on 06-17-2020 08:05 AM
We suppose that you already have a linux workstation with an Ansible client installed on it. If not, you can follow this tutorial .
Ansible sends commands over SSH as if it emulates a terminal / CLI. You don't need to activate Rest API, ASDM or to connect your firewall to the FMC to manage it with Ansible.
The configuration of the ASA is as follows :
# show version
Cisco Adaptive Security Appliance Software Version 9.9(2)
# show module sfr details
Getting details from the Service Module, please wait...
...
Card Type: FirePOWER Services Software Module
Model: ASA5506
...
Software version: 6.2.3-83
As the ASA 5506 is end of sales, there are many restrictions :
We could migrate to FTD (6.2.3.15 or below) but we lose anyconnect licenses which are included in the classical ASA and we won't have access to prefilter policy because they require FTD 6.3 or over.
In our configuration, we will only manage the core ASA with Ansible and not the SFR module. To manage the SFR module, we have to either connect it to a FMC or to manage it manually using ASDM. At the moment, we do the later...
When managing devices with Ansible, we systematically use SSH key authentication rather than Login/Password. It's bit safer but, above all, it's simpler to configure.
Our terminal is running on an ubuntu distribution. We generate a key pair for the ASA on a bash shell terminal :
user@ubuntu:~/.ssh$ ssh-keygen -t rsa -b 2048 -C admin@asa5506
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): adminasa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in adminasa.
Your public key has been saved in adminasa.pub.
We suspect that the key file name must not contain underscore "_" character.
We create the username and register the public key on the ASA5506 :
asa(config)# username adminasa password ADMINASA privilege 15
asa(config)# username adminasa attributes
asa(config-username)# ssh authentication publickey FDDDTRF54FDQZERE...
Ansible won't work if the user is not automatically enabled when it connects to the firewall. So, we auto-enable:
adelasa(config)# aaa authorization exec LOCAL auto-enable
In this example, we manage our Ansible entities using a basic hosts inventory text file. We add the following line in the file :
asa_hostname ansible_network_os=asa ansible_ssh_user=adminasa ansible_private_key_file=/home/user/.ssh/adminasa
<asa_hostname> is the name of the host (DNS, IP...).
On our Linux workstation, we create an ansible file for your ASA (asaconfig.yml) and put the following lines into it :
---
- name: configure asa5506
hosts: ASA_HOSTNAME
connection: network_cli
gather_facts: no
become: yes
become_method: enable
tasks:
- name: "Show the ASA version"
asa_command:
commands:
- show version
...
We run this file against our ASA :
$ ansible-playbook -i hosts asaconfig.yml
PLAY [configure ASA_HOSTNAME] **********************************************************************************************
TASK [Show the ASA version] *******************************************************************************************
ok: [ASA_HOSTNAME]
PLAY RECAP ************************************************************************************************************
ASA_HOSTNAME : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
There are four Ansible modules to configure ASA :
- asa_command lets you run any command on an ASA
- asa_config lets you write into the asa_config file
- asa_og lets you define objects in your ASA configuration
- asa_acl lets you define ACL
We can configure the ASA OS this way. But we can't configure the SFR module. To configure the SFR module this way, we have to register the ASA to a FMC and manage the FMC using Ansible. Another solution consists in migrating to FTD to use Ansible FTD modules. Configuring FTD requires that you migrate your ASA to FTD and that you activate FTD Rest API. We provide a migration guide here.
Thanks very much for the article. I have tried for several hours to get an ASA to enter enable mode and the error returned is simply "msg": "MODULE FAILURE". As you note, Ansible works fine when you have the "aaa authorization . . . " command enabled.
However, local security is not happy with that command. Oh well. Have you contacted anyone at Ansible / Red Hat who has confirmed that this is the only way to configure an ASA? Are we both missing something?
Also, why do you have the "become" and "become_method" Ansible commands in your playbook? They don't seem to have any affect.
Thanks again for the post, I've scoured the internet trying to find out why I couldn't get the ASA to enter enable mode.
Steve
@SteveJennings8788thank you for your comment. You raise a good point. become and become_method doesn't make sense in an ASA context. They probably don't do anything.
Looking at the source code of ansible https://github.com/ansible/ansible/tree/devel/lib/ansible/plugins/become I have the feeling that there are default become methods and that you can overwrite them with custom ones. In the runas file, you can see that it redirects you to winrm connection plugin for instance. A solution to the problem could be to develop the enable, drawing on the existing methods, runas and sudo.
Setting auto_enable = true weakens local security as you mention. I don't really know how bad it is. We may ask a cisco security specialist if it's reasonable or not.
Hello,
Have you done a playbook (outside of Roles) that configured a Object NAT or Manual NAT?
Hi
When you create your vars: file for your group of firewalls, you need to have the following to bypass the enable password:
ansible_connection: ansible.netcommon.network_cli
ansible_network_os: cisco.asa.asa
ansible_user: <priv-15-username>
ansible_password: <priv-15-password>
ansible_authorize: yes
ansible_auth_pass: <enable-password>
Hope this helps
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: