Hey,
I'm playing a lot with the ASA REST-API at the moment, and just noticed some strange behaviour I would consider a bug provided I did not miss anything.
My test system is an ASAv running on ESXi without a dedicated license.
I have a simple example rule, which looks as follows in ASA CLI notation and in JSON when pulled from the ASA via REST:
access-list TEST line 24 extended deny ip any any
{
  "permit": false,
  "sourceAddress": {
    "kind": "AnyIPAddress",
    "value": "any6"
  },
  "destinationAddress": {
    "kind": "AnyIPAddress",
    "value": "any"
  },
  "sourceService": {
    "kind": "NetworkProtocol",
    "value": "ip"
  },
  "destinationService": {
    "kind": "NetworkProtocol",
    "value": "ip"
  },
  "active": true,
  "remarks": [],
  "ruleLogging": {
    "logStatus": "Default",
    "logInterval": 300
  }
}
(removed selfLink, objectID etc for shorter display)
I then took exactly that JSON the ASA gave me and sent it back via POST as a new rule of the same ACL.
I expected the ASA to reject the rule with HTTP 400 - DUPLICATE, as it usually does, but it takes the rule, because it converts the "any6" and "any" to "any4". The result looks like this:
access-list TEST line 25 extended deny ip any4 any4
{
  "permit": false,
  "sourceAddress": {
    "kind": "AnyIPAddress",
    "value": "any4"
  },
  "destinationAddress": {
    "kind": "AnyIPAddress",
    "value": "any4"
  },
  "sourceService": {
    "kind": "NetworkProtocol",
    "value": "ip"
  },
  "destinationService": {
    "kind": "NetworkProtocol",
    "value": "ip"
  },
  "active": true,
  "remarks": [],
  "ruleLogging": {
    "logStatus": "Default",
    "logInterval": 300
  }
}
Can anybody please advise on this? 
Edit: Software versions used:
Cisco Adaptive Security Appliance Software Version 9.6(2)
Device Manager Version 7.6(2)
REST API Agent Version 1.3.2
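An added example, not part of the original post and not code from Cisco's REST API agent: a client-side check in Python that you can run over the ACE JSON a GET returns before POSTing a new rule. It treats "any", "any4" and "any6" as different match sets (assumed ASA 9.x semantics: "any" covers IPv4 and IPv6, "any4" only IPv4, "any6" only IPv6), reports whether the submitted rule is an exact duplicate, already covered by a broader ACE, or genuinely new, and separately classifies the rule as the ASA stored it in the post (both keywords rewritten to "any4") so that a silent change of scope is visible. The helper names (make_ace, classify, check_before_post, rewrite_as_observed) and the sample ACL contents are constructed for this example.

```python
"""Client-side duplicate and scope check for ASA REST API ACE JSON.

Added example, not from the original post or from Cisco's REST agent.
Assumes ASA 9.x keyword semantics: "any" matches IPv4 and IPv6,
"any4" IPv4 only, "any6" IPv6 only.
"""
import copy
import json

# Address families each "any" keyword covers (assumed ASA 9.x semantics).
ANY_FAMILIES = {
    "any": frozenset({4, 6}),
    "any4": frozenset({4}),
    "any6": frozenset({6}),
}


def make_ace(permit, src, dst, proto="ip"):
    """Build an ACE in the shape the REST API returns (only the fields that matter here)."""
    return {
        "permit": permit,
        "sourceAddress": {"kind": "AnyIPAddress", "value": src},
        "destinationAddress": {"kind": "AnyIPAddress", "value": dst},
        "sourceService": {"kind": "NetworkProtocol", "value": proto},
        "destinationService": {"kind": "NetworkProtocol", "value": proto},
        "active": True,
    }


# Constructed sample: the existing ACL contents as a GET would return them,
# modelled on line 24 of the post ("deny ip any6 any").
EXISTING_ACES = [make_ace(False, "any6", "any")]


def address_key(addr):
    """Comparable key for an address field; only AnyIPAddress is family-ambiguous."""
    if addr["kind"] == "AnyIPAddress":
        if addr["value"] not in ANY_FAMILIES:
            raise ValueError("unknown any keyword: %r" % addr["value"])
        return ("any", ANY_FAMILIES[addr["value"]])
    return (addr["kind"], addr["value"])


def match_key(ace):
    """The fields that decide what an ACE matches; logging and remarks are ignored."""
    return (
        bool(ace["permit"]),
        address_key(ace["sourceAddress"]),
        address_key(ace["destinationAddress"]),
        (ace["sourceService"]["kind"], ace["sourceService"]["value"]),
        (ace["destinationService"]["kind"], ace["destinationService"]["value"]),
    )


def _addr_subset(c, e):
    """Candidate address set is contained in the existing one (literal match for non-any kinds)."""
    if c[0] == "any" and e[0] == "any":
        return c[1] <= e[1]
    return c == e


def covered_by(candidate, existing):
    """True if everything `candidate` would match, `existing` already matches
    with the same action and services."""
    ck, ek = match_key(candidate), match_key(existing)
    return (ck[0] == ek[0] and ck[3:] == ek[3:]
            and _addr_subset(ck[1], ek[1]) and _addr_subset(ck[2], ek[2]))


def classify(candidate, existing_aces):
    """'duplicate' (same match set), 'covered' (already matched by a broader ACE) or 'new'."""
    ck = match_key(candidate)
    if any(match_key(e) == ck for e in existing_aces):
        return "duplicate"
    if any(covered_by(candidate, e) for e in existing_aces):
        return "covered"
    return "new"


def rewrite_as_observed(ace):
    """Mimic what the post observed on 9.6(2): both "any" and "any6" came back as "any4"."""
    stored = copy.deepcopy(ace)
    for field in ("sourceAddress", "destinationAddress"):
        if stored[field]["kind"] == "AnyIPAddress":
            stored[field]["value"] = "any4"
    return stored


def check_before_post(candidate, existing_aces):
    """Run before POSTing: classify the rule as submitted and as the ASA stored it,
    and flag when the stored rule no longer matches the same traffic."""
    stored = rewrite_as_observed(candidate)
    return (
        classify(candidate, existing_aces),
        classify(stored, existing_aces),
        match_key(stored) != match_key(candidate),
    )


if __name__ == "__main__":
    candidate = copy.deepcopy(EXISTING_ACES[0])  # the GET result sent back unchanged
    submitted, stored, changed = check_before_post(candidate, EXISTING_ACES)
    print(json.dumps({"submitted": submitted, "stored": stored, "scope_changed": changed}))
```

For the rule in the post this returns ("duplicate", "new", True): what was submitted is an exact duplicate of line 24, while what the ASA stored as line 25 matches different traffic, which is why the 400 DUPLICATE never fired. The check is purely local and does not replace the appliance's own validation; feed it the "items" list from a GET on the ACL and refuse to POST anything that classifies as "duplicate" or "covered".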