Ansible ASA Command Module
Today will be a touch shorter post, but it is good to be back at it. In this post I will be taking a quick look around at the asa_command module, as we start down the path with looking at the ASA modules in Ansible. This is spurned on a little bit by Ansible 2.8 coming out with an Object Group specific module. I will be looking into that further in a future post.
For the set of posts regarding the ASA, we will be starting with a pretty bare configuration on the device. We will have just a management IP address and the ability to SSH to the device.
Module Documentation#
Module documentation page can be found here.
Lab Configuration#
The device has bare basic configuration on it. Here we see that it has just a management IP address on it.
fw01# show int ip brie
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES unset administratively down up
GigabitEthernet0/1 unassigned YES unset administratively down up
GigabitEthernet0/2 unassigned YES unset administratively down up
Management0/0 172.16.0.254 YES CONFIG up up
Using the playbook#
Parameters#
There are a couple of key parameters on this module for getting started are:
- commands: A list of commands to send to the device; this can be one, or several commands within a list
- context: used for firewalls in multi-context mode, which context do you want to run the command(s) in
Simple first Playbook#
This is a simple playbook that will issue two commands. We will access both of
them in different tasks within the play. Taking a look at the play we are
executing the task with two commands, a show int ip brie and a ping to Google
DNS.
Playbook#
---
# yamllint disable rule:truthy
# yamllint disable rule:line-length
- name: ASA Command Output
connection: network_cli
hosts: asa_firewalls
gather_facts: no
become: yes
become_method: enable
tasks:
- name: "TASK 1: Read output from ASA"
asa_command:
commands:
- show int ip brief
- ping 8.8.8.8
register: output
- name: "TASK 2: Print output of show interfaces"
debug:
msg: "{{ output.stdout_lines.0 }}"
- name: "TASK 3: Print output of pinging Google DNS"
debug:
msg: "{{ output.stdout_lines.1 }}"
Tasks High Level#
TASK 1 is when Ansible logs into the device and issues the two commands.
TASK 2 we get the expected output of the show int ip brie and the commands
TASK 3 we see that the device is able to successfully ping Google DNS
These are the tasks that are to be run via the playbook broken out:
cat asa_command_demo.yml | grep TASK
- name: "TASK 1: Read output from ASA"
- name: "TASK 2: Print output of show interfaces"
- name: "TASK 3: Print output of pinging Google DNS"
Playbook Run#
Execution of the playbook:
To see a video of this on Youtube - https://youtu.be/Wk-3Zg08oSw
PLAY [ASA Command Output] *********************************************************************
TASK [TASK 1: Read output from ASA] ***********************************************************
ok: [asa1]
TASK [TASK 2: Print output of show interfaces] ************************************************
ok: [asa1] => {
"msg": [
"Interface IP-Address OK? Method Status Protocol",
"GigabitEthernet0/0 unassigned YES unset administratively down up ",
"GigabitEthernet0/1 unassigned YES unset administratively down up ",
"GigabitEthernet0/2 unassigned YES unset administratively down up ",
"Management0/0 172.16.0.254 YES CONFIG up up"
]
}
TASK [TASK 3: Print output of pinging Google DNS] *********************************************
ok: [asa1] => {
"msg": [
"Type escape sequence to abort.",
"Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:",
"!!!!!",
"Success rate is 100 percent (5/5), round-trip min/avg/max = 20/104/190 ms"
]
}
PLAY RECAP ************************************************************************************
asa1 : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Access Multiple Commands#
This is another example of how to issue multiple commands against a device within a single task. For a deeper dive on that you can see an earlier post here.
Summary#
This is a solid starting out module for working with ASA firewalls. It does come in very handy with dealing and gathering information from the ASA firewall platform. I have used this for several things within a production environment, primarily for data gathering. Hopefully coming up I will be able to expand on this further in building out an ASA firewall.
Hope this was helpful!
Share on Share on Share on Share on Share on