the meaning of that path. See https://docs.ansible.com/ansible/2.10/reference_appendices/interpreter_discovery.html for more
information.
fatal: [<ip>]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "module_stderr": "Traceback (most recent call last):\n File \"<path>/.ansible/tmp/ansible-local-16555fvyj4v4k/ansible-tmp-1621536754.536745-16559-218329172548531/AnsiballZ_asa_acls.py\", line 102, in <module>\n _ansiballz_main()\n File \"<path>/.ansible/tmp/ansible-local-16555fvyj4v4k/ansible-tmp-1621536754.536745-16559-218329172548531/AnsiballZ_asa_acls.py\", line 94, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"<path>/.ansible/tmp/ansible-local-16555fvyj4v4k/ansible-tmp-1621536754.536745-16559-218329172548531/AnsiballZ_asa_acls.py\", line 40, in invoke_module\n runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_acls', init_globals=None, run_name='__main__', alter_sys=True)\n File \"/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py\", line 188, in run_module\n fname, loader, pkg_name)\n File \"/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py\", line 82, in _run_module_code\n mod_name, mod_fname, mod_loader, pkg_name)\n File \"/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py\", line 72, in _run_code\n exec code in run_globals\n File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_acls_payload_xfpckn/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py\", line 1258, in <module>\n File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_acls_payload_xfpckn/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py\", line 1253, in main\n File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_acls_payload_xfpckn/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py\", line 48, in __init__\n File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_acls_payload_xfpckn/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/rm_templates/acls.py\", line 125, in __init__\n File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_acls_payload_xfpckn/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/ansible/netcommon/plugins/module_utils/network/common/rm_base/network_template.py\", line 27, in __init__\n File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_acls_payload_xfpckn/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/ansible/netcommon/plugins/module_utils/network/common/utils.py\", line 726, in __init__\nImportError: jinja2 is required but does not appear to be installed. It can be installed using `pip install jinja2`\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
PLAY RECAP **************************************************************************************************************************************************
<ip> : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Thu May 20 12:52:37 test_playbooks $
There is no destination section when source port range present in ACL
cisco.asa.asa_acls
ansible 2.10.5
dmitry@host:~$ ansible-galaxy collection list cisco.asa
# /usr/lib/python3/dist-packages/ansible_collections
Collection Version
---------- -------
cisco.asa 1.0.4
# /home/dmitry/.ansible/collections/ansible_collections
Collection Version
---------- -------
cisco.asa 2.0.2
Ubuntu Server 21.04
dmitry@host:~$ cat small.txt
access-list management_in line 160 extended permit tcp host 10.20.20.5 range 49152 65535 10.30.30.0 255.255.255.0 eq 100
access-list management_in line 160 extended permit tcp host 10.20.20.5 10.30.30.0 255.255.255.0 eq 100
---
- hosts: asa01
  gather_facts: false
  connection: network_cli
  collections:
    - cisco.asa
  tasks:
    - name: Parse the commands for provided configuration
      cisco.asa.asa_acls:
        running_config: "{{ lookup('file', 'small.txt') }}"
        state: parsed
"parsed": {
    "acls": [
        {
            "aces": [
                {
                    "destination": {
                        "address": "10.30.30.0",
                        "netmask": "255.255.255.0",
                        "port_protocol": {
                            "eq": "100"
                        }
                    },
                    "grant": "permit",
                    "line": 160,
                    "protocol": "tcp",
                    "protocol_options": {
                        "tcp": true
                    },
                    "source": {
                        "host": "10.20.20.5",
                        "port_protocol": {
                            "range": {
                                "end": 65535,
                                "start": 49152
                            }
                        }
                    }
                },
                {
                    "destination": {
                        "address": "10.30.30.0",
                        "netmask": "255.255.255.0",
                        "port_protocol": {
                            "eq": "100"
                        }
                    },
                    "grant": "permit",
                    "line": 160,
                    "protocol": "tcp",
                    "protocol_options": {
                        "tcp": true
                    },
                    "source": {
                        "host": "10.20.20.5"
                    }
                }
            ],
            "acl_type": "extended",
            "name": "management_in"
        }
    ]
}
"parsed": {
    "acls": [
        {
            "aces": [
                {
                    "grant": "permit", <--- NO DESTINATION
                    "line": 160,
                    "protocol": "tcp",
                    "protocol_options": {
                        "tcp": true
                    },
                    "source": {
                        "host": "10.20.20.5" <--- NO SOURCE PORT RANGE
                    }
                },
                {
                    "destination": {
                        "address": "10.30.30.0",
                        "netmask": "255.255.255.0",
                        "port_protocol": {
                            "eq": "100"
                        }
                    },
                    "grant": "permit",
                    "line": 160,
                    "protocol": "tcp",
                    "protocol_options": {
                        "tcp": true
                    },
                    "source": {
                        "host": "10.20.20.5"
                    }
                }
            ],
            "acl_type": "extended",
            "name": "management_in"
        }
    ]
}
Facing an error when trying to set a source or destination to any in a playbook while using the asa_acls module.
asa_acls
ansible --version
ansible 2.9.9
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/home/abusse/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/dist-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.16 (default, Oct 10 2019, 22:02:15) [GCC 8.3.0]
ansible-config dump --only-changed
DEFAULT_STDOUT_CALLBACK(/etc/ansible/ansible.cfg) = yaml
INTERPRETER_PYTHON(/etc/ansible/ansible.cfg) = auto_legacy_silent
Debian 10.4
ASA is running version 9.9(1)2
Collections used:
ansible.netcommon:0.0.3-dev51
cisco.asa:0.0.2-dev15
Playbook used:
---
- hosts: devpn
  connection: network_cli
  gather_facts: no
  become: yes
  become_method: enable
  vars_files:
    - ./credentials.yml
  collections:
    - cisco.asa
  tasks:
    - name: "TASK 1: Create ansible_test ACL"
      asa_acls: &id001
        config:
          - acls:
              - name: ansible_test
                acl_type: extended
                aces:
                  - remark: HostA
                  - grant: permit
                    protocol: ip
                    source:
                      host: 1.1.1.1
                    destination:
                      any: true
                  - remark: HostB
                  - grant: permit
                    protocol: ip
                    source:
                      host: 2.2.2.2
                    destination:
                      any: true
                  - remark: HostC
                  - grant: permit
                    protocol: ip
                    source:
                      host: 3.3.3.3
                    destination:
                      any: true
        state: replaced
The output below should be the result on the ASA.
devpn# sh run access-list ansible_test
access-list ansible_test remark HostA
access-list ansible_test extended permit ip host 1.1.1.1 any
access-list ansible_test remark HostB
access-list ansible_test extended permit ip host 2.2.2.2 any
access-list ansible_test remark HostC
access-list ansible_test extended permit ip host 3.3.3.3 any
$ ansible-playbook --ask-vault-pass --check -i staging acl.yml -v
Using /etc/ansible/ansible.cfg as config file
Vault password:
PLAY [devpn] ******************************************************************************************************************************************************
TASK [TASK 1: Create ansible_test ACL] ****************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: 'any' is not in list
fatal: [devpn]: FAILED! => changed=false
ansible_facts:
discovered_interpreter_python: /usr/bin/python
module_stderr: |-
Traceback (most recent call last):
File "/home/abusse/.ansible/tmp/ansible-local-15293098Y72/ansible-tmp-1591790115.48-15300-4341809460479/AnsiballZ_asa_acls.py", line 102, in <module>
_ansiballz_main()
File "/home/abusse/.ansible/tmp/ansible-local-15293098Y72/ansible-tmp-1591790115.48-15300-4341809460479/AnsiballZ_asa_acls.py", line 94, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/home/abusse/.ansible/tmp/ansible-local-15293098Y72/ansible-tmp-1591790115.48-15300-4341809460479/AnsiballZ_asa_acls.py", line 40, in invoke_module
runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_acls', init_globals=None, run_name='__main__', alter_sys=True)
File "/usr/lib/python2.7/runpy.py", line 188, in run_module
fname, loader, pkg_name)
File "/usr/lib/python2.7/runpy.py", line 82, in _run_module_code
mod_name, mod_fname, mod_loader, pkg_name)
File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
exec code in run_globals
File "/tmp/ansible_asa_acls_payload_qAh3jF/ansible_asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py", line 1194, in <module>
File "/tmp/ansible_asa_acls_payload_qAh3jF/ansible_asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py", line 1189, in main
File "/tmp/ansible_asa_acls_payload_qAh3jF/ansible_asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 71, in execute_module
File "/tmp/ansible_asa_acls_payload_qAh3jF/ansible_asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 53, in get_acls_facts
File "/tmp/ansible_asa_acls_payload_qAh3jF/ansible_asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/facts.py", line 60, in get_facts
File "/tmp/ansible_asa_acls_payload_qAh3jF/ansible_asa_acls_payload.zip/ansible_collections/ansible/netcommon/plugins/module_utils/network/common/facts/facts.py", line 131, in get_network_resources_facts
File "/tmp/ansible_asa_acls_payload_qAh3jF/ansible_asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 70, in populate_facts
File "/tmp/ansible_asa_acls_payload_qAh3jF/ansible_asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 397, in render_config
File "/tmp/ansible_asa_acls_payload_qAh3jF/ansible_asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 193, in populate_source_destination
ValueError: 'any' is not in list
module_stdout: ''
msg: |-
MODULE FAILURE
See stdout/stderr for the exact error
rc: 1
PLAY RECAP ********************************************************************************************************************************************************
devpn : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
asa_acls with state: replaced fails to remove ACEs with IPv6 source addresses.
ansible 2.9.15
python version = 3.8.2 (default, Jul 4 2020, 11:16:10) [GCC 8.3.0]
ENABLE_TASK_DEBUGGER(env: ANSIBLE_ENABLE_TASK_DEBUGGER) = True
ASA 5506 9.15(1)10
access-list TEST-ACL line 9 extended permit ip host 2001:db8::1 any6
state: replaced
A complete command is sent to the device to remove the ACE.
no access-list TEST-ACL line 9 extended permit ip host 2001:db8::1 any6
The ACE is not removed because an incomplete command is being sent:
[ASA] TASK: asa_acls : Ensure ACLs are configured (debug)> p result._result['commands']
['no access-list TEST-ACL line 9 extended permit ip', <-- The command is incomplete.
[...]
before is also incorrect and doesn't contain any ACEs with ip host <ipv6 address>.
Return value "ansible_net_model" is absent when requesting ASA facts via the Cisco ASA Ansible Collection.
cisco.asa.asa_facts – Collect facts from remote devices running Cisco ASA
ansible 2.10.3
COLLECTIONS_PATHS(/etc/ansible/ansible.cfg) = ['/etc/ansible/collections']
DEFAULT_ROLES_PATH(/etc/ansible/ansible.cfg) = ['/etc/ansible/roles']
For example: Cisco ASA5508, Cisco FPR2110
Get facts from device using "cisco.asa.asa_facts" plugin
- hosts: asa
  connection: network_cli
  gather_facts: no
  vars:
    ansible_python_interpreter: /usr/bin/python3.6
    ansible_user: name
    ansible_ssh_pass: passwd
    ansible_become: true
    ansible_become_method: ansible.netcommon.enable
    ansible_become_pass: become_password
    ansible_connection: ansible.netcommon.network_cli
    ansible_network_os: cisco.asa.asa
  collections:
    - cisco.asa
  tasks:
    - name: Gather all legacy facts
      asa_facts:
        gather_subset: all
I expect to see "ansible_net_model" in the returned value, as stated in the documentation: https://docs.ansible.com/ansible/2.10/collections/cisco/asa/asa_facts_module.html
"ansible_net_model" is not seen in response.
Module asa_ogs shows unexpected behavior while using the network_object parameter
ansible 2.9.9
python version = 3.8.5 (default, Jan 27 2021, 15:41:15) [GCC 9.3.0]
command_timeout = 60
host_key_checking = False
Tested against ASA 5525-X - Version: 9.14(2)8,
Ansible running on Ubuntu 20.04.2 LTS
Run the asa_ogs module with the "network_object" parameter in a task.
The following task is an example, taken from the documentation (https://github.com/ansible-collections/cisco.asa/blob/main/docs/cisco.asa.asa_ogs_module.rst):
- name: "Merge module attributes of given object-group"
  cisco.asa.asa_ogs:
    config:
      - object_type: network
        object_groups:
          - name: test_og_network
            description: test_og_network
            network_object:
              host:
                - 192.0.2.1
                - 192.0.2.2
              address:
                - 192.0.2.0 255.255.255.0
                - 198.51.100.0 255.255.255.0
Module creates network object as specified.
Module raises the following error at playbook launch:
"msg": "Unsupported parameters for (basic.py) module: object found in config -> object_groups -> network_object. Supported parameters include: address, host, ipv6_address"
When using the cisco.asa.asa_acls module with state: gathered, it does not correctly parse and collect standard access-list entries. Entries using a subnet and netmask are not gathered; only 'host' entries are gathered.
cisco.asa.asa_acls:
  state: gathered
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.6/site-packages/ansible
executable location = /usr/bin/ansible
python version = 3.6.8 (default, Dec 5 2019, 15:45:45) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
DEFAULT_ROLES_PATH(/etc/ansible/ansible.cfg) = ['/etc/ansible/roles']
DEFAULT_STDOUT_CALLBACK(/etc/ansible/ansible.cfg) = yaml
DEFAULT_TERMINAL_PLUGIN_PATH(/etc/ansible/ansible.cfg) = ['/usr/share/ansible/plugins/terminal', '/etc/ansible/plugins/t>
DISPLAY_SKIPPED_HOSTS(/etc/ansible/ansible.cfg) = False
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
Red Hat Enterprise Linux release 8.2 (Ootpa)
I have tested with failures against the following Cisco devices:
Cisco Firepower2110 running ASA code 9.12(3)12
Cisco ASA 5525X running ASA code 9.4(4)37
access-list TEST-ACCESS-LIST standard permit 10.0.0.0 255.0.0.0
access-list TEST-ACCESS-LIST standard permit 172.16.0.0 255.240.0.0
access-list TEST-ACCESS-LIST standard permit host 192.168.1.1
access-list TEST-ACCESS-LIST standard permit host 192.168.2.1
- name: Gather ACLs
  cisco.asa.asa_acls:
    state: gathered
  register: acls
- name: Print ACLs
  debug:
    var: acls
ACL parsing should have included the address/netmask of the ACL entries, as shown below for the line 1 and line 2 ACEs.
PLAY [Configure Test VPN] ***************************************************************************************
TASK [Gather ACLs] ******************************************************************************************************
ok: [10.1.1.1]
TASK [debug] ************************************************************************************************************
ok: [10.1.1.1] =>
  acls:
    ansible_facts:
      discovered_interpreter_python: /usr/libexec/platform-python
    changed: false
    failed: false
    gathered:
      - acls:
          - aces:
              - destination:
                  address: 10.0.0.0
                  netmask: 255.0.0.0
                line: 1
                grant: permit
              - destination:
                  address: 172.16.0.0
                  netmask: 255.240.0.0
                line: 2
                grant: permit
              - destination:
                  host: 192.168.1.1
                grant: permit
                line: 3
              - destination:
                  host: 192.168.2.1
                grant: permit
                line: 4
            acl_type: standard
            name: TEST-ACCESS-LIST
Instead of including the line 1 and line 2 ACEs, the gathered output left them out and started with the host entries on lines 3 and 4.
PLAY [Configure Test VPN] ***************************************************************************************
TASK [Gather ACLs] ******************************************************************************************************
ok: [10.1.1.1]
TASK [debug] ************************************************************************************************************
ok: [10.1.1.1] =>
  acls:
    ansible_facts:
      discovered_interpreter_python: /usr/libexec/platform-python
    changed: false
    failed: false
    gathered:
      - acls:
          - aces:
              - destination:
                  host: 192.168.1.1
                grant: permit
                line: 3
              - destination:
                  host: 192.168.2.1
                grant: permit
                line: 4
            acl_type: standard
            name: TEST-ACCESS-LIST
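Added here as an illustration and not the cisco.asa module's own parser: a small hypothetical Python tokenizer for ASA access-list lines that keeps the three shapes the reports above show being dropped (a source port range, an IPv6 host with any6, and standard entries with address/netmask), and that survives remark lines. SAMPLE_CONFIG is constructed; object and object-group endpoints are out of scope.

```python
PORT_OPS = ("eq", "neq", "gt", "lt")
ANY_KEYWORDS = ("any", "any4", "any6")

# Constructed sample config (not from a device): one line per shape the
# reports above show being dropped, plus a remark line.
SAMPLE_CONFIG = """\
access-list management_in line 160 extended permit tcp host 10.20.20.5 range 49152 65535 10.30.30.0 255.255.255.0 eq 100
access-list TEST-ACL line 9 extended permit ip host 2001:db8::1 any6
access-list TEST-ACCESS-LIST standard permit 10.0.0.0 255.0.0.0
access-list ansible_test remark HostA
"""

def _take_endpoint(tokens):
    """Pop one address specifier plus an optional port qualifier from tokens."""
    head = tokens.pop(0)
    if head in ANY_KEYWORDS:
        ep = {head: True}
    elif head == "host":               # IPv4 or IPv6 single host
        ep = {"host": tokens.pop(0)}
    else:                              # IPv4 network followed by its netmask
        ep = {"address": head, "netmask": tokens.pop(0)}
    if tokens and tokens[0] in PORT_OPS:
        op = tokens.pop(0)
        ep["port_protocol"] = {op: tokens.pop(0)}
    elif tokens and tokens[0] == "range":
        tokens.pop(0)
        start = int(tokens.pop(0))
        ep["port_protocol"] = {"range": {"start": start, "end": int(tokens.pop(0))}}
    return ep

def parse_ace(line):
    """Parse one 'access-list' line into an ACE dict, or return None."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        return None
    ace, tokens = {"name": tokens[1]}, tokens[2:]
    if tokens[0] == "line":            # optional "line N" precedes the ACL type
        ace["line"], tokens = int(tokens[1]), tokens[2:]
    ace["acl_type"] = tokens.pop(0)
    if ace["acl_type"] == "remark":    # free text, no endpoints to parse
        ace["remark"] = " ".join(tokens)
        return ace
    ace["grant"] = tokens.pop(0)
    if ace["acl_type"] == "extended":
        ace["protocol"] = tokens.pop(0)
        ace["source"] = _take_endpoint(tokens)
    # a standard ACL carries one address, reported under "destination"
    ace["destination"] = _take_endpoint(tokens)
    return ace
```

Running parse_ace over each line of SAMPLE_CONFIG yields the source port range, the any6 destination, and the standard address/netmask entry that the gathered and parsed outputs above were missing.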