In part I of "Script an ASDM Session", we looked at how to MiTM an ASDM session in order to understand how to leverage the ASDM web interface for our own automation needs. In this article, I will dissect a small python app that I wrote demonstrating how to script against the ASDM interface.
Disclaimer: Look, I'm a hacker. I hack away at code to get what I need done. My code isn't necessarily pretty, but I try to follow the PEP8 style guide.
In the repo, you will find a sample asdm library. I wrote this to be simplistic and readable. One would likely want to make this a little fancier, but for educational purposes, I intentionally made it simple.
Some things to note
This article assumes a basic knowledge of python. While it's python centric, the strategies used here could be employed in any programming language with HTTP/HTTPS capabilities.
In part I of "Script an ASDM Session", we saw that by using a MiTM packet capture, we could extract the payload of virtually any command issued by an ASDM session. Armed with that knowledge, we can reconstruct ASDM calls in our own code.
So, a simple example consuming this method might look like this:
from asdm import ASDM # Import the sample asdm library from the repo (module name assumed)
asdm_username = 'cisco' # Set your credentials
asdm_password = 'sanfran' # Set your credentials
asa_ip = '172.16.127.127' # The IP address the asdm interface is listening on
asdm_port = 8443 # The port the asdm interface is listening on
asdm = ASDM() # Create an instance of the ASDM class
asdm.set_credentials(asdm_username, asdm_password) # Set your ASDM credentials
asdm.set_asdm_endpoint(asa_ip, asdm_port) # Set management IP and port the ASDM service is listening on
asdm.set_headers() # Set the auth and content headers
asdm.set_ssl_insecure() # turn off ssl certificate validation (testing only!)
asdm.set_ptrace_data('126.96.36.199', '188.8.131.52', 22) # testing an ssh attempt from the Internet to the host
asdm.asdm_call() # execute the packet-tracer
print("From 184.108.40.206 to tcp port 22 result = " + str(asdm.action)) # concatenate with '+' ('.' is PHP, not Python)
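To make the moving parts behind those method calls concrete, here is an added sketch of what such a client looks like internally. It is example code written for this article, not the library from the repo, and several details are assumptions rather than facts from the page: the `/admin/exec/` URL path, the `User-Agent` value the ASA expects, and the shape of the packet-tracer XML (a run of `<Phase>` elements followed by a `<result>` block); the sample response is constructed. It does show the pieces that the MiTM capture in part I let us recover: the Basic-auth header, the URL-encoded CLI command, the TLS context (verifying by default, with the insecure option clearly marked), and a parser that pulls `action` and `drop-reason` out of the reply while rejecting malformed addresses and ports before they are spliced into a command string.

```python
"""Hypothetical ASDM-style client, added as an example; not the post's own library."""
import base64
import ipaddress
import re
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


class ASDMClient:
    """Builds and issues ASDM-style HTTPS requests against an ASA.

    Assumptions (not stated on the page): CLI commands are accepted under the
    /admin/exec/ path, and the ASA expects a User-Agent that contains 'ASDM'.
    """

    def __init__(self):
        self.username = self.password = None
        self.host = self.port = None
        self.headers = {}
        self.command = None
        self.context = ssl.create_default_context()  # verifies the ASA cert by default
        self.action = self.drop_reason = None

    def set_credentials(self, username, password):
        self.username, self.password = username, password

    def set_asdm_endpoint(self, host, port=443):
        self.host, self.port = host, int(port)

    def set_headers(self):
        # ASDM authenticates with HTTP Basic; the User-Agent check is an assumption.
        token = base64.b64encode(f"{self.username}:{self.password}".encode()).decode()
        self.headers = {
            "Authorization": "Basic " + token,
            "User-Agent": "ASDM/ Java/1.8",
            "Content-Type": "text/xml",
        }
        return self.headers

    def set_ssl_insecure(self):
        # Testing only: skips certificate validation, the very weakness the MiTM
        # capture in part I relied on. In production keep the default context and
        # trust the ASA's certificate via context.load_verify_locations().
        self.context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        self.context.check_hostname = False
        self.context.verify_mode = ssl.CERT_NONE

    def set_ptrace_data(self, src_ip, dst_ip, dst_port, ingress="outside", src_port=12345):
        # Validate every field before it is spliced into a CLI string.
        ipaddress.ip_address(src_ip)
        ipaddress.ip_address(dst_ip)
        if not 0 < int(dst_port) < 65536:
            raise ValueError("bad destination port")
        if not ingress.replace("-", "").replace("_", "").isalnum():
            raise ValueError("bad interface name")
        # ASA CLI syntax: packet-tracer input <if> tcp <src> <sport> <dst> <dport> xml
        self.command = (f"packet-tracer input {ingress} tcp {src_ip} {src_port} "
                        f"{dst_ip} {int(dst_port)} xml")
        return self.command

    def build_url(self):
        # The command rides in the URL path, so it must be percent-encoded.
        return f"https://{self.host}:{self.port}/admin/exec/{urllib.parse.quote(self.command)}"

    def asdm_call(self, timeout=10):
        req = urllib.request.Request(self.build_url(), headers=self.headers)
        with urllib.request.urlopen(req, context=self.context, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
        self.action, self.drop_reason = parse_ptrace_result(body)
        return self.action


def parse_ptrace_result(body):
    """Return (action, drop_reason) from packet-tracer XML output.

    The output has no single root (several <Phase> elements, then <result>),
    so it is wrapped before parsing; a stray XML declaration is stripped first.
    """
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", body)
    root = ET.fromstring("<root>" + body + "</root>")
    result = root.find("result")  # direct child only; ignores <result> inside <Phase>
    if result is None:
        raise ValueError("no <result> element in packet-tracer output")
    reason = result.findtext("drop-reason")
    return result.findtext("action"), (reason.strip() if reason else None)


# Constructed sample reply in the assumed packet-tracer XML shape.
SAMPLE_RESPONSE = """<Phase>
<id>1</id><type>ACCESS-LIST</type><subtype>log</subtype><result>DROP</result>
<config>access-list outside_in extended deny ip any any</config>
</Phase>
<result>
<input-interface>outside</input-interface><output-interface>dmz</output-interface>
<action>drop</action>
<drop-reason>(acl-drop) Flow is denied by configured rule</drop-reason>
</result>"""
```

Running the class against a live ASA is a matter of calling the same sequence the post's snippet uses (`set_credentials`, `set_asdm_endpoint`, `set_headers`, `set_ptrace_data`, `asdm_call`); the parser can be exercised offline with `parse_ptrace_result(SAMPLE_RESPONSE)`, which yields `('drop', '(acl-drop) Flow is denied by configured rule')`. Keeping the command-building and parsing separate from the network call is what makes the client testable without a device.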
So, hopefully, this blog post and the GitHub code have left the reader with enough breadcrumbs to begin constructing their own ASDM interface calls. The next logical steps would be to interface this with something like Ansible and/or to construct your own API that provides simple REST interfaces to the ASDM "xml-ish" interface.