cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3814
Views
0
Helpful
5
Replies

curl no longer working against asa 9.6.4(36)

babiojd01
Level 1
Level 1

I upgraded some ASA firewalls to 9.6.4(34) and (36) and I can no longer execute commands on them to retrieve info via curl. I tried adding a user agent string but that does not help. What has changed in the OS? I receive a 400 error.

1 Accepted Solution

Accepted Solutions

balaji.bandi
Hall of Fame
Hall of Fame

400 is bad request, what you trying to achieve here ?

 

 

You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed. Many specialty clients (for example, python libraries, curl, and wget) do not support Cross-site request forgery (CSRF) token-based authentication, so you need to specifically allow these clients to use the ASA basic authentication method. For security purposes, you should only allow required clients.

New/Modified commands: http server basic-auth-client

New/Modified screens.

Configuration > Device Management > Management Access > HTTP Non-Browser Client Support

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

400 is bad request, what you trying to achieve here ?

 

 

You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed. Many specialty clients (for example, python libraries, curl, and wget) do not support Cross-site request forgery (CSRF) token-based authentication, so you need to specifically allow these clients to use the ASA basic authentication method. For security purposes, you should only allow required clients.

New/Modified commands: http server basic-auth-client

New/Modified screens.

Configuration > Device Management > Management Access > HTTP Non-Browser Client Support

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Ive tried

curl.exe -s -k "https://user:password@1.1.1.1/exec/show+ver"

curl.exe -u username:password -s -k "https://user:password@1.1.1.1/exec/show+ver"

curl.exe -s -k "https://user:password@1.1.1.1/admin/exec/show+ver"

curl.exe -u username:password -s -k "https://1.1.1.1/admin/exec/show+ver"

curl.exe -u username:password -A user-agent -s -k "https://1.1.1.1/admin/exec/show+ver"

 

The first command in the list used to work up until 9.6.3 so what changed and why can't i retrieve the info anymore?

have you enabled the option i have pointed out earlier, since you mentioned you upgrade, may be (not necessary) disabled.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Such a great help for those of us who struggle.Thank you.

Gang Ma
Level 1
Level 1

Per Cisco Secure Firewall ASA HTTP Interface for Automation

https://www.cisco.com/c/en/us/td/docs/security/asa/misc/http-interface/asa-http-interface.pdf

As a fix https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-csrf
security advisory, the ASA only accepts Basic HTTP authentication from clients with specific User-Agent
headers. The default list of allowed user strings can be seen by executing show running-config all http
command:
http server basic-auth-client ASDM
http server basic-auth-client CSM
http server basic-auth-client REST API Agent
The examples in this document will set the User-Agent to ASDM and will use Basic authentication. To allow
a different User-Agent string, you can add it using the http server basic-auth-client command.

 

Example
$ curl -k -A ASDM https://api:api@172.31.1.5/admin/config
!
ASA Version 9.12(2)9
!
hostname asa1
domain-name vik.local
enable password *** pbkdf2
passwd ** encrypted
multicast-routing
names
name 192.168.1.55 asa1.vblan.com

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: