cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5110
Views
0
Helpful
9
Replies

ASA REST-API

Denis Orlov
Level 1
Level 1

Hi, all.

I have Cisco ASA 5515X with installed REST-API agent

asa# sh run | i rest
rest-api image disk0:/asa-restapi-132325-lfbff-k8.SPA
rest-api agent

Using ASDM I can successfully create copy of ACE in ACL, I mean that I can in ACL create two absolutely equal ACEs.

When I'm trying to create copy of existing ACE in the same ACL using REST API, I'm getting the following error:

stdClass Object (

[messages] => Array (

[0] => stdClass Object ( [level] => Error [code] => DUPLICATE [context] => objectId [details] => 1178952304 ) )

)

So, Is there any way to create two equal ACEs in one ACL using REST API?

2 Accepted Solutions

Accepted Solutions

I am trying to reproduce your error with the following ACE (in command line format).

 

cli.PNG

and I try to check on the GET result to see whether is look similar to yours.

before.PNG

  

It look similar! so I go ahead to reproduce your issue:

 

error.PNG

 

I got your issue now. That's look like is the BUG. Because if you are using "enhanced object groups" (wrapping services into object-group), the sourceService will be set to "ip" while the destination is objectRef#TcpUdpServiceObj. The mismatching protocol caused the error message.

 

So, if your object-group (E.g. tcp-1024-65535) contains only TCP service, you could use the following method as a workaround. You also specify the protocol value at the first time.

 

after.PNG

 

Then it will work.

 

after2.PNG

 

If your object contains multiple protocols (E.g. UDP + TCP), you can still set the PATCH like below even through it contains both TCP/UDP.

 

{
"position": 2,
"sourceService": {
"value": "tcp"
}
}

 

 

You are recommended to open a TAC case to report this bug for a fix.

View solution in original post

Yes, you absolutely right.

A must also note the following:

1) If  I create such ACE (as in my example) using ASDM, then ACE is created with "IP" as SourceService.

2) But if I create the same ACE using API, then ACE is created with "TCP" as SourceService

=)

So, you can face with this BUG only if you created you ACE ins ASDM or CLI, and after that you trying to PATCH it using API.

If you have created ACE using API all will be ok, because using API ASA modify sourceService accordinly.

View solution in original post

9 Replies 9

ngkin2010
Level 7
Level 7
>>> Using ASDM I can successfully create copy of ACE in ACL, I mean that I can in ACL create two absolutely equal ACEs.

Hello, are you sure you could create duplicate ACE? As it should not allowed on command line.

I guess ASDM was doing it by creating different object-groups; for example:

object-group network DM_INLINE_NETWORK_1
network 8.8.8.8 255.255.255.255

object-group network DM_INLINE_NETWORK_2
network 8.8.8.8 255.255.255.255

access-list ACL permit ip extended host 192.168.0.2 object-group DM_INLINE_NETWORK_1
access-list ACL permit ip extended host 192.168.0.2 object-group DM_INLINE_NETWORK_2

You may follow the same logic to do via REST API.

Yes, now I try to create duplicate ACE using CLI and get following message:

"WARNING: <anyconnect_test_api_acl> found duplicate element"

So, using CLI I also cannot create copy of existing ACE in the same ACL.

Now I try to explain why it so important for me.

I develop Web-application for our security-team to alllow our security guys manage ACLs without deep knowledge of how doing this in ASA CLI.

Security team ask me to develop feature, that allow them to reorder ACEs in ACL using web interface.

 

So, in Cisco ASA REST-API documentation there is "PATCH" method for "/api/objects/extendedacls/{aclName}/aces", and documentation exaples says, that I can modify "position" of existing ACE in ACL.

We start to use this method for ACE reordering, but faced with following problem: if ACE has different source and destination service defined (here I must to note that when I create ACE, I allways define destination service only), when I  try to use "PATCH" method for changing ACE position, I'm getting the following error:

 

string(155) "{"messages":[{"level":"Error","code":"ACCESS-SRC-DST-SERVICE-SAME-TYPE","details":"Destination Service and Source Service should have the same protocol"}]}"

 

Why Cisco imposed such restriction on API?

And is there any workaround?

P.S. Why this message was marked as spam? I wrote about things that I want to understand.  And I am not writing a lie.

Yes, now I try to create duplicate ACE using CLI and get following message:

"WARNING: <anyconnect_test_api_acl> found duplicate element"

So, using CLI I also cannot create copy of existing ACE in the same ACL.

Now I try to explain why it so important for me.

I develop Web-application for our security-team to alllow our security guys manage ACLs without deep knowledge of how doing this in ASA CLI.

Security team ask me to develop feature, that allow them to reorder ACEs in ACL using web interface.


So, in Cisco ASA REST-API documentation there is "PATCH" method for "/api/objects/extendedacls/{aclName}/aces", and documentation exaples says, that I can modify "position" of existing ACE in ACL.

We start to use this method for ACE reordering, but faced with following problem: if ACE has different source and destination service defined (here I must to note that when I create ACE, I allways define destination service only), when I try to use "PATCH" method for changing ACE position, I'm getting the following error:


"{"messages":[{"level":"Error","code":"ACCESS-SRC-DST-SERVICE-SAME-TYPE","details":"Destination Service and Source Service should have the same protocol"}]}"


Why Cisco imposed such restriction on API?

And is there any workaround?

P.S. Why this message was marked as spam? I wrote about things that I want to understand. And I am not writing a lie.

Here is example of existing ACE JSON structure:

{

"kind":"object#ExtendedACE",

"selfLink":"https://x.x.x.x/api/access/in/TP/rules/556116732",

"permit":true,

"sourceAddress":{

    "kind":"objectRef#NetworkObj",

    "refLink":"https://x.x.x.x/api/objects/networkobjects/MA_TP",

    "objectId":"MA_TP"

},

"destinationAddress":{

    "kind":"objectRef#NetworkObjGroup",

    "refLink":"https://x.x.x.x/api/objects/networkobjectgroups/ma-vnc",

    "objectId":"ma-vnc"

},

"sourceService":{

    "kind":"NetworkProtocol",

    "value":"ip"

},

"destinationService":{

    "kind":"objectRef#TcpUdpServiceObj",

    "refLink":"https://x.x.x.x/api/objects/networkservices/tcp-1024-65535",

    "objectId":"tcp-1024-65535"

},

"active":true,

"remarks":[],

"ruleLogging":{

    "logStatus":"Default",

    "logInterval":300

},

"position":2,

"isAccessRule":true,

"objectId":"556116732"

}

Now I'm trying to PATCH this ACE to renumber it. And here I get this:

Error when PATCHError when PATCH

@ngkin2010 Can you reproduce this?

I am trying to reproduce your error with the following ACE (in command line format).

 

cli.PNG

and I try to check on the GET result to see whether is look similar to yours.

before.PNG

  

It look similar! so I go ahead to reproduce your issue:

 

error.PNG

 

I got your issue now. That's look like is the BUG. Because if you are using "enhanced object groups" (wrapping services into object-group), the sourceService will be set to "ip" while the destination is objectRef#TcpUdpServiceObj. The mismatching protocol caused the error message.

 

So, if your object-group (E.g. tcp-1024-65535) contains only TCP service, you could use the following method as a workaround. You also specify the protocol value at the first time.

 

after.PNG

 

Then it will work.

 

after2.PNG

 

If your object contains multiple protocols (E.g. UDP + TCP), you can still set the PATCH like below even through it contains both TCP/UDP.

 

{
"position": 2,
"sourceService": {
"value": "tcp"
}
}

 

 

You are recommended to open a TAC case to report this bug for a fix.

Yes, you absolutely right.

A must also note the following:

1) If  I create such ACE (as in my example) using ASDM, then ACE is created with "IP" as SourceService.

2) But if I create the same ACE using API, then ACE is created with "TCP" as SourceService

=)

So, you can face with this BUG only if you created you ACE ins ASDM or CLI, and after that you trying to PATCH it using API.

If you have created ACE using API all will be ok, because using API ASA modify sourceService accordinly.

Denis Orlov
Level 1
Level 1

Yes, now I try to create duplicate ACE using CLI and get following message:

"WARNING: <anyconnect_test_api_acl> found duplicate element"

So, using CLI I also cannot create copy of existing ACE in the same ACL.

Now I try to explain why it so important for me.

I develop Web-application for our security-team to alllow our security guys manage ACLs without deep knowledge of how doing this in ASA CLI.

Security team ask me to develop feature, that allow them to reorder ACEs in ACL using web interface.


So, in Cisco ASA REST-API documentation there is "PATCH" method for "/api/objects/extendedacls/{aclName}/aces", and documentation exaples says, that I can modify "position" of existing ACE in ACL.

We start to use this method for ACE reordering, but faced with following problem: if ACE has different source and destination service defined (here I must to note that when I create ACE, I allways define destination service only), when I try to use "PATCH" method for changing ACE position, I'm getting the following error:


string(155) "{"messages":[{"level":"Error","code":"ACCESS-SRC-DST-SERVICE-SAME-TYPE","details":"Destination Service and Source Service should have the same protocol"}]}"


Why Cisco imposed such restriction on API?

And is there any workaround?

P.S. Why this message was marked as spam? I wrote about things that I want to understand. And I am not writing a lie.

Would you mind to post your JSON POST Data? E.g. What JSON did you POST to REST API for moving the position of ACE?

 

 

 

before.PNG

 

 

a.PNG

after.PNG

 

I have did a quick lab, and it works well for me. using PATCH request to swap the position as show in the figure.