cisco.asa.asa_acls – Access-Lists resource module
Note
This plugin is part of the cisco.asa collection (version 1.0.4).
To install it use: ansible-galaxy collection install cisco.asa.
To use it in a playbook, specify: cisco.asa.asa_acls.
New in version 1.0.0: of cisco.asa
Synopsis
- This module configures and manages the named or numbered ACLs on ASA platforms.
Note
This module has a corresponding action plugin.
Parameters
| Parameter | Choices/Defaults | Comments | ||||||
|---|---|---|---|---|---|---|---|---|
| config dictionary | A dictionary of ACL options. | |||||||
| acls list / elements=dictionary | A list of Access Control Lists (ACL). | |||||||
| aces list / elements=dictionary | The entries within the ACL. | |||||||
| destination dictionary | Specify the packet destination. | |||||||
| address string | Host address to match, or any single host address. | |||||||
| any boolean |
| Match any destination address. | ||||||
| any4 boolean |
| Match any ipv4 destination address. | ||||||
| any6 boolean |
| Match any ipv6 destination address. | ||||||
| host string | A single destination host | |||||||
| interface string | Use interface address as destination address | |||||||
| netmask string | Netmask for destination IP address, valid with IPV4 address. | |||||||
| object_group string | Network object-group for destination address | |||||||
| port_protocol dictionary | Specify the destination port along with protocol. Note, Valid with TCP/UDP protocol_options | |||||||
| eq string | Match only packets on a given port number. | |||||||
| gt string | Match only packets with a greater port number. | |||||||
| lt string | Match only packets with a lower port number. | |||||||
| neq string | Match only packets not on a given port number. | |||||||
| range dictionary | Port range operator | |||||||
| end integer | Specify the end of the port range. | |||||||
| start integer | Specify the start of the port range. | |||||||
| grant string |
| Specify the action. | ||||||
| inactive boolean |
| Keyword for disabling an ACL element. | ||||||
| line integer | Use this to specify line number at which ACE should be entered. Existing ACE can be updated based on the input line number. It's not a required param in case of configuring the acl, but in case of Delete operation it's required, else Delete operation won't work as expected. Refer to vendor documentation for valid values. | |||||||
| log string |
| Log matches against this entry. | ||||||
| protocol string | Specify the protocol to match. Refer to vendor documentation for valid values. | |||||||
| protocol_options dictionary | protocol type. | |||||||
| ahp boolean |
| Authentication Header Protocol. | ||||||
| eigrp boolean |
| Cisco's EIGRP routing protocol. | ||||||
| esp boolean |
| Encapsulation Security Payload. | ||||||
| gre boolean |
| Cisco's GRE tunneling. | ||||||
| icmp dictionary | Internet Control Message Protocol. | |||||||
| alternate_address boolean |
| Alternate address | ||||||
| conversion_error boolean |
| Datagram conversion | ||||||
| echo boolean |
| Echo (ping) | ||||||
| echo_reply boolean |
| Echo reply | ||||||
| information_reply boolean |
| Information replies | ||||||
| information_request boolean |
| Information requests | ||||||
| mask_reply boolean |
| Mask replies | ||||||
| mask_request boolean |
| mask_request | ||||||
| mobile_redirect boolean |
| Mobile host redirect | ||||||
| parameter_problem boolean |
| All parameter problems | ||||||
| redirect boolean |
| All redirects | ||||||
| router_advertisement boolean |
| Router discovery advertisements | ||||||
| router_solicitation boolean |
| Router discovery solicitations | ||||||
| source_quench boolean |
| Source quenches | ||||||
| source_route_failed boolean |
| Source route | ||||||
| time_exceeded boolean |
| All time exceededs | ||||||
| timestamp_reply boolean |
| Timestamp replies | ||||||
| timestamp_request boolean |
| Timestamp requests | ||||||
| traceroute boolean |
| Traceroute | ||||||
| unreachable boolean |
| All unreachables | ||||||
| icmp6 dictionary | Internet Control Message Protocol. | |||||||
| echo boolean |
| Echo (ping) | ||||||
| echo_reply boolean |
| Echo reply | ||||||
| membership_query boolean |
| Membership query | ||||||
| membership_reduction boolean |
| Membership reduction | ||||||
| membership_report boolean |
| Membership report | ||||||
| neighbor_advertisement boolean |
| Neighbor advertisement | ||||||
| neighbor_redirect boolean |
| Neighbor redirect | ||||||
| neighbor_solicitation boolean |
| Neighbor_solicitation | ||||||
| packet_too_big boolean |
| Packet too big | ||||||
| parameter_problem boolean |
| Parameter problem | ||||||
| router_advertisement boolean |
| Router discovery advertisements | ||||||
| router_renumbering boolean |
| Router renumbering | ||||||
| router_solicitation boolean |
| Router solicitation | ||||||
| time_exceeded boolean |
| Time exceeded | ||||||
| unreachable boolean |
| All unreachables | ||||||
| igmp boolean |
| Internet Gateway Message Protocol. | ||||||
| igrp boolean |
| Internet Gateway Routing Protocol. | ||||||
| ip boolean |
| Any Internet Protocol. | ||||||
| ipinip boolean |
| IP in IP tunneling. | ||||||
| ipsec boolean |
| IP Security. | ||||||
| nos boolean |
| KA9Q NOS compatible IP over IP tunneling. | ||||||
| ospf boolean |
| OSPF routing protocol. | ||||||
| pcp boolean |
| Payload Compression Protocol. | ||||||
| pim boolean |
| Protocol Independent Multicast. | ||||||
| pptp boolean |
| Point-to-Point Tunneling Protocol. | ||||||
| protocol_number integer | An IP protocol number | |||||||
| sctp boolean |
| Stream Control Transmission Protocol. | ||||||
| snp boolean |
| Simple Network Protocol. | ||||||
| tcp boolean |
| Match TCP packet flags | ||||||
| udp boolean |
| User Datagram Protocol. | ||||||
| remark string | Specify a comment (remark) for the access-list after this keyword | |||||||
| source dictionary | Specify the packet source. | |||||||
| address string | Source network address. | |||||||
| any boolean |
| Match any source address. | ||||||
| any4 boolean |
| Match any ipv4 source address. | ||||||
| any6 boolean |
| Match any ipv6 source address. | ||||||
| host string | A single source host | |||||||
| interface string | Use interface address as source address | |||||||
| netmask string | Netmask for source IP address, valid with IPV4 address. | |||||||
| object_group string | Network object-group for source address | |||||||
| port_protocol dictionary | Specify the destination port along with protocol. Note, Valid with TCP/UDP protocol_options | |||||||
| eq string | Match only packets on a given port number. | |||||||
| gt string | Match only packets with a greater port number. | |||||||
| lt string | Match only packets with a lower port number. | |||||||
| neq string | Match only packets not on a given port number. | |||||||
| range dictionary | Port range operator | |||||||
| end integer | Specify the end of the port range. | |||||||
| start integer | Specify the start of the port range. | |||||||
| time_range string | Specify a time-range. | |||||||
| acl_type string |
| ACL type | ||||||
| name string / required | The name or the number of the ACL. | |||||||
| rename string | Rename an existing access-list. If input to rename param is given, it'll take preference over other parameters and only rename config will be matched and computed against. | |||||||
| running_config string | The module, by default, will connect to the remote device and retrieve the current running-config to use as a base for comparing against the contents of source. There are times when it is not desirable to have the task get the current running-config for every task in a playbook. The running_config argument allows the implementer to pass in the configuration to use as the base config for comparison. | |||||||
| state string |
| The state of the configuration after module completion | ||||||
Notes
Note
- Tested against Cisco ASA Version 9.10(1)11
- This module works with connection
network_cli. See ASA Platform Options.
Examples
# Using merged
# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 2 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic; 1 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
- name: Merge provided configuration with device configuration
cisco.asa.asa_acls:
config:
acls:
- name: temp_access
acl_type: extended
aces:
- grant: deny
line: 1
protocol_options:
tcp: true
source:
address: 192.0.2.0
netmask: 255.255.255.0
destination:
address: 192.0.3.0
netmask: 255.255.255.0
port_protocol:
eq: www
log: default
- grant: deny
line: 2
protocol_options:
igrp: true
source:
address: 198.51.100.0
netmask: 255.255.255.0
destination:
address: 198.51.110.0
netmask: 255.255.255.0
time_range: temp
- grant: deny
line: 3
protocol_options:
tcp: true
source:
interface: management
destination:
interface: management
port_protocol:
eq: www
log: warnings
- grant: deny
line: 4
protocol_options:
tcp: true
source:
object_group: test_og_network
destination:
object_group: test_network_og
port_protocol:
eq: www
log: default
- name: global_access
acl_type: extended
aces:
- line: 3
remark: test global access
- grant: deny
line: 4
protocol_options:
tcp: true
source:
any: true
destination:
any: true
port_protocol:
eq: www
log: errors
- name: R1_traffic
aces:
- line: 1
remark: test_v6_acls
- grant: deny
line: 2
protocol_options:
tcp: true
source:
address: 2001:db8:0:3::/64
port_protocol:
eq: www
destination:
address: 2001:fc8:0:4::/64
port_protocol:
eq: telnet
inactive: true
state: merged
# Commands fired:
# ---------------
# access-list global_access line 3 remark test global access
# access-list global_access line 4 extended deny tcp any any eq www log errors interval 300
# access-list R1_traffic line 1 remark test_v6_acls
# access-list R1_traffic line 2 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
# access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp inactive
# access-list temp_access line 2 extended deny tcp interface management interface management
# eq www log warnings
# access-list test_access line 3 extended deny tcp object-group test_og_network object-group test_network_og
# eq www log default
# After state:
# ------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 remark test global access (hitcnt=0) 0xae78337e
# access-list global_access line 4 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1 remark test_v6_acls
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
# access-list test_access line 3
# extended deny tcp interface management interface management eq www log warnings
# interval 300 (hitcnt=0) 0x78aa233d
# access-list test_access line 2 extended deny tcp object-group test_og_network object-group test_network_og
# eq www log default (hitcnt=0) 0x477aec1e
# access-list test_access line 2 extended deny tcp 192.0.2.0 255.255.255.0 host 192.0.3.1 eq www
# log default (hitcnt=0) 0xdc7edff8
# access-list test_access line 2 extended deny tcp 192.0.2.0 255.255.255.0 host 192.0.3.2 eq www
# log default (hitcnt=0) 0x7b0e9fde
# access-list test_access line 2 extended deny tcp 198.51.100.0 255.255.255.0 2001:db8:3::/64 eq www
# log default (hitcnt=0) 0x97c75adc
# Using Merged to Rename ACLs
# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 2 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic; 1 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
- name: Rename ACL with different name using Merged state
cisco.asa.asa_acls:
config:
acls:
- name: global_access
rename: global_access_renamed
- name: R1_traffic
rename: R1_traffic_renamed
state: merged
# Commands fired:
# ---------------
# access-list global_access rename global_access_renamed
# access-list R1_traffic rename R1_traffic_renamed
# After state:
# -------------
#
# vasa#sh access-lists
# access-list global_access_renamed; 2 elements; name hash: 0xbd6c87a7
# access-list global_access_renamed line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access_renamed line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic_renamed; 1 elements; name hash: 0xaf40d3c2
# access-list R1_traffic_renamed line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# Using replaced
# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
- name: Replaces device configuration of listed acl with provided configuration
cisco.asa.asa_acls:
config:
acls:
- name: global_access
acl_type: extended
aces:
- grant: deny
line: 1
protocol_options:
tcp: true
source:
address: 192.0.4.0
netmask: 255.255.255.0
port_protocol:
eq: telnet
destination:
address: 192.0.5.0
netmask: 255.255.255.0
port_protocol:
eq: www
state: replaced
# Commands fired:
# ---------------
# no access-list global_access line 3 extended deny tcp any any eq www log errors interval 300
# no access-list global_access line 2 extended deny tcp any any eq telnet
# no access-list global_access line 1 extended permit icmp any any log disable
# access-list global_access line 1 extended deny tcp 192.0.4.0 255.255.255.0 eq telnet 192.0.5.0 255.255.255.0 eq www
# After state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 1 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended deny tcp 192.0.4.0 255.255.255.0 eq telnet
# 192.0.5.0 255.255.255.0 eq www (hitcnt=0) 0x3e5b2757
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
# Using overridden
# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
- name: Override device configuration of all acl with provided configuration
cisco.asa.asa_acls:
config:
acls:
- name: global_access
acl_type: extended
aces:
- grant: deny
line: 1
protocol_options:
tcp: true
source:
address: 192.0.4.0
netmask: 255.255.255.0
port_protocol:
eq: telnet
destination:
address: 192.0.5.0
netmask: 255.255.255.0
port_protocol:
eq: www
state: overridden
# Commands fired:
# ---------------
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 time-range temp
# no access-list temp_access line 1
# extended grant deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# no access-list R1_traffic line 2
# extended grant deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
# no access-list R1_traffic line 1
# extended grant deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www log errors
# no access-list global_access line 3 extended grant deny tcp any any eq www log errors
# no access-list global_access line 2 extended grant deny tcp any any eq telnet
# no access-list global_access line 1 extended grant permit icmp any any log disable
# access-list global_access line 4 extended deny tcp 192.0.4.0 255.255.255.0 eq telnet 192.0.5.0 255.255.255.0 eq www
# After state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 1 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# Using Deleted
# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
- name: "Delete module attributes of given acl (Note: This won't delete ALL of the ACLs configured)"
cisco.asa.asa_acls:
config:
acls:
- name: temp_access
- name: global_access
state: deleted
# Commands fired:
# ---------------
# no access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp inactive
# no access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default
# no access-list global_access line 3 extended deny tcp any any eq www log errors interval 300
# no access-list global_access line 2 extended deny tcp any any eq telnet
# no access-list global_access line 1 extended permit icmp any any log disable
# After state:
# -------------
#
# vasa#sh access-lists
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# Using Deleted without any config passed
#"(NOTE: This will delete all of configured resource module attributes)"
# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
- name: 'Delete ALL ACLs in one go (Note: This WILL delete the ALL of configured ACLs)'
cisco.asa.asa_acls:
state: deleted
# Commands fired:
# ---------------
# no access-list global_access line 1 extended permit icmp any any log disable
# no access-list global_access line 2 extended deny tcp any any eq telnet
# no access-list global_access line 3 extended deny tcp any any eq www log errors interval 300
# no access-list R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300
# no access-list R1_traffic line 2 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
# no access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# no access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp inactive
# After state:
# -------------
#
# vasa#sh access-lists
# Using Gathered
# Before state:
# -------------
#
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
- name: Gather listed ACLs with provided configurations
cisco.asa.asa_acls:
config:
state: gathered
# Module Execution Result:
# ------------------------
#
# "gathered": [
# {
# "acls": [
# {
# "aces": [
# {
# "destination": {
# "any": true
# },
# "grant": "permit",
# "line": 1,
# "log": "disable",
# "protocol": "icmp",
# "source": {
# "any": true
# }
# },
# {
# "destination": {
# "any": true,
# "port_protocol": {
# "eq": "telnet"
# }
# },
# "grant": "deny",
# "line": 2,
# "protocol": "tcp",
# "protocol_options": {
# "tcp": true
# },
# "source": {
# "any": true
# }
# }
# ],
# "acl_type": "extended",
# "name": "global_access"
# },
# {
# "aces": [
# {
# "destination": {
# "address": "2001:fc8:0:4::/64",
# "port_protocol": {
# "eq": "www"
# }
# },
# "grant": "deny",
# "line": 1,
# "log": "errors",
# "protocol": "tcp",
# "protocol_options": {
# "tcp": true
# },
# "source": {
# "address": "2001:db8:0:3::/64",
# "port_protocol": {
# "eq": "telnet"
# }
# }
# },
# {
# "destination": {
# "address": "2001:fc8:0:4::/64",
# "port_protocol": {
# "eq": "telnet"
# }
# },
# "grant": "deny",
# "inactive": true,
# "line": 2,
# "protocol": "tcp",
# "protocol_options": {
# "tcp": true
# },
# "source": {
# "address": "2001:db8:0:3::/64",
# "port_protocol": {
# "eq": "www"
# }
# }
# }
# ],
# "acl_type": "extended",
# "name": "R1_traffic"
# },
# {
# "aces": [
# {
# "destination": {
# "address": "192.0.3.0",
# "netmask": "255.255.255.0",
# "port_protocol": {
# "eq": "www"
# }
# },
# "grant": "deny",
# "line": 1,
# "log": "default",
# "protocol": "tcp",
# "protocol_options": {
# "tcp": true
# },
# "source": {
# "address": "192.0.2.0",
# "netmask": "255.255.255.0"
# }
# },
# {
# "destination": {
# "address": "198.51.110.0",
# "netmask": "255.255.255.0"
# },
# "grant": "deny",
# "inactive": true,
# "line": 2,
# "protocol": "igrp",
# "protocol_options": {
# "igrp": true
# },
# "source": {
# "address": "198.51.100.0",
# "netmask": "255.255.255.0"
# },
# "time_range": "temp"
# }
# ],
# "acl_type": "extended",
# "name": "temp_access"
# }
# ]
# }
# ]
# Using Rendered
- name: Rendered the provided configuration with the exisiting running configuration
cisco.asa.asa_acls:
config:
acls:
- name: temp_access
acl_type: extended
aces:
- grant: deny
line: 1
protocol_options:
tcp: true
source:
address: 192.0.2.0
netmask: 255.255.255.0
destination:
address: 192.0.3.0
netmask: 255.255.255.0
port_protocol:
eq: www
log: default
- grant: deny
line: 2
protocol_options:
igrp: true
source:
address: 198.51.100.0
netmask: 255.255.255.0
destination:
address: 198.51.110.0
netmask: 255.255.255.0
time_range: temp
- name: R1_traffic
aces:
- grant: deny
protocol_options:
tcp: true
source:
address: 2001:db8:0:3::/64
port_protocol:
eq: www
destination:
address: 2001:fc8:0:4::/64
port_protocol:
eq: telnet
inactive: true
state: rendered
# Module Execution Result:
# ------------------------
#
# "rendered": [
# "access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0
# eq www log default"
# "access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp"
# "access-list R1_traffic
# deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive"
# ]
# Using Parsed
# parsed.cfg
#
# access-list test_access; 2 elements; name hash: 0xaf1b712e
# access-list test_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors
# access-list test_R1_traffic; 1 elements; name hash: 0xaf40d3c2
# access-list test_R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
- name: Parse the commands for provided configuration
cisco.asa.asa_acls:
running_config: "{{ lookup('file', 'parsed.cfg') }}"
state: parsed
# Module Execution Result:
# ------------------------
#
# "parsed": [
# {
# "acls": [
# {
# "aces": [
# {
# "destination": {
# "address": "192.0.3.0",
# "netmask": "255.255.255.0",
# "port_protocol": {
# "eq": "www"
# }
# },
# "grant": "deny",
# "line": 1,
# "log": "default",
# "protocol": "tcp",
# "protocol_options": {
# "tcp": true
# },
# "source": {
# "address": "192.0.2.0",
# "netmask": "255.255.255.0"
# }
# },
# {
# "destination": {
# "address": "198.51.110.0",
# "netmask": "255.255.255.0"
# },
# "grant": "deny",
# "line": 2,
# "log": "errors",
# "protocol": "igrp",
# "protocol_options": {
# "igrp": true
# },
# "source": {
# "address": "198.51.100.0",
# "netmask": "255.255.255.0"
# }
# }
# ],
# "acl_type": "extended",
# "name": "test_access"
# },
# {
# "aces": [
# {
# "destination": {
# "address": "2001:fc8:0:4::/64",
# "port_protocol": {
# "eq": "telnet"
# }
# },
# "grant": "deny",
# "inactive": true,
# "line": 1,
# "protocol": "tcp",
# "protocol_options": {
# "tcp": true
# },
# "source": {
# "address": "2001:db8:0:3::/64",
# "port_protocol": {
# "eq": "www"
# }
# }
# }
# ],
# "acl_type": "extended",
# "name": "test_R1_TRAFFIC"
# }
# ]
# }
# ]
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| after list / elements=string | when changed | The configuration as structured data after module completion. Sample: The configuration returned will always be in the same format of the parameters above. |
| before list / elements=string | always | The configuration as structured data prior to module invocation. Sample: The configuration returned will always be in the same format of the parameters above. |
| commands list / elements=string | always | The set of commands pushed to the remote device Sample: ['access-list global_access line 1 extended permit icmp any any log disable'] |
Authors
- Sumit Jaiswal (@justjais)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/cisco/asa/asa_acls_module.html