Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1270
Views
0
Helpful
2
Replies

ASA REST API ACE with Object Groups

ncappelletti
Level 1
Level 1

‎02-27-2020 12:00 PM

I'm attempting to use the ASA REST API to programmatically configure a few hundred firewalls that already have ACL's configured on them. The ACL's are similar to the following:

access-list IN extended permit tcp any gt 1023 object-group internal eq ssh
access-list IN extended permit tcp any gt 1023 object-group internal object-group cpanel
access-list IN extended permit icmp any any time-exceeded
access-list IN extended permit ip object-group full-access object-group internal
access-list IN extended permit object-group tcp-udp any object-group internal eq domain
access-list IN extended permit tcp any gt 1023 object-group internal object-group web
access-list IN extended permit tcp any gt 1023 object-group internal object-group ftp

The problem is modifying or adding an ACE that's similar to the aforementioned list using the REST API:

POST to "{"url":"/api/objects/extendedacls/IN/aces"}"
{
  "permit": true,
  "sourceAddress": {
    "kind": "AnyIPAddress",
    "value": "any"
  },
  "destinationAddress": {
    "kind": "objectRef#NetworkObjGroup",
    "objectId": "internal"
  },
  "sourceService": {
    "kind": "TcpUdpService",
    "value": ">tcp/1023"
  },
  "destinationService": {
    "kind": "objectRef#TcpServiceGroup",
    "objectId": "ftp"
  },
  "active": true,
  "position": 8
}

This returns:

{
  "messages": [
    {
      "level": "Error",
      "code": "ACCESS-SRC-DST-SAME-IP-VER",
      "details": "Source and Destination addresses should be of the same IP version."
    }
  ]
}

If I change 'objectRef#NetworkObjGroup' to 'object#NetworkObjGroup' to match what I return when I lookup network object groups via the API:

{
  "kind": "object#NetworkObjGroup",
  "name": "internal",
  "description": "",
  "objectId": "internal"
}

I get this error:

{
  "messages": [
    {
      "level": "Error",
      "code": "JSON-MAPPING-ERROR",
      "context": "destinationAddress",
      "details": "object#NetworkObjGroup- object 'internal' not found"
    }
  ]
}

Any help would be greatly appreciated.

0 Helpful
2 Replies 2

Manoj Papisetty
Cisco Employee
Cisco Employee

‎04-16-2020 09:44 PM

I dont have a setup ready right now, but can you quickly check what you see on the debugs when you push this config?
debug rest-api
Since the CLI command works, no reason why API doesnt. And if it doesnt, it has to be filed as a defect.
0 Helpful

grant.maynard
Level 4
Level 4

‎04-29-2020 03:13 PM

Could this error be because you used "any", which means ipv4 or ipv6, rather than "any4" ?

"Source and Destination addresses should be of the same IP version."

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents