mikael.dautrey
Spotlight

How to manage an ASA 5506 with Ansible

Ansible client

We assume that you already have a Linux workstation with an Ansible client installed on it. If not, you can follow this tutorial.

ASA version

Ansible sends commands over SSH, emulating a terminal (CLI) session. You don't need to activate the REST API or ASDM, or to connect your firewall to the FMC, to manage it with Ansible.

 

The configuration of the ASA is as follows:

 

# show version
Cisco Adaptive Security Appliance Software Version 9.9(2)
# show module sfr details 
Getting details from the Service Module, please wait...
...
Card Type: FirePOWER Services Software Module
Model: ASA5506
...
Software version: 6.2.3-83

 

As the ASA 5506 is end of sale, there are many restrictions:

  • The REST API is not compatible with the Firepower service on the ASA 5506 (more here)
  • ASA OS version 9.13+ is not compatible with the Firepower service on the ASA 5506, and the latest version of the Firepower service module for the ASA 5506 is 6.2.3 (more here)

We could migrate to FTD (6.2.3.15 or below), but we would lose the AnyConnect licenses, which are included in the classical ASA, and we wouldn't have access to prefilter policies because they require FTD 6.3 or later.

 

In our configuration, we only manage the core ASA with Ansible, not the SFR module. To manage the SFR module, we have to either connect it to an FMC or manage it manually using ASDM. At the moment, we do the latter.

Authentication

When managing devices with Ansible, we systematically use SSH key authentication rather than login/password. It's a bit safer but, above all, it's simpler to configure.

 

Our terminal is running on an Ubuntu distribution. We generate a key pair for the ASA in a bash shell:

 

user@ubuntu:~/.ssh$ ssh-keygen -t rsa -b 2048 -C admin@asa5506
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): adminasa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in adminasa.
Your public key has been saved in adminasa.pub.

 

We suspect that the key file name must not contain the underscore ("_") character.

 

We create the username and register the public key on the ASA 5506:

asa(config)# username adminasa password ADMINASA privilege 15
asa(config)# username adminasa attributes
asa(config-username)# ssh authentication publickey FDDDTRF54FDQZERE...

Ansible won't work unless the user is automatically placed in enable mode when it connects to the firewall, so we turn on auto-enable:

 

adelasa(config)# aaa authorization exec LOCAL auto-enable
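
The steps above leave a privilege-15 account that is enabled at login. As an added example (not part of the original article, and not Cisco or Ansible code), this offline check reads a saved running-config text and reports, for each privilege-15 local account, whether auto-enable applies and whether the account has a password and a registered public key. It assumes the `username ... privilege N`, `username ... attributes` and `aaa authorization exec LOCAL auto-enable` line forms shown above; the sample configuration and the result field names are constructed for this example.

```python
# Constructed sample in the article's command style; hash and key values are placeholders.
SAMPLE_CONFIG = """\
username adminasa password <hash-placeholder> privilege 15
username adminasa attributes
 ssh authentication publickey <key-placeholder>
username helpdesk password <hash-placeholder> privilege 5
username backup password <hash-placeholder> privilege 15
aaa authorization exec LOCAL auto-enable
"""

def parse_local_users(config):
    """Return {name: {"privilege", "has_password", "has_public_key"}} from config text."""
    users, current = {}, None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if not raw[0].isspace():
            current = None  # a non-indented line leaves the "attributes" sub-mode
        if tokens[0] == "username" and len(tokens) >= 3:
            user = users.setdefault(tokens[1], {
                "privilege": None, "has_password": False, "has_public_key": False})
            if tokens[2] == "attributes":
                current = user
                continue
            user["has_password"] |= "password" in tokens[2:]
            if "privilege" in tokens[2:-1]:
                level = tokens[tokens.index("privilege", 2) + 1]
                user["privilege"] = int(level) if level.isdigit() else None
        elif current is not None and tokens[:3] == ["ssh", "authentication", "publickey"]:
            current["has_public_key"] = True
    return users

def audit_auto_enable(config):
    """Report each privilege-15 local account and what auto-enable means for it."""
    auto_enable = any(
        line.split() == ["aaa", "authorization", "exec", "LOCAL", "auto-enable"]
        for line in config.splitlines())
    findings = []
    for name, user in sorted(parse_local_users(config).items()):
        if user["privilege"] == 15:
            findings.append({
                "user": name,
                "enters_privileged_exec_at_login": auto_enable,
                # Assumption: the device accepts password logins for this account.
                "password_alone_reaches_priv15": auto_enable and user["has_password"],
                "has_public_key": user["has_public_key"],
            })
    return findings
```

Calling `audit_auto_enable(SAMPLE_CONFIG)` returns one entry per privilege-15 account; an account with a password but no public key is the one to review first.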

Adding the ASA to our Ansible inventory file

In this example, we manage our Ansible entities using a basic hosts inventory text file. We add the following line to the file:

asa_hostname ansible_network_os=asa ansible_ssh_user=adminasa ansible_private_key_file=/home/user/.ssh/adminasa

<asa_hostname> is the name of the host (DNS, IP...).

 

Creating our first Ansible ASA configuration script

 

On our Linux workstation, we create an Ansible playbook for our ASA (asaconfig.yml) and put the following lines into it:

  

---
- name: configure asa5506
  hosts: ASA_HOSTNAME
  connection: network_cli
  gather_facts: no
  become: yes
  become_method: enable
  tasks:
    - name: "Show the ASA version"
      asa_command:
        commands:
          - show version
...

 

We run this file against our ASA:

 $ ansible-playbook -i hosts asaconfig.yml
PLAY [configure ASA_HOSTNAME] **********************************************************************************************
TASK [Show the ASA version] *******************************************************************************************
ok: [ASA_HOSTNAME]
PLAY RECAP ************************************************************************************************************
ASA_HOSTNAME : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Ansible ASA modules

There are four Ansible modules to configure an ASA:

- asa_command lets you run any command on an ASA

- asa_config lets you write into the ASA configuration

- asa_og lets you define objects in your ASA configuration

- asa_acl lets you define ACLs

Final thoughts

We can configure the ASA OS this way, but we can't configure the SFR module. To configure the SFR module with Ansible, we have to register the ASA to an FMC and manage the FMC using Ansible. Another solution consists of migrating to FTD to use the Ansible FTD modules. Configuring FTD requires that you migrate your ASA to FTD and that you activate the FTD REST API. We provide a migration guide here.

Comments

Thanks very much for the article. I have tried for several hours to get an ASA to enter enable mode and the error returned is simply "msg": "MODULE FAILURE". As you note, Ansible works fine when you have the "aaa authorization . . . " command enabled. 

 

However, local security is not happy with that command. Oh well. Have you contacted anyone at Ansible / Red Hat who has confirmed that this is the only way to configure an ASA? Are we both missing something?


Also, why do you have the "become" and "become_method" Ansible commands in your playbook? They don't seem to have any effect.

 

Thanks again for the post, I've scoured the internet trying to find out why I couldn't get the ASA to enter enable mode.

 

Steve

mikael.dautrey
Spotlight

@SteveJennings8788 thank you for your comment. You raise a good point. become and become_method don't make sense in an ASA context. They probably don't do anything.

 

Looking at the source code of ansible https://github.com/ansible/ansible/tree/devel/lib/ansible/plugins/become I have the feeling that there are default become methods and that you can overwrite them with custom ones. In the runas file, you can see that it redirects you to winrm connection plugin for instance. A solution to the problem could be to develop the enable, drawing on the existing methods, runas and sudo.

 

Setting auto_enable = true weakens local security as you mention. I don't really know how bad it is. We may ask a Cisco security specialist if it's reasonable or not.

 

JesseSmith8517
Level 1

Hello,

Have you done a playbook (outside of Roles) that configured an Object NAT or Manual NAT?

SteveGillard
Level 1

Hi

When you create your vars: file for your group of firewalls, you need to have the following to bypass the enable password:

 

ansible_connection: ansible.netcommon.network_cli
ansible_network_os: cisco.asa.asa
ansible_user: <priv-15-username>
ansible_password: <priv-15-password>
ansible_authorize: yes
ansible_auth_pass: <enable-password>

 

Hope this helps
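
The vars file in the comment above carries the login and enable passwords as Ansible variables. As an added example (not part of the thread, and not Ansible project code), this check flags such variables when their value is stored as a literal rather than as a `!vault` value or a template reference. The sample vars text, the sample inventory line and the `vault_asa_enable` variable name are constructed for illustration.

```python
import re

# Secret-bearing Ansible variables: the two from the vars file above plus
# ansible_ssh_pass and ansible_become_password, which serve the same role.
SECRET_KEYS = {"ansible_password", "ansible_auth_pass",
               "ansible_ssh_pass", "ansible_become_password"}

# Constructed samples: a YAML vars file and an INI inventory line.
SAMPLE_VARS = """\
ansible_connection: ansible.netcommon.network_cli
ansible_network_os: cisco.asa.asa
ansible_user: adminasa
ansible_password: "constructed-cleartext"
ansible_authorize: yes
ansible_auth_pass: "{{ vault_asa_enable }}"
"""
SAMPLE_INI = "asa_hostname ansible_ssh_user=adminasa ansible_ssh_pass=constructed\n"

def plaintext_secrets(text):
    """Return (line_number, variable) for each secret stored as a literal value."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if re.match(r"[\w.]+:(\s|$)", stripped):   # YAML "key: value"
            key, _, value = stripped.partition(":")
            pairs = [(key, value)]
        else:                                       # INI "host key=value key=value"
            pairs = [tok.split("=", 1) for tok in stripped.split() if "=" in tok]
        for key, value in pairs:
            value = value.strip().strip("'\"")
            # Vault-encrypted values and template references are not literals.
            protected = value.startswith("!vault") or "{{" in value
            if key.strip() in SECRET_KEYS and value and not protected:
                hits.append((number, key.strip()))
    return hits
```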
