cisco.asa.asa_acls – Access-Lists resource module
Note: This plugin is part of the cisco.asa collection (version 1.0.4).
To install it use: ansible-galaxy collection install cisco.asa
To use it in a playbook, specify: cisco.asa.asa_acls
New in version 1.0.0 of cisco.asa
Synopsis
- This module configures and manages the named or numbered ACLs on ASA platforms.
Note: This module has a corresponding action plugin.
Parameters
- config (dictionary): A dictionary of ACL options.
  - acls (list / elements=dictionary): A list of Access Control Lists (ACL).
    - aces (list / elements=dictionary): The entries within the ACL.
      - destination (dictionary): Specify the packet destination.
        - address (string): Host address to match, or any single host address.
        - any (boolean): Match any destination address.
        - any4 (boolean): Match any IPv4 destination address.
        - any6 (boolean): Match any IPv6 destination address.
        - host (string): A single destination host.
        - interface (string): Use the interface address as the destination address.
        - netmask (string): Netmask for the destination IP address; valid with an IPv4 address.
        - object_group (string): Network object-group for the destination address.
        - port_protocol (dictionary): Specify the destination port along with the protocol. Valid only with the TCP/UDP protocol_options.
          - eq (string): Match only packets on a given port number.
          - gt (string): Match only packets with a greater port number.
          - lt (string): Match only packets with a lower port number.
          - neq (string): Match only packets not on a given port number.
          - range (dictionary): Port range operator.
            - end (integer): Specify the end of the port range.
            - start (integer): Specify the start of the port range.
      - grant (string): Specify the action.
      - inactive (boolean): Keyword for disabling an ACL element.
      - line (integer): The line number at which the ACE should be entered. An existing ACE can be updated based on the input line number. It is not required when configuring the ACL, but it is required for the deleted operation; without it the delete will not work as expected. Refer to vendor documentation for valid values.
      - log (string): Log matches against this entry.
      - protocol (string): Specify the protocol to match. Refer to vendor documentation for valid values.
      - protocol_options (dictionary): Protocol type.
        - ahp (boolean): Authentication Header Protocol.
        - eigrp (boolean): Cisco's EIGRP routing protocol.
        - esp (boolean): Encapsulation Security Payload.
        - gre (boolean): Cisco's GRE tunneling.
        - icmp (dictionary): Internet Control Message Protocol.
          - alternate_address (boolean): Alternate address.
          - conversion_error (boolean): Datagram conversion.
          - echo (boolean): Echo (ping).
          - echo_reply (boolean): Echo reply.
          - information_reply (boolean): Information replies.
          - information_request (boolean): Information requests.
          - mask_reply (boolean): Mask replies.
          - mask_request (boolean): Mask requests.
          - mobile_redirect (boolean): Mobile host redirect.
          - parameter_problem (boolean): All parameter problems.
          - redirect (boolean): All redirects.
          - router_advertisement (boolean): Router discovery advertisements.
          - router_solicitation (boolean): Router discovery solicitations.
          - source_quench (boolean): Source quenches.
          - source_route_failed (boolean): Source route failed.
          - time_exceeded (boolean): All time exceededs.
          - timestamp_reply (boolean): Timestamp replies.
          - timestamp_request (boolean): Timestamp requests.
          - traceroute (boolean): Traceroute.
          - unreachable (boolean): All unreachables.
        - icmp6 (dictionary): Internet Control Message Protocol for IPv6.
          - echo (boolean): Echo (ping).
          - echo_reply (boolean): Echo reply.
          - membership_query (boolean): Membership query.
          - membership_reduction (boolean): Membership reduction.
          - membership_report (boolean): Membership report.
          - neighbor_advertisement (boolean): Neighbor advertisement.
          - neighbor_redirect (boolean): Neighbor redirect.
          - neighbor_solicitation (boolean): Neighbor solicitation.
          - packet_too_big (boolean): Packet too big.
          - parameter_problem (boolean): Parameter problem.
          - router_advertisement (boolean): Router discovery advertisements.
          - router_renumbering (boolean): Router renumbering.
          - router_solicitation (boolean): Router solicitation.
          - time_exceeded (boolean): Time exceeded.
          - unreachable (boolean): All unreachables.
        - igmp (boolean): Internet Gateway Message Protocol.
        - igrp (boolean): Internet Gateway Routing Protocol.
        - ip (boolean): Any Internet Protocol.
        - ipinip (boolean): IP in IP tunneling.
        - ipsec (boolean): IP Security.
        - nos (boolean): KA9Q NOS compatible IP over IP tunneling.
        - ospf (boolean): OSPF routing protocol.
        - pcp (boolean): Payload Compression Protocol.
        - pim (boolean): Protocol Independent Multicast.
        - pptp (boolean): Point-to-Point Tunneling Protocol.
        - protocol_number (integer): An IP protocol number.
        - sctp (boolean): Stream Control Transmission Protocol.
        - snp (boolean): Simple Network Protocol.
        - tcp (boolean): Match TCP packet flags.
        - udp (boolean): User Datagram Protocol.
      - remark (string): Specify a comment (remark) for the access-list after this keyword.
      - source (dictionary): Specify the packet source.
        - address (string): Source network address.
        - any (boolean): Match any source address.
        - any4 (boolean): Match any IPv4 source address.
        - any6 (boolean): Match any IPv6 source address.
        - host (string): A single source host.
        - interface (string): Use the interface address as the source address.
        - netmask (string): Netmask for the source IP address; valid with an IPv4 address.
        - object_group (string): Network object-group for the source address.
        - port_protocol (dictionary): Specify the source port along with the protocol. Valid only with the TCP/UDP protocol_options.
          - eq (string): Match only packets on a given port number.
          - gt (string): Match only packets with a greater port number.
          - lt (string): Match only packets with a lower port number.
          - neq (string): Match only packets not on a given port number.
          - range (dictionary): Port range operator.
            - end (integer): Specify the end of the port range.
            - start (integer): Specify the start of the port range.
      - time_range (string): Specify a time-range.
    - acl_type (string): ACL type.
    - name (string / required): The name or the number of the ACL.
    - rename (string): Rename an existing access-list. If rename is given, it takes precedence over the other parameters and only the rename configuration is matched and computed against.
- running_config (string): By default the module connects to the remote device and retrieves the current running-config to use as the base for comparison against the contents of source. There are times when it is not desirable to have the task fetch the current running-config for every task in a playbook. The running_config argument allows the implementer to pass in the configuration to use as the base config for comparison.
- state (string): The state of the configuration after module completion (the examples below use merged, replaced, overridden, deleted, gathered, rendered and parsed).
Notes
- Tested against Cisco ASA Version 9.10(1)11
- This module works with connection network_cli. See ASA Platform Options.
Examples
```yaml
# Using merged

# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 2 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic; 1 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
#   extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
#   log errors interval 300 (hitcnt=0) 0x4a4660f3

- name: Merge provided configuration with device configuration
  cisco.asa.asa_acls:
    config:
      acls:
        - name: temp_access
          acl_type: extended
          aces:
            - grant: deny
              line: 1
              protocol_options:
                tcp: true
              source:
                address: 192.0.2.0
                netmask: 255.255.255.0
              destination:
                address: 192.0.3.0
                netmask: 255.255.255.0
                port_protocol:
                  eq: www
              log: default
            - grant: deny
              line: 2
              protocol_options:
                igrp: true
              source:
                address: 198.51.100.0
                netmask: 255.255.255.0
              destination:
                address: 198.51.110.0
                netmask: 255.255.255.0
              time_range: temp
            - grant: deny
              line: 3
              protocol_options:
                tcp: true
              source:
                interface: management
              destination:
                interface: management
                port_protocol:
                  eq: www
              log: warnings
            - grant: deny
              line: 4
              protocol_options:
                tcp: true
              source:
                object_group: test_og_network
              destination:
                object_group: test_network_og
                port_protocol:
                  eq: www
              log: default
        - name: global_access
          acl_type: extended
          aces:
            - line: 3
              remark: test global access
            - grant: deny
              line: 4
              protocol_options:
                tcp: true
              source:
                any: true
              destination:
                any: true
                port_protocol:
                  eq: www
              log: errors
        - name: R1_traffic
          aces:
            - line: 1
              remark: test_v6_acls
            - grant: deny
              line: 2
              protocol_options:
                tcp: true
              source:
                address: 2001:db8:0:3::/64
                port_protocol:
                  eq: www
              destination:
                address: 2001:fc8:0:4::/64
                port_protocol:
                  eq: telnet
              inactive: true
    state: merged

# Commands fired:
# ---------------
# access-list global_access line 3 remark test global access
# access-list global_access line 4 extended deny tcp any any eq www log errors interval 300
# access-list R1_traffic line 1 remark test_v6_acls
# access-list R1_traffic line 2 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
# access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
#   time-range temp inactive
# access-list temp_access line 2 extended deny tcp interface management interface management
#   eq www log warnings
# access-list test_access line 3 extended deny tcp object-group test_og_network object-group test_network_og
#   eq www log default

# After state:
# ------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 remark test global access (hitcnt=0) 0xae78337e
# access-list global_access line 4 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1 remark test_v6_acls
# access-list R1_traffic line 2
#   extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
#   inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
#   extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
#   log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
#   extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
#   time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
# access-list test_access line 3
#   extended deny tcp interface management interface management eq www log warnings
#   interval 300 (hitcnt=0) 0x78aa233d
# access-list test_access line 2 extended deny tcp object-group test_og_network object-group test_network_og
#   eq www log default (hitcnt=0) 0x477aec1e
# access-list test_access line 2 extended deny tcp 192.0.2.0 255.255.255.0 host 192.0.3.1 eq www
#   log default (hitcnt=0) 0xdc7edff8
# access-list test_access line 2 extended deny tcp 192.0.2.0 255.255.255.0 host 192.0.3.2 eq www
#   log default (hitcnt=0) 0x7b0e9fde
# access-list test_access line 2 extended deny tcp 198.51.100.0 255.255.255.0 2001:db8:3::/64 eq www
#   log default (hitcnt=0) 0x97c75adc
```
```yaml
# Using Merged to Rename ACLs

# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 2 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic; 1 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
#   extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
#   log errors interval 300 (hitcnt=0) 0x4a4660f3

- name: Rename ACL with different name using Merged state
  cisco.asa.asa_acls:
    config:
      acls:
        - name: global_access
          rename: global_access_renamed
        - name: R1_traffic
          rename: R1_traffic_renamed
    state: merged

# Commands fired:
# ---------------
# access-list global_access rename global_access_renamed
# access-list R1_traffic rename R1_traffic_renamed

# After state:
# -------------
#
# vasa#sh access-lists
# access-list global_access_renamed; 2 elements; name hash: 0xbd6c87a7
# access-list global_access_renamed line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access_renamed line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic_renamed; 1 elements; name hash: 0xaf40d3c2
# access-list R1_traffic_renamed line 1
#   extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
#   log errors interval 300 (hitcnt=0) 0x4a4660f3
```
```yaml
# Using replaced

# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
#   extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
#   log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
#   extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
#   inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
#   extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
#   log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
#   extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
#   time-range temp (hitcnt=0) (inactive) 0xcd6b92ae

- name: Replaces device configuration of listed acl with provided configuration
  cisco.asa.asa_acls:
    config:
      acls:
        - name: global_access
          acl_type: extended
          aces:
            - grant: deny
              line: 1
              protocol_options:
                tcp: true
              source:
                address: 192.0.4.0
                netmask: 255.255.255.0
                port_protocol:
                  eq: telnet
              destination:
                address: 192.0.5.0
                netmask: 255.255.255.0
                port_protocol:
                  eq: www
    state: replaced

# Commands fired:
# ---------------
# no access-list global_access line 3 extended deny tcp any any eq www log errors interval 300
# no access-list global_access line 2 extended deny tcp any any eq telnet
# no access-list global_access line 1 extended permit icmp any any log disable
# access-list global_access line 1 extended deny tcp 192.0.4.0 255.255.255.0 eq telnet 192.0.5.0 255.255.255.0 eq www

# After state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 1 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended deny tcp 192.0.4.0 255.255.255.0 eq telnet
#   192.0.5.0 255.255.255.0 eq www (hitcnt=0) 0x3e5b2757
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
#   extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
#   log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
#   extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
#   inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
#   extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
#   log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
#   extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
#   time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
```
```yaml
# Using overridden

# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
#   extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
#   log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
#   extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
#   inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
#   extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
#   log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
#   extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
#   time-range temp (hitcnt=0) (inactive) 0xcd6b92ae

- name: Override device configuration of all acl with provided configuration
  cisco.asa.asa_acls:
    config:
      acls:
        - name: global_access
          acl_type: extended
          aces:
            - grant: deny
              line: 1
              protocol_options:
                tcp: true
              source:
                address: 192.0.4.0
                netmask: 255.255.255.0
                port_protocol:
                  eq: telnet
              destination:
                address: 192.0.5.0
                netmask: 255.255.255.0
                port_protocol:
                  eq: www
    state: overridden

# Commands fired:
# ---------------
# access-list temp_access line 2
#   extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 time-range temp
# no access-list temp_access line 1
#   extended grant deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# no access-list R1_traffic line 2
#   extended grant deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
# no access-list R1_traffic line 1
#   extended grant deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www log errors
# no access-list global_access line 3 extended grant deny tcp any any eq www log errors
# no access-list global_access line 2 extended grant deny tcp any any eq telnet
# no access-list global_access line 1 extended grant permit icmp any any log disable
# access-list global_access line 4 extended deny tcp 192.0.4.0 255.255.255.0 eq telnet 192.0.5.0 255.255.255.0 eq www

# After state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 1 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
```
```yaml
# Using Deleted

# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
#   extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
#   log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
#   extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
#   inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
#   extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
#   log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
#   extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
#   time-range temp (hitcnt=0) (inactive) 0xcd6b92ae

- name: "Delete module attributes of given acl (Note: This won't delete ALL of the ACLs configured)"
  cisco.asa.asa_acls:
    config:
      acls:
        - name: temp_access
        - name: global_access
    state: deleted

# Commands fired:
# ---------------
# no access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
#   time-range temp inactive
# no access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
#   log default
# no access-list global_access line 3 extended deny tcp any any eq www log errors interval 300
# no access-list global_access line 2 extended deny tcp any any eq telnet
# no access-list global_access line 1 extended permit icmp any any log disable

# After state:
# -------------
#
# vasa#sh access-lists
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
#   extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
#   log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
#   extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
#   inactive (hitcnt=0) (inactive) 0xe922b432
```
```yaml
# Using Deleted without any config passed
# (NOTE: This will delete all of configured resource module attributes)

# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
#   extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
#   log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
#   extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
#   inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
#   extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
#   log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
#   extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
#   time-range temp (hitcnt=0) (inactive) 0xcd6b92ae

- name: 'Delete ALL ACLs in one go (Note: This WILL delete the ALL of configured ACLs)'
  cisco.asa.asa_acls:
    state: deleted

# Commands fired:
# ---------------
# no access-list global_access line 1 extended permit icmp any any log disable
# no access-list global_access line 2 extended deny tcp any any eq telnet
# no access-list global_access line 3 extended deny tcp any any eq www log errors interval 300
# no access-list R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
#   log errors interval 300
# no access-list R1_traffic line 2 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
# no access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# no access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
#   time-range temp inactive

# After state:
# -------------
#
# vasa#sh access-lists
```
```yaml
# Using Gathered

# Before state:
# -------------
#
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
#   extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
#   log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
#   extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
#   inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
#   extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
#   log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
#   extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
#   time-range temp (hitcnt=0) (inactive) 0xcd6b92ae

- name: Gather listed ACLs with provided configurations
  cisco.asa.asa_acls:
    config:
    state: gathered

# Module Execution Result:
# ------------------------
#
# "gathered": [
#   {
#     "acls": [
#       {
#         "aces": [
#           {
#             "destination": {
#               "any": true
#             },
#             "grant": "permit",
#             "line": 1,
#             "log": "disable",
#             "protocol": "icmp",
#             "source": {
#               "any": true
#             }
#           },
#           {
#             "destination": {
#               "any": true,
#               "port_protocol": {
#                 "eq": "telnet"
#               }
#             },
#             "grant": "deny",
#             "line": 2,
#             "protocol": "tcp",
#             "protocol_options": {
#               "tcp": true
#             },
#             "source": {
#               "any": true
#             }
#           }
#         ],
#         "acl_type": "extended",
#         "name": "global_access"
#       },
#       {
#         "aces": [
#           {
#             "destination": {
#               "address": "2001:fc8:0:4::/64",
#               "port_protocol": {
#                 "eq": "www"
#               }
#             },
#             "grant": "deny",
#             "line": 1,
#             "log": "errors",
#             "protocol": "tcp",
#             "protocol_options": {
#               "tcp": true
#             },
#             "source": {
#               "address": "2001:db8:0:3::/64",
#               "port_protocol": {
#                 "eq": "telnet"
#               }
#             }
#           },
#           {
#             "destination": {
#               "address": "2001:fc8:0:4::/64",
#               "port_protocol": {
#                 "eq": "telnet"
#               }
#             },
#             "grant": "deny",
#             "inactive": true,
#             "line": 2,
#             "protocol": "tcp",
#             "protocol_options": {
#               "tcp": true
#             },
#             "source": {
#               "address": "2001:db8:0:3::/64",
#               "port_protocol": {
#                 "eq": "www"
#               }
#             }
#           }
#         ],
#         "acl_type": "extended",
#         "name": "R1_traffic"
#       },
#       {
#         "aces": [
#           {
#             "destination": {
#               "address": "192.0.3.0",
#               "netmask": "255.255.255.0",
#               "port_protocol": {
#                 "eq": "www"
#               }
#             },
#             "grant": "deny",
#             "line": 1,
#             "log": "default",
#             "protocol": "tcp",
#             "protocol_options": {
#               "tcp": true
#             },
#             "source": {
#               "address": "192.0.2.0",
#               "netmask": "255.255.255.0"
#             }
#           },
#           {
#             "destination": {
#               "address": "198.51.110.0",
#               "netmask": "255.255.255.0"
#             },
#             "grant": "deny",
#             "inactive": true,
#             "line": 2,
#             "protocol": "igrp",
#             "protocol_options": {
#               "igrp": true
#             },
#             "source": {
#               "address": "198.51.100.0",
#               "netmask": "255.255.255.0"
#             },
#             "time_range": "temp"
#           }
#         ],
#         "acl_type": "extended",
#         "name": "temp_access"
#       }
#     ]
#   }
# ]
```
```yaml
# Using Rendered

- name: Render the provided configuration with the existing running configuration
  cisco.asa.asa_acls:
    config:
      acls:
        - name: temp_access
          acl_type: extended
          aces:
            - grant: deny
              line: 1
              protocol_options:
                tcp: true
              source:
                address: 192.0.2.0
                netmask: 255.255.255.0
              destination:
                address: 192.0.3.0
                netmask: 255.255.255.0
                port_protocol:
                  eq: www
              log: default
            - grant: deny
              line: 2
              protocol_options:
                igrp: true
              source:
                address: 198.51.100.0
                netmask: 255.255.255.0
              destination:
                address: 198.51.110.0
                netmask: 255.255.255.0
              time_range: temp
        - name: R1_traffic
          aces:
            - grant: deny
              protocol_options:
                tcp: true
              source:
                address: 2001:db8:0:3::/64
                port_protocol:
                  eq: www
              destination:
                address: 2001:fc8:0:4::/64
                port_protocol:
                  eq: telnet
              inactive: true
    state: rendered

# Module Execution Result:
# ------------------------
#
# "rendered": [
#   "access-list temp_access line 1
#    extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0
#    eq www log default"
#   "access-list temp_access line 2
#    extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
#    time-range temp"
#   "access-list R1_traffic
#    deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive"
# ]
```
```yaml
# Using Parsed

# parsed.cfg
#
# access-list test_access; 2 elements; name hash: 0xaf1b712e
# access-list test_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors
# access-list test_R1_traffic; 1 elements; name hash: 0xaf40d3c2
# access-list test_R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive

- name: Parse the commands for provided configuration
  cisco.asa.asa_acls:
    running_config: "{{ lookup('file', 'parsed.cfg') }}"
    state: parsed

# Module Execution Result:
# ------------------------
#
# "parsed": [
#   {
#     "acls": [
#       {
#         "aces": [
#           {
#             "destination": {
#               "address": "192.0.3.0",
#               "netmask": "255.255.255.0",
#               "port_protocol": {
#                 "eq": "www"
#               }
#             },
#             "grant": "deny",
#             "line": 1,
#             "log": "default",
#             "protocol": "tcp",
#             "protocol_options": {
#               "tcp": true
#             },
#             "source": {
#               "address": "192.0.2.0",
#               "netmask": "255.255.255.0"
#             }
#           },
#           {
#             "destination": {
#               "address": "198.51.110.0",
#               "netmask": "255.255.255.0"
#             },
#             "grant": "deny",
#             "line": 2,
#             "log": "errors",
#             "protocol": "igrp",
#             "protocol_options": {
#               "igrp": true
#             },
#             "source": {
#               "address": "198.51.100.0",
#               "netmask": "255.255.255.0"
#             }
#           }
#         ],
#         "acl_type": "extended",
#         "name": "test_access"
#       },
#       {
#         "aces": [
#           {
#             "destination": {
#               "address": "2001:fc8:0:4::/64",
#               "port_protocol": {
#                 "eq": "telnet"
#               }
#             },
#             "grant": "deny",
#             "inactive": true,
#             "line": 1,
#             "protocol": "tcp",
#             "protocol_options": {
#               "tcp": true
#             },
#             "source": {
#               "address": "2001:db8:0:3::/64",
#               "port_protocol": {
#                 "eq": "www"
#               }
#             }
#           }
#         ],
#         "acl_type": "extended",
#         "name": "test_R1_TRAFFIC"
#       }
#     ]
#   }
# ]
```
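The parsed and gathered states above return ACEs as structured data; the following is an added, stand-alone example (not code from the cisco.asa collection) of a small parser that turns `show access-lists` or `parsed.cfg`-style lines into that same shape, stripping the `(hitcnt=...)` and hash noise the ASA prints, and of a review check that lists active `permit` entries from any source to any destination. The sample lines are constructed from this page's output; the `unrestricted_permits` helper and its name are this example's own, and standard (non-extended) ACEs are not handled.

```python
import re

# Constructed sample modelled on the parsed.cfg and "show access-lists" output on
# this page; hit counters and hashes appear the way the ASA prints them.
SAMPLE_CFG = """\
access-list global_access; 2 elements; name hash: 0xbd6c87a7
access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
access-list global_access line 2 remark test global access (hitcnt=0) 0xae78337e
access-list test_access; 2 elements; name hash: 0xaf1b712e
access-list test_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors
access-list test_R1_traffic; 1 elements; name hash: 0xaf40d3c2
access-list test_R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
access-list outside_in line 1 extended permit tcp any any eq www
"""

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
NOISE_RE = re.compile(r"\(hitcnt=\d+\)|\(inactive\)|0x[0-9a-fA-F]+\s*$")
PORT_OPS = ("eq", "gt", "lt", "neq", "range")
TRAILERS = ("log", "interval", "inactive", "time-range")


def _endpoint(toks, i):
    """Parse one source/destination spec at toks[i]; return (dict, next index)."""
    tok = toks[i]
    if tok in ("any", "any4", "any6"):
        ep, i = {tok: True}, i + 1
    elif tok in ("host", "interface"):
        ep, i = {tok: toks[i + 1]}, i + 2
    elif tok == "object-group":
        ep, i = {"object_group": toks[i + 1]}, i + 2
    elif IPV4_RE.match(tok):                    # IPv4 network followed by its netmask
        ep, i = {"address": tok, "netmask": toks[i + 1]}, i + 2
    else:                                       # IPv6 prefix such as 2001:db8:0:3::/64
        ep, i = {"address": tok}, i + 1
    if i < len(toks) and toks[i] in PORT_OPS:   # optional port operator (tcp/udp only)
        op = toks[i]
        if op == "range":                       # range start/end are integers in the module
            ep["port_protocol"] = {"range": {"start": int(toks[i + 1]), "end": int(toks[i + 2])}}
            i += 3
        else:                                   # eq/gt/lt/neq take a string (www, 8080, ...)
            ep["port_protocol"] = {op: toks[i + 1]}
            i += 2
    return ep, i


def parse_access_lists(text):
    """Parse ACL lines into the structure asa_acls returns for state=parsed/gathered."""
    acls = {}
    for raw in text.splitlines():
        toks = NOISE_RE.sub("", raw).split()
        # Summary lines ("access-list NAME; 2 elements; ...") carry no "line" keyword.
        if len(toks) < 5 or toks[0] != "access-list" or toks[2] != "line":
            continue
        name = toks[1]
        acl = acls.setdefault(name, {"name": name, "aces": []})
        ace = {"line": int(toks[3])}
        if toks[4] == "remark":
            ace["remark"] = " ".join(toks[5:])
            acl["aces"].append(ace)
            continue
        if toks[4] != "extended":               # standard/webtype ACEs are out of scope here
            continue
        acl["acl_type"] = "extended"
        ace["grant"], ace["protocol"] = toks[5], toks[6]
        if ace["protocol"] not in ("icmp", "icmp6"):   # icmp types are a nested dict
            ace["protocol_options"] = {ace["protocol"]: True}
        ace["source"], i = _endpoint(toks, 7)
        ace["destination"], i = _endpoint(toks, i)
        while i < len(toks):                    # trailing keywords, in any order
            if toks[i] == "log":
                i += 1
                if i < len(toks) and toks[i] not in TRAILERS:
                    ace["log"], i = toks[i], i + 1
                else:                           # bare "log": ASA default severity
                    ace["log"] = "informational"
            elif toks[i] == "interval":         # "log errors interval 300": keep the level only
                i += 2
            elif toks[i] == "inactive":
                ace["inactive"], i = True, i + 1
            elif toks[i] == "time-range":
                ace["time_range"], i = toks[i + 1], i + 2
            else:
                i += 1                          # unknown keyword, skipped
        acl["aces"].append(ace)
    return list(acls.values())


def unrestricted_permits(acls):
    """(acl name, line) of every active ACE that permits any source to any destination."""
    anyk = {"any", "any4", "any6"}
    return [(acl["name"], ace["line"]) for acl in acls for ace in acl["aces"]
            if ace.get("grant") == "permit" and not ace.get("inactive")
            and anyk & set(ace["source"]) and anyk & set(ace["destination"])]


if __name__ == "__main__":
    acls = parse_access_lists(SAMPLE_CFG)
    print("unrestricted permits:", unrestricted_permits(acls))
```

Feeding the same text through the module with state=parsed gives the structure to compare against; running the check on the before state of a playbook run is a cheap way to catch an any/any permit before it is merged.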
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description
---|---|---
after (list / elements=string) | when changed | The configuration as structured data after module completion. Sample: the configuration returned will always be in the same format as the parameters above.
before (list / elements=string) | always | The configuration as structured data prior to module invocation. Sample: the configuration returned will always be in the same format as the parameters above.
commands (list / elements=string) | always | The set of commands pushed to the remote device. Sample: ['access-list global_access line 1 extended permit icmp any any log disable']
Authors
- Sumit Jaiswal (@justjais)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/cisco/asa/asa_acls_module.html