01-03-2020 05:05 AM
I upgraded some ASA firewalls to 9.6.4(34) and (36) and I can no longer execute commands on them to retrieve info via curl. I tried adding a user agent string but that does not help. What has changed in the OS? I receive a 400 error.
01-03-2020 05:11 AM - edited 01-03-2020 05:13 AM
400 is Bad Request; what are you trying to achieve here?
You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed. Many specialty clients (for example, python libraries, curl, and wget) do not support Cross-site request forgery (CSRF) token-based authentication, so you need to specifically allow these clients to use the ASA basic authentication method. For security purposes, you should only allow required clients.
New/Modified commands: http server basic-auth-client
New/Modified screens.
Configuration > Device Management > Management Access > HTTP Non-Browser Client Support
01-03-2020 05:15 AM
I've tried:
curl.exe -s -k "https://user:password@1.1.1.1/exec/show+ver"
curl.exe -u username:password -s -k "https://user:password@1.1.1.1/exec/show+ver"
curl.exe -s -k "https://user:password@1.1.1.1/admin/exec/show+ver"
curl.exe -u username:password -s -k "https://1.1.1.1/admin/exec/show+ver"
curl.exe -u username:password -A user-agent -s -k "https://1.1.1.1/admin/exec/show+ver"
The first command in the list used to work up until 9.6.3, so what changed and why can't I retrieve the info anymore?
01-03-2020 05:17 AM
Have you enabled the option I pointed out earlier? Since you mentioned you upgraded, it may have been (not necessarily) disabled.
01-03-2020 06:11 AM
Such a great help for those of us who struggle. Thank you.
01-12-2023 06:48 AM
Per Cisco Secure Firewall ASA HTTP Interface for Automation (https://www.cisco.com/c/en/us/td/docs/security/asa/misc/http-interface/asa-http-interface.pdf):

As a fix for the https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-csrf security advisory, the ASA only accepts Basic HTTP authentication from clients with specific User-Agent headers. The default list of allowed user strings can be seen by executing the show running-config all http command:
http server basic-auth-client ASDM
http server basic-auth-client CSM
http server basic-auth-client REST API Agent
The examples in this document will set the User-Agent to ASDM and will use Basic authentication. To allow a different User-Agent string, you can add it using the http server basic-auth-client command.
Example
$ curl -k -A ASDM https://api:api@172.31.1.5/admin/config
!
ASA Version 9.12(2)9
!
hostname asa1
domain-name vik.local
enable password *** pbkdf2
passwd ** encrypted
multicast-routing
names
name 192.168.1.55 asa1.vblan.com
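An added example, not from this thread or from Cisco: a small Python audit that parses the output of show running-config all http and separates the three default basic-auth-client user agents (ASDM, CSM, REST API Agent) from any that an operator added, which is the list the release note says should be kept to required clients only. The sample config text is constructed, not taken from a real device.

```python
"""Audit the `http server basic-auth-client` allowlist of a Cisco ASA.

Added example: parses `show running-config all http` output (supplied inline
here as a constructed string) and reports user-agent strings that were added
beyond the ASA defaults (ASDM, CSM, REST API Agent).
"""
import re

# Default clients allowed for basic auth on ASA 9.6.4+ per the release notes.
DEFAULT_BASIC_AUTH_CLIENTS = frozenset({"ASDM", "CSM", "REST API Agent"})

# Matches e.g. "http server basic-auth-client REST API Agent";
# the agent string may itself contain spaces, so capture to end of line.
_CLIENT_RE = re.compile(r"^\s*http server basic-auth-client\s+(.+?)\s*$")


def parse_basic_auth_clients(config_text: str) -> list[str]:
    """Return the user-agent strings allowed for basic auth, in config order."""
    clients = []
    for line in config_text.splitlines():
        m = _CLIENT_RE.match(line)
        if m:
            clients.append(m.group(1))
    return clients


def audit_basic_auth_clients(config_text: str) -> dict[str, list[str]]:
    """Split the allowlist into ASA defaults and operator-added extras.

    Each extra is a client that may authenticate with a plain username and
    password over HTTPS instead of the CSRF token flow, so each should be
    justified and removed when no longer needed.
    """
    clients = parse_basic_auth_clients(config_text)
    defaults = [c for c in clients if c in DEFAULT_BASIC_AUTH_CLIENTS]
    extras = [c for c in clients if c not in DEFAULT_BASIC_AUTH_CLIENTS]
    return {"defaults": defaults, "extras": extras}


# Constructed sample of `show running-config all http` output (not a real device).
SAMPLE_CONFIG = """\
http server enable
http server basic-auth-client ASDM
http server basic-auth-client CSM
http server basic-auth-client REST API Agent
http server basic-auth-client curl/7.68.0
http 10.0.0.0 255.255.255.0 management
"""

if __name__ == "__main__":
    result = audit_basic_auth_clients(SAMPLE_CONFIG)
    print("default clients:", result["defaults"])
    print("added clients (review each):", result["extras"])
```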