cisco.asa.asa_acls – Access-Lists resource module
Note
This plugin is part of the cisco.asa collection (version 2.1.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install cisco.asa.
To use it in a playbook, specify: cisco.asa.asa_acls.
New in version 1.0.0: of cisco.asa
Synopsis
- This module configures and manages the named or numbered ACLs on ASA platforms.
Note
This module has a corresponding action plugin.
Parameters
| Parameter | Choices/Defaults | Comments | ||||||
|---|---|---|---|---|---|---|---|---|
| config
dictionary
|
A dictionary of ACL options.
|
|||||||
| acls
list / elements=dictionary
|
A list of Access Control Lists (ACL).
|
|||||||
| aces
list / elements=dictionary
|
The entries within the ACL.
|
|||||||
| destination
dictionary
|
Specify the packet destination.
|
|||||||
| address
string
|
Host address to match, or any single host address.
|
|||||||
| any
boolean
|
|
Match any destination address.
|
||||||
| any4
boolean
|
|
Match any ipv4 destination address.
|
||||||
| any6
boolean
|
|
Match any ipv6 destination address.
|
||||||
| host
string
|
A single destination host
|
|||||||
| interface
string
|
Use interface address as destination address
|
|||||||
| netmask
string
|
Netmask for destination IP address, valid with IPV4 address.
|
|||||||
| object_group
string
|
Network object-group for destination address
|
|||||||
| port_protocol
dictionary
|
Specify the destination port along with protocol.
Note, Valid with TCP/UDP protocol_options
|
|||||||
| eq
string
|
Match only packets on a given port number.
|
|||||||
| gt
string
|
Match only packets with a greater port number.
|
|||||||
| lt
string
|
Match only packets with a lower port number.
|
|||||||
| neq
string
|
Match only packets not on a given port number.
|
|||||||
| range
dictionary
|
Port range operator
|
|||||||
| end
integer
|
Specify the end of the port range.
|
|||||||
| start
integer
|
Specify the start of the port range.
|
|||||||
| service_object_group
string
|
Service object-group for destination port
|
|||||||
| grant
string
|
|
Specify the action.
|
||||||
| inactive
boolean
|
|
Keyword for disabling an ACL element.
|
||||||
| line
integer
|
Use this to specify line number at which ACE should be entered.
Existing ACE can be updated based on the input line number.
It's not a required param in case of configuring the acl, but in case of Delete operation it's required, else Delete operation won't work as expected.
Refer to vendor documentation for valid values.
|
|||||||
| log
string
|
|
Log matches against this entry.
|
||||||
| protocol
string
|
Specify the protocol to match.
Refer to vendor documentation for valid values.
|
|||||||
| protocol_options
dictionary
|
protocol type.
|
|||||||
| ahp
boolean
|
|
Authentication Header Protocol.
|
||||||
| eigrp
boolean
|
|
Cisco's EIGRP routing protocol.
|
||||||
| esp
boolean
|
|
Encapsulation Security Payload.
|
||||||
| gre
boolean
|
|
Cisco's GRE tunneling.
|
||||||
| icmp
dictionary
|
Internet Control Message Protocol.
|
|||||||
| alternate_address
boolean
|
|
Alternate address
|
||||||
| conversion_error
boolean
|
|
Datagram conversion
|
||||||
| echo
boolean
|
|
Echo (ping)
|
||||||
| echo_reply
boolean
|
|
Echo reply
|
||||||
| information_reply
boolean
|
|
Information replies
|
||||||
| information_request
boolean
|
|
Information requests
|
||||||
| mask_reply
boolean
|
|
Mask replies
|
||||||
| mask_request
boolean
|
|
mask_request
|
||||||
| mobile_redirect
boolean
|
|
Mobile host redirect
|
||||||
| parameter_problem
boolean
|
|
All parameter problems
|
||||||
| redirect
boolean
|
|
All redirects
|
||||||
| router_advertisement
boolean
|
|
Router discovery advertisements
|
||||||
| router_solicitation
boolean
|
|
Router discovery solicitations
|
||||||
| source_quench
boolean
|
|
Source quenches
|
||||||
| source_route_failed
boolean
|
|
Source route
|
||||||
| time_exceeded
boolean
|
|
All time exceededs
|
||||||
| timestamp_reply
boolean
|
|
Timestamp replies
|
||||||
| timestamp_request
boolean
|
|
Timestamp requests
|
||||||
| traceroute
boolean
|
|
Traceroute
|
||||||
| unreachable
boolean
|
|
All unreachables
|
||||||
| icmp6
dictionary
|
Internet Control Message Protocol.
|
|||||||
| echo
boolean
|
|
Echo (ping)
|
||||||
| echo_reply
boolean
|
|
Echo reply
|
||||||
| membership_query
boolean
|
|
Membership query
|
||||||
| membership_reduction
boolean
|
|
Membership reduction
|
||||||
| membership_report
boolean
|
|
Membership report
|
||||||
| neighbor_advertisement
boolean
|
|
Neighbor advertisement
|
||||||
| neighbor_redirect
boolean
|
|
Neighbor redirect
|
||||||
| neighbor_solicitation
boolean
|
|
Neighbor_solicitation
|
||||||
| packet_too_big
boolean
|
|
Packet too big
|
||||||
| parameter_problem
boolean
|
|
Parameter problem
|
||||||
| router_advertisement
boolean
|
|
Router discovery advertisements
|
||||||
| router_renumbering
boolean
|
|
Router renumbering
|
||||||
| router_solicitation
boolean
|
|
Router solicitation
|
||||||
| time_exceeded
boolean
|
|
Time exceeded
|
||||||
| unreachable
boolean
|
|
All unreachables
|
||||||
| igmp
boolean
|
|
Internet Gateway Message Protocol.
|
||||||
| igrp
boolean
|
|
Internet Gateway Routing Protocol.
|
||||||
| ip
boolean
|
|
Any Internet Protocol.
|
||||||
| ipinip
boolean
|
|
IP in IP tunneling.
|
||||||
| ipsec
boolean
|
|
IP Security.
|
||||||
| nos
boolean
|
|
KA9Q NOS compatible IP over IP tunneling.
|
||||||
| ospf
boolean
|
|
OSPF routing protocol.
|
||||||
| pcp
boolean
|
|
Payload Compression Protocol.
|
||||||
| pim
boolean
|
|
Protocol Independent Multicast.
|
||||||
| pptp
boolean
|
|
Point-to-Point Tunneling Protocol.
|
||||||
| protocol_number
integer
|
An IP protocol number
|
|||||||
| sctp
boolean
|
|
Stream Control Transmission Protocol.
|
||||||
| snp
boolean
|
|
Simple Network Protocol.
|
||||||
| tcp
boolean
|
|
Match TCP packet flags
|
||||||
| udp
boolean
|
|
User Datagram Protocol.
|
||||||
| remark
string
|
Specify a comment (remark) for the access-list after this keyword
|
|||||||
| source
dictionary
|
Specify the packet source.
|
|||||||
| address
string
|
Source network address.
|
|||||||
| any
boolean
|
|
Match any source address.
|
||||||
| any4
boolean
|
|
Match any ipv4 source address.
|
||||||
| any6
boolean
|
|
Match any ipv6 source address.
|
||||||
| host
string
|
A single source host
|
|||||||
| interface
string
|
Use interface address as source address
|
|||||||
| netmask
string
|
Netmask for source IP address, valid with IPV4 address.
|
|||||||
| object_group
string
|
Network object-group for source address
|
|||||||
| port_protocol
dictionary
|
Specify the destination port along with protocol.
Note, Valid with TCP/UDP protocol_options
|
|||||||
| eq
string
|
Match only packets on a given port number.
|
|||||||
| gt
string
|
Match only packets with a greater port number.
|
|||||||
| lt
string
|
Match only packets with a lower port number.
|
|||||||
| neq
string
|
Match only packets not on a given port number.
|
|||||||
| range
dictionary
|
Port range operator
|
|||||||
| end
integer
|
Specify the end of the port range.
|
|||||||
| start
integer
|
Specify the start of the port range.
|
|||||||
| time_range
string
|
Specify a time-range.
|
|||||||
| acl_type
string
|
|
ACL type
|
||||||
| name
string / required
|
The name or the number of the ACL.
|
|||||||
| rename
string
|
Rename an existing access-list.
If input to rename param is given, it'll take preference over other parameters and only rename config will be matched and computed against.
|
|||||||
| running_config
string
|
The module, by default, will connect to the remote device and retrieve the current running-config to use as a base for comparing against the contents of source. There are times when it is not desirable to have the task get the current running-config for every task in a playbook. The running_config argument allows the implementer to pass in the configuration to use as the base config for comparison.
|
|||||||
| state
string
|
|
The state of the configuration after module completion
|
||||||
Notes
Note
- Tested against Cisco ASA Version 9.10(1)11
- This module works with connection
network_cli. See ASA Platform Options.
Examples
# Using merged
# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 2 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic; 1 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
- name: Merge provided configuration with device configuration
cisco.asa.asa_acls:
config:
acls:
- name: temp_access
acl_type: extended
aces:
- grant: deny
line: 1
protocol_options:
tcp: true
source:
address: 192.0.2.0
netmask: 255.255.255.0
destination:
address: 192.0.3.0
netmask: 255.255.255.0
port_protocol:
eq: www
log: default
- grant: deny
line: 2
protocol_options:
igrp: true
source:
address: 198.51.100.0
netmask: 255.255.255.0
destination:
address: 198.51.110.0
netmask: 255.255.255.0
time_range: temp
- grant: deny
line: 3
protocol_options:
tcp: true
source:
interface: management
destination:
interface: management
port_protocol:
eq: www
log: warnings
- grant: deny
line: 4
protocol_options:
tcp: true
source:
object_group: test_og_network
destination:
object_group: test_network_og
port_protocol:
eq: www
log: default
- name: global_access
acl_type: extended
aces:
- line: 3
remark: test global access
- grant: deny
line: 4
protocol_options:
tcp: true
source:
any: true
destination:
any: true
port_protocol:
eq: www
log: errors
- name: R1_traffic
aces:
- line: 1
remark: test_v6_acls
- grant: deny
line: 2
protocol_options:
tcp: true
source:
address: 2001:db8:0:3::/64
port_protocol:
eq: www
destination:
address: 2001:fc8:0:4::/64
port_protocol:
eq: telnet
inactive: true
state: merged
# Commands fired:
# ---------------
# access-list global_access line 3 remark test global access
# access-list global_access line 4 extended deny tcp any any eq www log errors interval 300
# access-list R1_traffic line 1 remark test_v6_acls
# access-list R1_traffic line 2 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
# access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp inactive
# access-list temp_access line 2 extended deny tcp interface management interface management
# eq www log warnings
# access-list test_access line 3 extended deny tcp object-group test_og_network object-group test_network_og
# eq www log default
# After state:
# ------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 remark test global access (hitcnt=0) 0xae78337e
# access-list global_access line 4 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1 remark test_v6_acls
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
# access-list test_access line 3
# extended deny tcp interface management interface management eq www log warnings
# interval 300 (hitcnt=0) 0x78aa233d
# access-list test_access line 2 extended deny tcp object-group test_og_network object-group test_network_og
# eq www log default (hitcnt=0) 0x477aec1e
# access-list test_access line 2 extended deny tcp 192.0.2.0 255.255.255.0 host 192.0.3.1 eq www
# log default (hitcnt=0) 0xdc7edff8
# access-list test_access line 2 extended deny tcp 192.0.2.0 255.255.255.0 host 192.0.3.2 eq www
# log default (hitcnt=0) 0x7b0e9fde
# access-list test_access line 2 extended deny tcp 198.51.100.0 255.255.255.0 2001:db8:3::/64 eq www
# log default (hitcnt=0) 0x97c75adc
# Using Merged to Rename ACLs
# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 2 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic; 1 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
- name: Rename ACL with different name using Merged state
cisco.asa.asa_acls:
config:
acls:
- name: global_access
rename: global_access_renamed
- name: R1_traffic
rename: R1_traffic_renamed
state: merged
# Commands fired:
# ---------------
# access-list global_access rename global_access_renamed
# access-list R1_traffic rename R1_traffic_renamed
# After state:
# -------------
#
# vasa#sh access-lists
# access-list global_access_renamed; 2 elements; name hash: 0xbd6c87a7
# access-list global_access_renamed line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access_renamed line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic_renamed; 1 elements; name hash: 0xaf40d3c2
# access-list R1_traffic_renamed line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# Using replaced
# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
- name: Replaces device configuration of listed acl with provided configuration
cisco.asa.asa_acls:
config:
acls:
- name: global_access
acl_type: extended
aces:
- grant: deny
line: 1
protocol_options:
tcp: true
source:
address: 192.0.4.0
netmask: 255.255.255.0
port_protocol:
eq: telnet
destination:
address: 192.0.5.0
netmask: 255.255.255.0
port_protocol:
eq: www
state: replaced
# Commands fired:
# ---------------
# no access-list global_access line 3 extended deny tcp any any eq www log errors interval 300
# no access-list global_access line 2 extended deny tcp any any eq telnet
# no access-list global_access line 1 extended permit icmp any any log disable
# access-list global_access line 1 extended deny tcp 192.0.4.0 255.255.255.0 eq telnet 192.0.5.0 255.255.255.0 eq www
# After state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 1 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended deny tcp 192.0.4.0 255.255.255.0 eq telnet
# 192.0.5.0 255.255.255.0 eq www (hitcnt=0) 0x3e5b2757
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
# Using overridden
# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
- name: Override device configuration of all acl with provided configuration
cisco.asa.asa_acls:
config:
acls:
- name: global_access
acl_type: extended
aces:
- grant: deny
line: 1
protocol_options:
tcp: true
source:
address: 192.0.4.0
netmask: 255.255.255.0
port_protocol:
eq: telnet
destination:
address: 192.0.5.0
netmask: 255.255.255.0
port_protocol:
eq: www
state: overridden
# Commands fired:
# ---------------
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 time-range temp
# no access-list temp_access line 1
# extended grant deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# no access-list R1_traffic line 2
# extended grant deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
# no access-list R1_traffic line 1
# extended grant deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www log errors
# no access-list global_access line 3 extended grant deny tcp any any eq www log errors
# no access-list global_access line 2 extended grant deny tcp any any eq telnet
# no access-list global_access line 1 extended grant permit icmp any any log disable
# access-list global_access line 4 extended deny tcp 192.0.4.0 255.255.255.0 eq telnet 192.0.5.0 255.255.255.0 eq www
# After state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 1 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# Using Deleted
# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
- name: "Delete module attributes of given acl (Note: This won't delete ALL of the ACLs configured)"
cisco.asa.asa_acls:
config:
acls:
- name: temp_access
- name: global_access
state: deleted
# Commands fired:
# ---------------
# no access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp inactive
# no access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default
# no access-list global_access line 3 extended deny tcp any any eq www log errors interval 300
# no access-list global_access line 2 extended deny tcp any any eq telnet
# no access-list global_access line 1 extended permit icmp any any log disable
# After state:
# -------------
#
# vasa#sh access-lists
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# Using Deleted without any config passed
#"(NOTE: This will delete all of configured resource module attributes)"
# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
- name: 'Delete ALL ACLs in one go (Note: This WILL delete the ALL of configured ACLs)'
cisco.asa.asa_acls:
state: deleted
# Commands fired:
# ---------------
# no access-list global_access line 1 extended permit icmp any any log disable
# no access-list global_access line 2 extended deny tcp any any eq telnet
# no access-list global_access line 3 extended deny tcp any any eq www log errors interval 300
# no access-list R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300
# no access-list R1_traffic line 2 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
# no access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# no access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp inactive
# After state:
# -------------
#
# vasa#sh access-lists
# Using Gathered
# Before state:
# -------------
#
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
- name: Gather listed ACLs with provided configurations
cisco.asa.asa_acls:
config:
state: gathered
# Module Execution Result:
# ------------------------
#
# "gathered": [
# {
# "acls": [
# {
# "aces": [
# {
# "destination": {
# "any": true
# },
# "grant": "permit",
# "line": 1,
# "log": "disable",
# "protocol": "icmp",
# "source": {
# "any": true
# }
# },
# {
# "destination": {
# "any": true,
# "port_protocol": {
# "eq": "telnet"
# }
# },
# "grant": "deny",
# "line": 2,
# "protocol": "tcp",
# "protocol_options": {
# "tcp": true
# },
# "source": {
# "any": true
# }
# }
# ],
# "acl_type": "extended",
# "name": "global_access"
# },
# {
# "aces": [
# {
# "destination": {
# "address": "2001:fc8:0:4::/64",
# "port_protocol": {
# "eq": "www"
# }
# },
# "grant": "deny",
# "line": 1,
# "log": "errors",
# "protocol": "tcp",
# "protocol_options": {
# "tcp": true
# },
# "source": {
# "address": "2001:db8:0:3::/64",
# "port_protocol": {
# "eq": "telnet"
# }
# }
# },
# {
# "destination": {
# "address": "2001:fc8:0:4::/64",
# "port_protocol": {
# "eq": "telnet"
# }
# },
# "grant": "deny",
# "inactive": true,
# "line": 2,
# "protocol": "tcp",
# "protocol_options": {
# "tcp": true
# },
# "source": {
# "address": "2001:db8:0:3::/64",
# "port_protocol": {
# "eq": "www"
# }
# }
# }
# ],
# "acl_type": "extended",
# "name": "R1_traffic"
# },
# {
# "aces": [
# {
# "destination": {
# "address": "192.0.3.0",
# "netmask": "255.255.255.0",
# "port_protocol": {
# "eq": "www"
# }
# },
# "grant": "deny",
# "line": 1,
# "log": "default",
# "protocol": "tcp",
# "protocol_options": {
# "tcp": true
# },
# "source": {
# "address": "192.0.2.0",
# "netmask": "255.255.255.0"
# }
# },
# {
# "destination": {
# "address": "198.51.110.0",
# "netmask": "255.255.255.0"
# },
# "grant": "deny",
# "inactive": true,
# "line": 2,
# "protocol": "igrp",
# "protocol_options": {
# "igrp": true
# },
# "source": {
# "address": "198.51.100.0",
# "netmask": "255.255.255.0"
# },
# "time_range": "temp"
# }
# ],
# "acl_type": "extended",
# "name": "temp_access"
# }
# ]
# }
# ]
# Using Rendered
- name: Rendered the provided configuration with the exisiting running configuration
cisco.asa.asa_acls:
config:
acls:
- name: temp_access
acl_type: extended
aces:
- grant: deny
line: 1
protocol_options:
tcp: true
source:
address: 192.0.2.0
netmask: 255.255.255.0
destination:
address: 192.0.3.0
netmask: 255.255.255.0
port_protocol:
eq: www
log: default
- grant: deny
line: 2
protocol_options:
igrp: true
source:
address: 198.51.100.0
netmask: 255.255.255.0
destination:
address: 198.51.110.0
netmask: 255.255.255.0
time_range: temp
- name: R1_traffic
aces:
- grant: deny
protocol_options:
tcp: true
source:
address: 2001:db8:0:3::/64
port_protocol:
eq: www
destination:
address: 2001:fc8:0:4::/64
port_protocol:
eq: telnet
inactive: true
state: rendered
# Module Execution Result:
# ------------------------
#
# "rendered": [
# "access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0
# eq www log default"
# "access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp"
# "access-list R1_traffic
# deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive"
# ]
# Using Parsed
# parsed.cfg
#
# access-list test_access; 2 elements; name hash: 0xaf1b712e
# access-list test_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors
# access-list test_R1_traffic; 1 elements; name hash: 0xaf40d3c2
# access-list test_R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
- name: Parse the commands for provided configuration
cisco.asa.asa_acls:
running_config: "{{ lookup('file', 'parsed.cfg') }}"
state: parsed
# Module Execution Result:
# ------------------------
#
# "parsed": [
# {
# "acls": [
# {
# "aces": [
# {
# "destination": {
# "address": "192.0.3.0",
# "netmask": "255.255.255.0",
# "port_protocol": {
# "eq": "www"
# }
# },
# "grant": "deny",
# "line": 1,
# "log": "default",
# "protocol": "tcp",
# "protocol_options": {
# "tcp": true
# },
# "source": {
# "address": "192.0.2.0",
# "netmask": "255.255.255.0"
# }
# },
# {
# "destination": {
# "address": "198.51.110.0",
# "netmask": "255.255.255.0"
# },
# "grant": "deny",
# "line": 2,
# "log": "errors",
# "protocol": "igrp",
# "protocol_options": {
# "igrp": true
# },
# "source": {
# "address": "198.51.100.0",
# "netmask": "255.255.255.0"
# }
# }
# ],
# "acl_type": "extended",
# "name": "test_access"
# },
# {
# "aces": [
# {
# "destination": {
# "address": "2001:fc8:0:4::/64",
# "port_protocol": {
# "eq": "telnet"
# }
# },
# "grant": "deny",
# "inactive": true,
# "line": 1,
# "protocol": "tcp",
# "protocol_options": {
# "tcp": true
# },
# "source": {
# "address": "2001:db8:0:3::/64",
# "port_protocol": {
# "eq": "www"
# }
# }
# }
# ],
# "acl_type": "extended",
# "name": "test_R1_TRAFFIC"
# }
# ]
# }
# ]
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| after
list / elements=string
|
when changed |
The configuration as structured data after module completion.
Sample:
The configuration returned will always be in the same format of the parameters above.
|
| before
list / elements=string
|
always |
The configuration as structured data prior to module invocation.
Sample:
The configuration returned will always be in the same format of the parameters above.
|
| commands
list / elements=string
|
always |
The set of commands pushed to the remote device
Sample:
['access-list global_access line 1 extended permit icmp any any log disable']
|
Authors
- Sumit Jaiswal (@justjais)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/cisco/asa/asa_acls_module.html