02-27-2020 12:00 PM
I'm attempting to use the ASA REST API to programmatically configure a few hundred firewalls that already have ACLs configured on them. The ACLs are similar to the following:
access-list IN extended permit tcp any gt 1023 object-group internal eq ssh
access-list IN extended permit tcp any gt 1023 object-group internal object-group cpanel
access-list IN extended permit icmp any any time-exceeded
access-list IN extended permit ip object-group full-access object-group internal
access-list IN extended permit object-group tcp-udp any object-group internal eq domain
access-list IN extended permit tcp any gt 1023 object-group internal object-group web
access-list IN extended permit tcp any gt 1023 object-group internal object-group ftp
The problem is modifying or adding an ACE that's similar to the aforementioned list using the REST API:
POST to {"url":"/api/objects/extendedacls/IN/aces"}
{
  "permit": true,
  "sourceAddress": { "kind": "AnyIPAddress", "value": "any" },
  "destinationAddress": { "kind": "objectRef#NetworkObjGroup", "objectId": "internal" },
  "sourceService": { "kind": "TcpUdpService", "value": ">tcp/1023" },
  "destinationService": { "kind": "objectRef#TcpServiceGroup", "objectId": "ftp" },
  "active": true,
  "position": 8
}
This returns:
{
  "messages": [
    {
      "level": "Error",
      "code": "ACCESS-SRC-DST-SAME-IP-VER",
      "details": "Source and Destination addresses should be of the same IP version."
    }
  ]
}
If I change 'objectRef#NetworkObjGroup' to 'object#NetworkObjGroup' to match what I get back when I look up network object groups via the API:
{
  "kind": "object#NetworkObjGroup",
  "name": "internal",
  "description": "",
  "objectId": "internal"
}
I get this error:
{
  "messages": [
    {
      "level": "Error",
      "code": "JSON-MAPPING-ERROR",
      "context": "destinationAddress",
      "details": "object#NetworkObjGroup- object 'internal' not found"
    }
  ]
}
Any help would be greatly appreciated.
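As an added example (not the poster's code or Cisco's), the following builds the ACE POST body shown above from the "access-list ... extended" lines, so a few hundred firewalls can be driven from their existing config. The JSON field names and "kind" values mirror the question's payload; using "any4" in place of "any" follows the suggestion in the reply further down, and the ">tcp/1023" port syntax is copied from the question, so both are assumptions. Only tcp/udp/ip ACEs with any or object-group addresses are handled; anything else raises ValueError rather than guessing.

```python
# Added example, not the poster's code: build ASA REST API ACE payloads from
# 'access-list NAME extended ...' lines, mirroring the question's POST body.
# Assumptions: "any4" for "any" (per the reply) and the ">tcp/1023" port syntax.

def _address(tokens):
    """Consume one address spec; return (json, remaining tokens)."""
    head = tokens[0] if tokens else ""
    if head in ("any", "any4", "any6"):
        # 'any' spans both IP versions; 'any4' keeps src and dst versions equal.
        value = "any4" if head == "any" else head
        return {"kind": "AnyIPAddress", "value": value}, tokens[1:]
    if head == "object-group" and len(tokens) > 1:
        return {"kind": "objectRef#NetworkObjGroup", "objectId": tokens[1]}, tokens[2:]
    raise ValueError(f"unsupported address spec: {' '.join(tokens[:2])!r}")

def _service(tokens, proto, allow_group):
    """Consume an optional port spec: eq/gt, or object-group on the dst side."""
    if len(tokens) < 2 or proto == "ip":
        return None, tokens
    op, arg = tokens[0], tokens[1]
    if op in ("eq", "gt"):  # 'gt' uses the '>proto/port' form from the question
        prefix = ">" if op == "gt" else ""
        return {"kind": "TcpUdpService", "value": f"{prefix}{proto}/{arg}"}, tokens[2:]
    if op == "object-group" and allow_group and proto == "tcp":
        return {"kind": "objectRef#TcpServiceGroup", "objectId": arg}, tokens[2:]
    return None, tokens

def ace_payload(line, position):
    """Return (endpoint, payload) for one 'access-list NAME extended ...' line."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line!r}")
    name, action, proto = t[1], t[3], t[4]
    if action not in ("permit", "deny") or proto not in ("tcp", "udp", "ip"):
        raise ValueError(f"unsupported action/protocol: {action} {proto}")
    src, rest = _address(t[5:])
    src_svc, rest = _service(rest, proto, allow_group=False)
    dst, rest = _address(rest)
    dst_svc, rest = _service(rest, proto, allow_group=True)
    if rest:
        raise ValueError(f"unparsed tokens: {' '.join(rest)!r}")
    payload = {"permit": action == "permit", "sourceAddress": src, "destinationAddress": dst,
               "sourceService": src_svc, "destinationService": dst_svc,
               "active": True, "position": position}
    return f"/api/objects/extendedacls/{name}/aces", {k: v for k, v in payload.items() if v is not None}

def api_errors(response_json):
    """Return 'CODE: details' for each Error-level message in an ASA reply."""
    msgs = response_json.get("messages", [])
    return [f"{m['code']}: {m['details']}" for m in msgs if m.get("level") == "Error"]
```

Feed the result of api_errors() back into the loop so a rejected ACE (such as the ACCESS-SRC-DST-SAME-IP-VER reply above) stops the run for that firewall instead of silently leaving a gap in the ACL.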
04-29-2020 03:13 PM
Could this error be because you used "any", which means IPv4 or IPv6, rather than "any4"?
"Source and Destination addresses should be of the same IP version."