02-27-2020 12:00 PM
I'm attempting to use the ASA REST API to programmatically configure a few hundred firewalls that already have ACLs configured on them. The ACLs are similar to the following:
access-list IN extended permit tcp any gt 1023 object-group internal eq ssh
access-list IN extended permit tcp any gt 1023 object-group internal object-group cpanel
access-list IN extended permit icmp any any time-exceeded
access-list IN extended permit ip object-group full-access object-group internal
access-list IN extended permit object-group tcp-udp any object-group internal eq domain
access-list IN extended permit tcp any gt 1023 object-group internal object-group web
access-list IN extended permit tcp any gt 1023 object-group internal object-group ftp
The problem is modifying or adding an ACE that's similar to the aforementioned list using the REST API:
POST to "{"url":"/api/objects/extendedacls/IN/aces"}"
{
  "permit": true,
  "sourceAddress": { "kind": "AnyIPAddress", "value": "any" },
  "destinationAddress": { "kind": "objectRef#NetworkObjGroup", "objectId": "internal" },
  "sourceService": { "kind": "TcpUdpService", "value": ">tcp/1023" },
  "destinationService": { "kind": "objectRef#TcpServiceGroup", "objectId": "ftp" },
  "active": true,
  "position": 8
}
This returns:
{
  "messages": [
    {
      "level": "Error",
      "code": "ACCESS-SRC-DST-SAME-IP-VER",
      "details": "Source and Destination addresses should be of the same IP version."
    }
  ]
}
If I change 'objectRef#NetworkObjGroup' to 'object#NetworkObjGroup' to match what I return when I lookup network object groups via the API:
{
  "kind": "object#NetworkObjGroup",
  "name": "internal",
  "description": "",
  "objectId": "internal"
}
I get this error:
{
  "messages": [
    {
      "level": "Error",
      "code": "JSON-MAPPING-ERROR",
      "context": "destinationAddress",
      "details": "object#NetworkObjGroup- object 'internal' not found"
    }
  ]
}
Any help would be greatly appreciated.
04-16-2020 09:44 PM
04-29-2020 03:13 PM
Could this error be because you used "any", which means ipv4 or ipv6, rather than "any4" ?
"Source and Destination addresses should be of the same IP version."
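As an added example (not code from the thread or from Cisco), the helper below translates a CLI ACE of the form used in the question into the JSON body shape shown in the original POST, and lets the caller substitute "any4" for a bare "any" as the reply suggests. The object-group-to-kind map is constructed for this example (a real script would first list the network and service groups through the API), the "tcp/ssh" value for an `eq` qualifier is an assumption, and only tcp/udp ACEs with any/object-group addresses are handled.

```python
import re

# Constructed map of object-group name -> REST "kind", using the two kinds
# that appear in the thread. A real script would build this by listing the
# network and service object groups through the API before translating ACEs.
GROUP_KINDS = {
    "internal": "objectRef#NetworkObjGroup",
    "full-access": "objectRef#NetworkObjGroup",
    "ftp": "objectRef#TcpServiceGroup",
    "web": "objectRef#TcpServiceGroup",
    "cpanel": "objectRef#TcpServiceGroup",
}

# Only the tcp/udp form with any/any4/any6 or object-group addresses is parsed;
# icmp and protocol object-groups raise ValueError so nothing is silently mapped.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>tcp|udp)"
    r" (?P<src>any4?|any6|object-group \S+)(?: (?P<sport>gt|lt|eq) (?P<sval>\S+))?"
    r" (?P<dst>any4?|any6|object-group \S+)(?: (?P<dport>gt|lt|eq|object-group) (?P<dval>\S+))?$"
)
OPS = {"gt": ">", "lt": "<", "eq": ""}

def address(token, any_value="any"):
    """Map an address token to the address object from the POST body.
    A bare 'any' becomes any_value, so any_value='any4' pins the IP version
    as the reply suggests; an explicit any4/any6 is kept as written."""
    if token.startswith("any"):
        return {"kind": "AnyIPAddress", "value": any_value if token == "any" else token}
    name = token.split()[1]
    return {"kind": GROUP_KINDS[name], "objectId": name}

def service(proto, op, val):
    """Map a port qualifier to a service object. '>tcp/1023' is the form shown
    in the thread; 'tcp/ssh' for an eq qualifier is an assumption."""
    if op is None:
        return None
    if op == "object-group":
        return {"kind": GROUP_KINDS[val], "objectId": val}
    return {"kind": "TcpUdpService", "value": f"{OPS[op]}{proto}/{val}"}

def ace_from_cli(line, position, any_value="any"):
    """Return (acl_name, body) for a POST to /api/objects/extendedacls/<acl>/aces."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE form: {line!r}")
    g = m.groupdict()
    body = {"permit": g["action"] == "permit", "active": True, "position": position,
            "sourceAddress": address(g["src"], any_value),
            "destinationAddress": address(g["dst"], any_value)}
    for key, svc in (("sourceService", service(g["proto"], g["sport"], g["sval"])),
                     ("destinationService", service(g["proto"], g["dport"], g["dval"]))):
        if svc:
            body[key] = svc
    return g["acl"], body
```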