topic Re: ASA REST-API in Network Security

ASA REST-API

Denis Orlov — Fri, 22 Feb 2019 11:47:07 GMT

Hi, all.

I have Cisco ASA 5515X with installed REST-API agent

asa# sh run | i rest
rest-api image disk0:/asa-restapi-132325-lfbff-k8.SPA
rest-api agent

Using ASDM I can successfully create copy of ACE in ACL, I mean that I can in ACL create two absolutely equal ACEs.

When I'm trying to create copy of existing ACE in the same ACL using REST API, I'm getting the following error:

stdClass Object (

[messages] => Array (

[0] => stdClass Object ( [level] => Error [code] => DUPLICATE [context] => objectId [details] => 1178952304 ) )

)

So, Is there any way to create two equal ACEs in one ACL using REST API?

Re: ASA REST-API

ngkin2010 — Fri, 22 Feb 2019 11:57:33 GMT

>>> Using ASDM I can successfully create copy of ACE in ACL, I mean that I can in ACL create two absolutely equal ACEs.

Hello, are you sure you could create duplicate ACE? As it should not allowed on command line.

I guess ASDM was doing it by creating different object-groups; for example:

object-group network DM_INLINE_NETWORK_1
network 8.8.8.8 255.255.255.255

object-group network DM_INLINE_NETWORK_2
network 8.8.8.8 255.255.255.255

access-list ACL permit ip extended host 192.168.0.2 object-group DM_INLINE_NETWORK_1
access-list ACL permit ip extended host 192.168.0.2 object-group DM_INLINE_NETWORK_2

You may follow the same logic to do via REST API.

Re: ASA REST-API

Denis Orlov — Fri, 22 Feb 2019 13:39:35 GMT

Yes, now I try to create duplicate ACE using CLI and get following message:

"WARNING: <anyconnect_test_api_acl> found duplicate element"

So, using CLI I also cannot create copy of existing ACE in the same ACL.

Now I try to explain why it so important for me.

I develop Web-application for our security-team to alllow our security guys manage ACLs without deep knowledge of how doing this in ASA CLI.

Security team ask me to develop feature, that allow them to reorder ACEs in ACL using web interface.

So, in Cisco ASA REST-API documentation there is "PATCH" method for "/api/objects/extendedacls/{aclName}/aces", and documentation exaples says, that I can modify "position" of existing ACE in ACL.

We start to use this method for ACE reordering, but faced with following problem: if ACE has different source and destination service defined (here I must to note that when I create ACE, I allways define destination service only), when I try to use "PATCH" method for changing ACE position, I'm getting the following error:

string(155) "{"messages":[{"level":"Error","code":"ACCESS-SRC-DST-SERVICE-SAME-TYPE","details":"Destination Service and Source Service should have the same protocol"}]}"

Why Cisco imposed such restriction on API?

And is there any workaround?

P.S. Why this message was marked as spam? I wrote about things that I want to understand. And I am not writing a lie.

Re: ASA REST-API

Denis Orlov — Fri, 22 Feb 2019 13:43:31 GMT

Yes, now I try to create duplicate ACE using CLI and get following message:

"WARNING: <anyconnect_test_api_acl> found duplicate element"

So, using CLI I also cannot create copy of existing ACE in the same ACL.

Now I try to explain why it so important for me.

I develop Web-application for our security-team to alllow our security guys manage ACLs without deep knowledge of how doing this in ASA CLI.

Security team ask me to develop feature, that allow them to reorder ACEs in ACL using web interface.

So, in Cisco ASA REST-API documentation there is "PATCH" method for "/api/objects/extendedacls/{aclName}/aces", and documentation exaples says, that I can modify "position" of existing ACE in ACL.

string(155) "{"messages":[{"level":"Error","code":"ACCESS-SRC-DST-SERVICE-SAME-TYPE","details":"Destination Service and Source Service should have the same protocol"}]}"

Why Cisco imposed such restriction on API?

And is there any workaround?

P.S. Why this message was marked as spam? I wrote about things that I want to understand. And I am not writing a lie.

Re: ASA REST-API

Denis Orlov — Fri, 22 Feb 2019 13:48:33 GMT

Yes, now I try to create duplicate ACE using CLI and get following message:

"WARNING: <anyconnect_test_api_acl> found duplicate element"

So, using CLI I also cannot create copy of existing ACE in the same ACL.

Now I try to explain why it so important for me.

I develop Web-application for our security-team to alllow our security guys manage ACLs without deep knowledge of how doing this in ASA CLI.

Security team ask me to develop feature, that allow them to reorder ACEs in ACL using web interface.

So, in Cisco ASA REST-API documentation there is "PATCH" method for "/api/objects/extendedacls/{aclName}/aces", and documentation exaples says, that I can modify "position" of existing ACE in ACL.

"{"messages":[{"level":"Error","code":"ACCESS-SRC-DST-SERVICE-SAME-TYPE","details":"Destination Service and Source Service should have the same protocol"}]}"

Why Cisco imposed such restriction on API?

And is there any workaround?

P.S. Why this message was marked as spam? I wrote about things that I want to understand. And I am not writing a lie.

Re: ASA REST-API

ngkin2010 — Fri, 22 Feb 2019 16:19:41 GMT

Would you mind to post your JSON POST Data? E.g. What JSON did you POST to REST API for moving the position of ACE?

Re: ASA REST-API

ngkin2010 — Fri, 22 Feb 2019 17:01:58 GMT

I have did a quick lab, and it works well for me. using PATCH request to swap the position as show in the figure.

Re: ASA REST-API

Denis Orlov — Mon, 25 Feb 2019 08:42:35 GMT

Here is example of existing ACE JSON structure:

{

"kind":"object#ExtendedACE",

"selfLink":"https://x.x.x.x/api/access/in/TP/rules/556116732",

"permit":true,

"sourceAddress":{

"kind":"objectRef#NetworkObj",

"refLink":"https://x.x.x.x/api/objects/networkobjects/MA_TP",

"objectId":"MA_TP"

"destinationAddress":{

"kind":"objectRef#NetworkObjGroup",

"refLink":"https://x.x.x.x/api/objects/networkobjectgroups/ma-vnc",

"objectId":"ma-vnc"

"sourceService":{

"kind":"NetworkProtocol",

"value":"ip"

"destinationService":{

"kind":"objectRef#TcpUdpServiceObj",

"refLink":"https://x.x.x.x/api/objects/networkservices/tcp-1024-65535",

"objectId":"tcp-1024-65535"

"active":true,

"remarks":[],

"ruleLogging":{

"logStatus":"Default",

"logInterval":300

"position":2,

"isAccessRule":true,

"objectId":"556116732"

}

Now I'm trying to PATCH this ACE to renumber it. And here I get this:

Error when PATCH

@ngkin2010 Can you reproduce this?

Re: ASA REST-API

ngkin2010 — Mon, 25 Feb 2019 11:25:15 GMT

I am trying to reproduce your error with the following ACE (in command line format).

and I try to check on the GET result to see whether is look similar to yours.

It look similar! so I go ahead to reproduce your issue:

I got your issue now. That's look like is the BUG. Because if you are using "enhanced object groups" (wrapping services into object-group), the sourceService will be set to "ip" while the destination is objectRef#TcpUdpServiceObj. The mismatching protocol caused the error message.

So, if your object-group (E.g. tcp-1024-65535) contains only TCP service, you could use the following method as a workaround. You also specify the protocol value at the first time.

Then it will work.

If your object contains multiple protocols (E.g. UDP + TCP), you can still set the PATCH like below even through it contains both TCP/UDP.

{
"position": 2,
"sourceService": {
"value": "tcp"
}
}

You are recommended to open a TAC case to report this bug for a fix.

Re: ASA REST-API

Denis Orlov — Mon, 25 Feb 2019 11:41:01 GMT

Yes, you absolutely right.

A must also note the following:

1) If I create such ACE (as in my example) using ASDM, then ACE is created with "IP" as SourceService.

2) But if I create the same ACE using API, then ACE is created with "TCP" as SourceService

😃

So, you can face with this BUG only if you created you ACE ins ASDM or CLI, and after that you trying to PATCH it using API.

If you have created ACE using API all will be ok, because using API ASA modify sourceService accordinly.