In part I of "Script an ASDM Session", we looked at how to MiTM an ASDM session in order to understand how to leverage the ASDM web interface for our own automation needs. In this article, I will dissect a small python app that I wrote demonstrating how to script against the ASDM interface.
Disclaimer: Look, I'm a hacker. I hack away at code to get what I need done. My code isn't necessarily pretty, but I try and follow PEP8 style guide standards.
In the repo, you will find a sample asdm library. I wrote this to be simplistic and readable. One would likely want to make this a little fancier, but for educational purposes, I intentionally made it simple.
Some things to note
This article assumes a basic knowledge of python. While it's python centric, the strategies used here could be employed in any programming language with HTTP/HTTPS capabilities.
In part I of "Script an ASDM Session", we saw that by using a MiTM packet capture, we could extract the payload of virtually any command issued by an asdm session. Armed with that knowledge, we can reconstruct asdm calls in our own code.
So, a simple example consuming this method might look like this:
from asdm import ASDM # The sample asdm library from the repo (module name assumed here)
asdm_username = 'cisco' # Set your credentials
asdm_password = 'sanfran' # Set your credentials
asa_ip = '172.16.127.127' # The IP address the asdm interface is listening on
asdm_port = 8443 # The port the asdm interface is listening on
asdm = ASDM() # Create an instance of the ASDM class
asdm.set_credentials(asdm_username, asdm_password) # Set your ASDM credentials
asdm.set_asdm_endpoint(asa_ip, asdm_port) # Set management IP and port the ASDM service is listening on
asdm.set_headers() # Set the auth and content headers
asdm.set_ssl_insecure() # turn off ssl certificate validation (testing only!)
asdm.set_ptrace_data('126.96.36.199', '188.8.131.52', 22) # testing an ssh attempt from the Internet to the host
asdm.asdm_call() # execute the packet-tracer
print("From 184.108.40.206 to tcp port 22 result = " + str(asdm.action)) # string concatenation uses +, not .
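As an added example (not the repo's asdm library), here is a minimal client that assembles the same pieces the script above sets, basic-auth headers, the HTTPS endpoint and an optional certificate-check bypass, and then parses the verdict out of a packet-tracer reply. The /admin/exec/ path, the User-Agent value, the command encoding and the sample reply are assumptions, not captured from a device.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import quote


class ASDMPacketTracer:
    """Hypothetical ASDM packet-tracer client (not the repo's asdm library)."""

    EXEC_PATH = "/admin/exec/"  # Assumed: CLI exec endpoint used by ASDM

    def __init__(self, host, port, username, password, verify_tls=True):
        self.base_url = f"https://{host}:{port}{self.EXEC_PATH}"
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        # Assumed header set: HTTP basic auth plus an ASDM-style User-Agent
        self.headers = {"Authorization": f"Basic {token}", "User-Agent": "ASDM/ Java/1.8"}
        self.ssl_ctx = ssl.create_default_context()
        if not verify_tls:  # testing only: disables certificate validation
            self.ssl_ctx.check_hostname = False
            self.ssl_ctx.verify_mode = ssl.CERT_NONE

    def build_url(self, src_ip, dst_ip, dst_port, iface="outside", proto="tcp", src_port=1025):
        """Encode a 'packet-tracer ... xml' command as one URL path segment."""
        cmd = f"packet-tracer input {iface} {proto} {src_ip} {src_port} {dst_ip} {dst_port} xml"
        return self.base_url + quote(cmd, safe="")

    def run(self, src_ip, dst_ip, dst_port):
        """Issue the request over HTTPS and return the parsed verdict."""
        req = urllib.request.Request(self.build_url(src_ip, dst_ip, dst_port), headers=self.headers)
        with urllib.request.urlopen(req, context=self.ssl_ctx) as resp:
            return parse_packet_tracer(resp.read().decode())


def parse_packet_tracer(body):
    """Extract action, drop reason and per-phase results from the xml-ish reply (no single root)."""
    root = ET.fromstring(f"<root>{body}</root>")
    result = root.find("result")
    return {
        "action": result.findtext("action", "").strip(),
        "drop_reason": result.findtext("drop-reason", "").strip(),
        "phases": [(p.findtext("type"), p.findtext("result")) for p in root.findall("Phase")],
    }


# Constructed sample reply in the shape of 'packet-tracer ... xml' output (not from a real device)
SAMPLE_REPLY = """<Phase><id>1</id><type>ROUTE-LOOKUP</type><result>ALLOW</result></Phase>
<Phase><id>2</id><type>ACCESS-LIST</type><result>DROP</result></Phase>
<result><input-interface>outside</input-interface><output-interface>inside</output-interface>
<action>drop</action><drop-reason>(acl-drop) Flow is denied by configured rule</drop-reason></result>"""

if __name__ == "__main__":
    tracer = ASDMPacketTracer("192.0.2.1", 8443, "cisco", "sanfran", verify_tls=False)
    print(tracer.build_url("198.51.100.7", "192.0.2.10", 22))
    print(parse_packet_tracer(SAMPLE_REPLY))
```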
So, hopefully, this blog post and the github code have left the reader with enough breadcrumbs to begin constructing their own asdm interface calls. The next logical steps would be to interface this with something like Ansible and/or to construct your own API that provides simple REST interfaces to the asdm "xml-ish" interface.