
[cisco.asa.asa.acls] Error on ACL with object-group(service), object-group(network) and any #187

Open
ITZAbacq opened this issue Nov 10, 2022 · 8 comments

ITZAbacq commented Nov 10, 2022

Hello, I'm new to these modules and I'd like to use the ACL module to deploy some rules on 4 ASA firewalls.
I have some rules which are designed and stored this way:
access-list OUTSIDE extended permit object-group SomeObjectGroupService object-group SomeObjectGroupNetwork any

These rules are getting an error:

fatal: [x.x.x.x]: FAILED! => {
    "changed": false,
    "module_stderr": "access-list OUTSIDE line 33 exten$ 33 extend                         d permit object-group SomeObjectGroupService ob                         ect-group SomeObjectGroupNetwork                         access-list OUTSIDE line 33 exte$\r\n\r\n access-list OUTSIDE line 33 extended permit object-group SomeObjectGroupService object-group SomeObjectGroupNetwork \r\nERROR: % Incomplete command\r\n\rSomeHostName/actNoFailover/sec(config)# ",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
}

Also the module isn't supporting objects, which is very unfortunate, but I can work around that.

Ansible Info

ansible [core 2.12.2]
  config file = /root/ansible.cfg
  configured module search path = ['/root/.ansible/collections/ansible_collections']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.12 (default, Sep 16 2021, 10:46:05) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)]
  jinja version = 2.10.3
  libyaml = True

Collection Info

Collection Version
---------- -------
cisco.asa  3.1.0

OS

  Operating System: Red Hat Enterprise Linux 8.6 (Ootpa)
            Kernel: Linux 4.18.0-372.9.1.el8.x86_64

The Ansible Config is stock.

The asa is running
ASA Version 9.12(4)38

What am I exactly doing?

- name: Parse configuration from Gitlab
  cisco.asa.asa_acls:
    running_config: "{{ lookup('file', working_dir + '/group_vars/access-lists-unparsed.cfg') }}"
    state: parsed
  register: parsed

- name: Override access-lists
  cisco.asa.asa_acls:
    config: "{{ parsed.parsed }}"
    state: overridden

This leads to the error.

I guess the parsed 'module' doesn't recognize the first object-group properly as an object-group(service), so it takes it as the source, which is actually wrong.

So the output of the parsed is

{
    "destination": {
        "object_group": "SomeObjectGroupNetwork"
    },
    "grant": "permit",
    "source": {
        "object_group": "SomeObjectGroupService"
    }
}

Or am I doing anything wrong?
Thank you very much.

@justjais
Member

@ITZAbacq thanks for raising the issue, I'll triage the issue from my end and update you more on this asap!

@justjais justjais self-assigned this Nov 14, 2022
@Starican

Hello!
I want to use this ACL too, but it's not working.
ACL - access-list OUTSIDE extended permit object-group SomeObjectGroupService object-group ObjectGroupNetworkSource object-group ObjectGroupNetworkDestination

Cisco ASAv version: Cisco Adaptive Security Appliance Software Version 9.16(4)19

OS - CentOS Stream release 8

ansible [core 2.12.7]
config file = /home/andrey/ansible/ansible.cfg
configured module search path = ['/home/andrey/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.8/site-packages/ansible
ansible collection location = /home/andrey/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible
python version = 3.8.13 (default, Jun 24 2022, 15:27:57) [GCC 8.5.0 20210514 (Red Hat 8.5.0-13)]
jinja version = 3.1.2
libyaml = True

ansible-galaxy collection list | grep asa
cisco.asa 4.0.1

error:
fatal: [ASAv]: FAILED! => {
    "changed": false,
    "module_stderr": "up $\r\n\r\naccess-list ACL-NAME extended permit object-group ObjectGroupNetworkSource object-group ObjectGroupNetworkDestination\r\n\r\nERROR: % Invalid input detected at '^' marker.\r\n\rASAv(config)# ",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
}
config:

      - name: SomeObjectGroupService
        services_object:
          - protocol: tcp-udp
            destination_port:
              eq: 53

  - name: "add access-list inside"
    cisco.asa.asa_acls:
      config:
        acls:
          - name: ACL-INSIDE
            acl_type: extended
            aces:
              - line: 2
                remark: Access to AD SRVs
              - grant: permit
                destination:
                  service_object_group: SomeObjectGroupService
                  object_group: ObjectGroupNetworkDestination
                source:
                  object_group: ObjectGroupNetworkSource

Thanks!

@ITZAbacq
Author

@Starican
To be honest, I moved on from the modules to using only http-api with yaml and jinja2.

@Starican

@ITZAbacq
Where can I read about it? I need examples :) You use the Cisco ASA rest-api, correct?

Thanks!

@ITZAbacq
Author

No, I'm using http-api. Rest-API is not available for asav.
https://www.cisco.com/c/en/us/td/docs/security/asa/misc/http-interface/asa-http-interface.html
That's all you need to know about.
Basically it's CLI via https. Easy-mode.

@Starican

@ITZAbacq
ASAv has a rest-api. I tested it.

Thanks for URL. Reading...
test.asa# sh run rest-api
!
rest-api image flash:/asa-restapi-7161-lfbff-k8.SPA
rest-api agent

test.asa#sh ver

Cisco Adaptive Security Appliance Software Version 9.16(4)19
SSP Operating System Version 2.10(1.253)
Device Manager Version 7.18(1)152
REST API Agent Version 7.16.1.75

Compiled on Wed 19-Apr-23 19:27 GMT by builders
System image file is "disk0:/asa9-16-4-19-smp-k8.bin"
Config file at boot was "startup-config"

test.asa up 63 days 19 hours

Hardware: ASAv, 4096 MB RAM, CPU Clarkdale 3399 MHz,
Internal ATA Compact Flash, 1024MB

@ITZAbacq
Author

Yeah but it's not officially supported for my devices. I could install it but I don't want to, as the http-api is far more easy. No need of an agent, so easier updates and it's just CLI-commands, which makes it for me far easier than rest.

@Starican

Hi!
I have good news :)
I have acl line - access-list OUTSIDE extended permit object-group OGService object-group OGNetworkSource object-group OGNetworkDestination

When I parse this line with Ansible I get this (it's not correct, I understand that):

{
    "destination": {
        "object_group": "OGNetworkSource",
        "service_object_group": "OGNetworkDestination"
    },
    "grant": "permit",
    "source": {
        "netmask": "OGervice",
        "object_group": "OGService"
    }
},

and I changed the config in the Ansible playbook (it's not logically correct, BUT it's working!!! I get the ACL on the devices without errors):

        - grant: permit
          line: 1
          destination:
            service_object_group: OGNetworkDestination
            object_group: OGNetworkSource
          source:
            object_group: OGService
