cisco.asa.asa_acls – Access-Lists resource module
Note
This plugin is part of the cisco.asa collection (version 1.0.4).
To install it, run: ansible-galaxy collection install cisco.asa
To use it in a playbook, specify: cisco.asa.asa_acls
New in version 1.0.0 of cisco.asa
Synopsis
- This module configures and manages the named or numbered ACLs on ASA platforms.
Note
This module has a corresponding action plugin.
Parameters
Parameter | Choices/Defaults | Comments
---|---|---
config dictionary | | A dictionary of ACL options.
  acls list / elements=dictionary | | A list of Access Control Lists (ACLs).
    aces list / elements=dictionary | | The entries within the ACL.
      destination dictionary | | Specify the packet destination.
        address string | | Host address to match, or any single host address.
        any boolean | | Match any destination address.
        any4 boolean | | Match any IPv4 destination address.
        any6 boolean | | Match any IPv6 destination address.
        host string | | A single destination host.
        interface string | | Use the interface address as the destination address.
        netmask string | | Netmask for the destination IP address; valid with an IPv4 address.
        object_group string | | Network object-group for the destination address.
        port_protocol dictionary | | Specify the destination port along with the protocol. Valid only with the tcp/udp protocol_options.
          eq string | | Match only packets on a given port number.
          gt string | | Match only packets with a greater port number.
          lt string | | Match only packets with a lower port number.
          neq string | | Match only packets not on a given port number.
          range dictionary | | Port range operator.
            end integer | | Specify the end of the port range.
            start integer | | Specify the start of the port range.
      grant string | | Specify the action.
      inactive boolean | | Keyword for disabling an ACL element.
      line integer | | Line number at which the ACE should be entered; an existing ACE can be updated based on the input line number. Not required when configuring the ACL, but required for a delete operation, without which the delete will not work as expected. Refer to vendor documentation for valid values.
      log string | | Log matches against this entry.
      protocol string | | Specify the protocol to match. Refer to vendor documentation for valid values.
      protocol_options dictionary | | Protocol type.
        ahp boolean | | Authentication Header Protocol.
        eigrp boolean | | Cisco's EIGRP routing protocol.
        esp boolean | | Encapsulation Security Payload.
        gre boolean | | Cisco's GRE tunneling.
        icmp dictionary | | Internet Control Message Protocol.
          alternate_address boolean | | Alternate address.
          conversion_error boolean | | Datagram conversion.
          echo boolean | | Echo (ping).
          echo_reply boolean | | Echo reply.
          information_reply boolean | | Information replies.
          information_request boolean | | Information requests.
          mask_reply boolean | | Mask replies.
          mask_request boolean | | Mask requests.
          mobile_redirect boolean | | Mobile host redirect.
          parameter_problem boolean | | All parameter problems.
          redirect boolean | | All redirects.
          router_advertisement boolean | | Router discovery advertisements.
          router_solicitation boolean | | Router discovery solicitations.
          source_quench boolean | | Source quenches.
          source_route_failed boolean | | Source route.
          time_exceeded boolean | | All time exceededs.
          timestamp_reply boolean | | Timestamp replies.
          timestamp_request boolean | | Timestamp requests.
          traceroute boolean | | Traceroute.
          unreachable boolean | | All unreachables.
        icmp6 dictionary | | Internet Control Message Protocol for IPv6.
          echo boolean | | Echo (ping).
          echo_reply boolean | | Echo reply.
          membership_query boolean | | Membership query.
          membership_reduction boolean | | Membership reduction.
          membership_report boolean | | Membership report.
          neighbor_advertisement boolean | | Neighbor advertisement.
          neighbor_redirect boolean | | Neighbor redirect.
          neighbor_solicitation boolean | | Neighbor solicitation.
          packet_too_big boolean | | Packet too big.
          parameter_problem boolean | | Parameter problem.
          router_advertisement boolean | | Router discovery advertisements.
          router_renumbering boolean | | Router renumbering.
          router_solicitation boolean | | Router solicitation.
          time_exceeded boolean | | Time exceeded.
          unreachable boolean | | All unreachables.
        igmp boolean | | Internet Gateway Message Protocol.
        igrp boolean | | Internet Gateway Routing Protocol.
        ip boolean | | Any Internet Protocol.
        ipinip boolean | | IP in IP tunneling.
        ipsec boolean | | IP Security.
        nos boolean | | KA9Q NOS compatible IP over IP tunneling.
        ospf boolean | | OSPF routing protocol.
        pcp boolean | | Payload Compression Protocol.
        pim boolean | | Protocol Independent Multicast.
        pptp boolean | | Point-to-Point Tunneling Protocol.
        protocol_number integer | | An IP protocol number.
        sctp boolean | | Stream Control Transmission Protocol.
        snp boolean | | Simple Network Protocol.
        tcp boolean | | Match TCP packet flags.
        udp boolean | | User Datagram Protocol.
      remark string | | Specify a comment (remark) for the access-list after this keyword.
      source dictionary | | Specify the packet source.
        address string | | Source network address.
        any boolean | | Match any source address.
        any4 boolean | | Match any IPv4 source address.
        any6 boolean | | Match any IPv6 source address.
        host string | | A single source host.
        interface string | | Use the interface address as the source address.
        netmask string | | Netmask for the source IP address; valid with an IPv4 address.
        object_group string | | Network object-group for the source address.
        port_protocol dictionary | | Specify the destination port along with the protocol. Valid only with the tcp/udp protocol_options.
          eq string | | Match only packets on a given port number.
          gt string | | Match only packets with a greater port number.
          lt string | | Match only packets with a lower port number.
          neq string | | Match only packets not on a given port number.
          range dictionary | | Port range operator.
            end integer | | Specify the end of the port range.
            start integer | | Specify the start of the port range.
      time_range string | | Specify a time-range.
    acl_type string | | ACL type.
    name string / required | | The name or the number of the ACL.
    rename string | | Rename an existing access-list. If rename is given, it takes precedence over the other parameters, and only the rename configuration is matched and computed against.
running_config string | | By default the module connects to the remote device and retrieves the current running-config to use as the base for comparison against the contents of source. There are times when it is not desirable to have the task get the current running-config for every task in a playbook. The running_config argument allows the implementer to pass in the configuration to use as the base config for comparison.
state string | | The state of the configuration after module completion.
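As an added example (not the collection's own code), the Python below renders this data model into the ASA access-list commands it describes and enforces the constraints the table states: name is required, rename takes precedence over the other ACL parameters, port_protocol is valid only with the tcp/udp protocol options, and an IPv4 address needs a netmask. The function names (render_ace, render_acl, lint_config) and the TEMP_ACCESS dictionary are this example's own; it reproduces the command layout shown in the Examples section but not every formatting detail of the module's rendered output.

```python
"""Render the asa_acls ``config`` data model into the ASA ``access-list`` commands it describes,
enforcing the constraints the parameter table states.  Added example, not the cisco.asa
collection's own code; it covers the ACE forms documented in that table."""

# protocol_options keys that select a protocol with a plain boolean flag
BOOL_PROTOCOLS = ("ahp", "eigrp", "esp", "gre", "igmp", "igrp", "ip", "ipinip", "ipsec", "nos",
                  "ospf", "pcp", "pim", "pptp", "sctp", "snp", "tcp", "udp")
ENDPOINT_KEYS = ("any", "any4", "any6", "host", "interface", "object_group", "address")


def _protocol(ace: dict) -> str:
    """Resolve the protocol keyword from ``protocol`` or a ``protocol_options`` flag."""
    if ace.get("protocol"):
        return str(ace["protocol"])
    opts = ace.get("protocol_options") or {}
    if opts.get("protocol_number") is not None:
        return str(opts["protocol_number"])
    for key in ("icmp", "icmp6") + BOOL_PROTOCOLS:
        if opts.get(key):
            return key
    raise ValueError("ACE needs 'protocol' or a protocol_options flag")

def _endpoint(spec: dict, role: str) -> list:
    """Render source/destination; exactly one address form must be given."""
    present = [k for k in ENDPOINT_KEYS if spec.get(k)]
    if len(present) != 1:
        raise ValueError(f"{role}: give exactly one of {ENDPOINT_KEYS}, got {present}")
    key = present[0]
    if key in ("any", "any4", "any6"):
        return [key]
    if key == "address":
        if ":" in spec["address"]:                 # IPv6 prefix carries its own length
            return [spec["address"]]
        if not spec.get("netmask"):                # table: netmask is valid with IPv4 addresses
            raise ValueError(f"{role}: IPv4 address requires netmask")
        return [spec["address"], spec["netmask"]]
    return [key.replace("_", "-"), spec[key]]      # host / interface / object-group

def _port(spec: dict, protocol: str, role: str) -> list:
    pp = spec.get("port_protocol")
    if not pp:
        return []
    if protocol not in ("tcp", "udp"):             # table: valid only with TCP/UDP protocol_options
        raise ValueError(f"{role}: port_protocol is only valid with tcp/udp, not {protocol}")
    (op, value), = pp.items()                      # exactly one operator per port_protocol
    if op == "range":
        return ["range", str(value["start"]), str(value["end"])]
    if op not in ("eq", "gt", "lt", "neq"):
        raise ValueError(f"{role}: unknown port operator {op!r}")
    return [op, str(value)]

def render_ace(acl_name: str, acl_type: str, ace: dict) -> str:
    """One ACE dictionary -> one ``access-list`` command line."""
    parts = ["access-list", acl_name]
    if ace.get("line") is not None:
        parts += ["line", str(ace["line"])]
    if ace.get("remark"):
        return " ".join(parts + ["remark", ace["remark"]])
    if ace.get("grant") not in ("permit", "deny"):
        raise ValueError("grant must be 'permit' or 'deny'")
    protocol = _protocol(ace)
    parts += [acl_type, ace["grant"], protocol]
    for role in ("source", "destination"):
        spec = ace.get(role) or {}
        parts += _endpoint(spec, role) + _port(spec, protocol, role)
    if ace.get("log"):
        parts += ["log", ace["log"]]
    if ace.get("time_range"):
        parts += ["time-range", ace["time_range"]]
    if ace.get("inactive"):
        parts.append("inactive")
    return " ".join(parts)

def render_acl(acl: dict) -> list:
    """Commands for one ACL; ``rename`` takes precedence over all other parameters (as the table says)."""
    if not acl.get("name"):
        raise ValueError("name is required")
    if acl.get("rename"):
        return [f"access-list {acl['name']} rename {acl['rename']}"]
    return [render_ace(acl["name"], acl.get("acl_type") or "extended", ace) for ace in acl.get("aces") or []]

def lint_config(config: dict) -> list:
    """Pre-flight check that collects every validation error instead of stopping at the first."""
    errors = []
    for acl in config.get("acls") or []:
        try:
            render_acl(acl)
        except ValueError as exc:
            errors.append(f"{acl.get('name') or '<unnamed>'}: {exc}")
    return errors

# Constructed input: the temp_access ACL from this page's "Using rendered" example.
TEMP_ACCESS = {"name": "temp_access", "acl_type": "extended", "aces": [
    {"grant": "deny", "line": 1, "protocol_options": {"tcp": True}, "log": "default",
     "source": {"address": "192.0.2.0", "netmask": "255.255.255.0"},
     "destination": {"address": "192.0.3.0", "netmask": "255.255.255.0", "port_protocol": {"eq": "www"}}},
    {"grant": "deny", "line": 2, "protocol_options": {"igrp": True}, "time_range": "temp",
     "source": {"address": "198.51.100.0", "netmask": "255.255.255.0"},
     "destination": {"address": "198.51.110.0", "netmask": "255.255.255.0"}}]}
```

Running lint_config over a playbook's config before the task reaches the firewall turns a mid-run module failure into a list of errors you can fix up front; render_acl(TEMP_ACCESS) prints the two access-list lines that the rendered example on this page shows for the same input.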
Notes
Note
- Tested against Cisco ASA Version 9.10(1)11
- This module works with connection network_cli. See ASA Platform Options.
Examples
# Using merged

# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 2 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic; 1 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www log errors interval 300 (hitcnt=0) 0x4a4660f3

- name: Merge provided configuration with device configuration
  cisco.asa.asa_acls:
    config:
      acls:
        - name: temp_access
          acl_type: extended
          aces:
            - grant: deny
              line: 1
              protocol_options:
                tcp: true
              source:
                address: 192.0.2.0
                netmask: 255.255.255.0
              destination:
                address: 192.0.3.0
                netmask: 255.255.255.0
                port_protocol:
                  eq: www
              log: default
            - grant: deny
              line: 2
              protocol_options:
                igrp: true
              source:
                address: 198.51.100.0
                netmask: 255.255.255.0
              destination:
                address: 198.51.110.0
                netmask: 255.255.255.0
              time_range: temp
            - grant: deny
              line: 3
              protocol_options:
                tcp: true
              source:
                interface: management
              destination:
                interface: management
                port_protocol:
                  eq: www
              log: warnings
            - grant: deny
              line: 4
              protocol_options:
                tcp: true
              source:
                object_group: test_og_network
              destination:
                object_group: test_network_og
                port_protocol:
                  eq: www
              log: default
        - name: global_access
          acl_type: extended
          aces:
            - line: 3
              remark: test global access
            - grant: deny
              line: 4
              protocol_options:
                tcp: true
              source:
                any: true
              destination:
                any: true
                port_protocol:
                  eq: www
              log: errors
        - name: R1_traffic
          aces:
            - line: 1
              remark: test_v6_acls
            - grant: deny
              line: 2
              protocol_options:
                tcp: true
              source:
                address: 2001:db8:0:3::/64
                port_protocol:
                  eq: www
              destination:
                address: 2001:fc8:0:4::/64
                port_protocol:
                  eq: telnet
              inactive: true
    state: merged

# Commands fired:
# ---------------
# access-list global_access line 3 remark test global access
# access-list global_access line 4 extended deny tcp any any eq www log errors interval 300
# access-list R1_traffic line 1 remark test_v6_acls
# access-list R1_traffic line 2 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
# access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 time-range temp inactive
# access-list temp_access line 2 extended deny tcp interface management interface management eq www log warnings
# access-list test_access line 3 extended deny tcp object-group test_og_network object-group test_network_og eq www log default

# After state:
# ------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 remark test global access (hitcnt=0) 0xae78337e
# access-list global_access line 4 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1 remark test_v6_acls
# access-list R1_traffic line 2 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
# access-list test_access line 3 extended deny tcp interface management interface management eq www log warnings interval 300 (hitcnt=0) 0x78aa233d
# access-list test_access line 2 extended deny tcp object-group test_og_network object-group test_network_og eq www log default (hitcnt=0) 0x477aec1e
# access-list test_access line 2 extended deny tcp 192.0.2.0 255.255.255.0 host 192.0.3.1 eq www log default (hitcnt=0) 0xdc7edff8
# access-list test_access line 2 extended deny tcp 192.0.2.0 255.255.255.0 host 192.0.3.2 eq www log default (hitcnt=0) 0x7b0e9fde
# access-list test_access line 2 extended deny tcp 198.51.100.0 255.255.255.0 2001:db8:3::/64 eq www log default (hitcnt=0) 0x97c75adc

# Using merged to rename ACLs

# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 2 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic; 1 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www log errors interval 300 (hitcnt=0) 0x4a4660f3

- name: Rename ACL with different name using Merged state
  cisco.asa.asa_acls:
    config:
      acls:
        - name: global_access
          rename: global_access_renamed
        - name: R1_traffic
          rename: R1_traffic_renamed
    state: merged

# Commands fired:
# ---------------
# access-list global_access rename global_access_renamed
# access-list R1_traffic rename R1_traffic_renamed

# After state:
# ------------
#
# vasa#sh access-lists
# access-list global_access_renamed; 2 elements; name hash: 0xbd6c87a7
# access-list global_access_renamed line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access_renamed line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic_renamed; 1 elements; name hash: 0xaf40d3c2
# access-list R1_traffic_renamed line 1 extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www log errors interval 300 (hitcnt=0) 0x4a4660f3

# Using replaced

# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 time-range temp (hitcnt=0) (inactive) 0xcd6b92ae

- name: Replaces device configuration of listed acl with provided configuration
  cisco.asa.asa_acls:
    config:
      acls:
        - name: global_access
          acl_type: extended
          aces:
            - grant: deny
              line: 1
              protocol_options:
                tcp: true
              source:
                address: 192.0.4.0
                netmask: 255.255.255.0
                port_protocol:
                  eq: telnet
              destination:
                address: 192.0.5.0
                netmask: 255.255.255.0
                port_protocol:
                  eq: www
    state: replaced

# Commands fired:
# ---------------
# no access-list global_access line 3 extended deny tcp any any eq www log errors interval 300
# no access-list global_access line 2 extended deny tcp any any eq telnet
# no access-list global_access line 1 extended permit icmp any any log disable
# access-list global_access line 1 extended deny tcp 192.0.4.0 255.255.255.0 eq telnet 192.0.5.0 255.255.255.0 eq www

# After state:
# ------------
#
# vasa#sh access-lists
# access-list global_access; 1 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended deny tcp 192.0.4.0 255.255.255.0 eq telnet 192.0.5.0 255.255.255.0 eq www (hitcnt=0) 0x3e5b2757
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 time-range temp (hitcnt=0) (inactive) 0xcd6b92ae

# Using overridden

# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 time-range temp (hitcnt=0) (inactive) 0xcd6b92ae

- name: Override device configuration of all acl with provided configuration
  cisco.asa.asa_acls:
    config:
      acls:
        - name: global_access
          acl_type: extended
          aces:
            - grant: deny
              line: 1
              protocol_options:
                tcp: true
              source:
                address: 192.0.4.0
                netmask: 255.255.255.0
                port_protocol:
                  eq: telnet
              destination:
                address: 192.0.5.0
                netmask: 255.255.255.0
                port_protocol:
                  eq: www
    state: overridden

# Commands fired:
# ---------------
# access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 time-range temp
# no access-list temp_access line 1 extended grant deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# no access-list R1_traffic line 2 extended grant deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
# no access-list R1_traffic line 1 extended grant deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www log errors
# no access-list global_access line 3 extended grant deny tcp any any eq www log errors
# no access-list global_access line 2 extended grant deny tcp any any eq telnet
# no access-list global_access line 1 extended grant permit icmp any any log disable
# access-list global_access line 4 extended deny tcp 192.0.4.0 255.255.255.0 eq telnet 192.0.5.0 255.255.255.0 eq www

# After state:
# ------------
#
# vasa#sh access-lists
# access-list global_access; 1 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630

# Using deleted

# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 time-range temp (hitcnt=0) (inactive) 0xcd6b92ae

- name: "Delete module attributes of given acl (Note: This won't delete ALL of the ACLs configured)"
  cisco.asa.asa_acls:
    config:
      acls:
        - name: temp_access
        - name: global_access
    state: deleted

# Commands fired:
# ---------------
# no access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 time-range temp inactive
# no access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# no access-list global_access line 3 extended deny tcp any any eq www log errors interval 300
# no access-list global_access line 2 extended deny tcp any any eq telnet
# no access-list global_access line 1 extended permit icmp any any log disable

# After state:
# ------------
#
# vasa#sh access-lists
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive (hitcnt=0) (inactive) 0xe922b432

# Using deleted without any config passed
# (NOTE: This will delete all of the configured resource module attributes)

# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 time-range temp (hitcnt=0) (inactive) 0xcd6b92ae

- name: 'Delete ALL ACLs in one go (Note: This WILL delete the ALL of configured ACLs)'
  cisco.asa.asa_acls:
    state: deleted

# Commands fired:
# ---------------
# no access-list global_access line 1 extended permit icmp any any log disable
# no access-list global_access line 2 extended deny tcp any any eq telnet
# no access-list global_access line 3 extended deny tcp any any eq www log errors interval 300
# no access-list R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www log errors interval 300
# no access-list R1_traffic line 2 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
# no access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# no access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 time-range temp inactive

# After state:
# ------------
#
# vasa#sh access-lists

# Using gathered

# Before state:
# -------------
#
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 time-range temp (hitcnt=0) (inactive) 0xcd6b92ae

- name: Gather listed ACLs with provided configurations
  cisco.asa.asa_acls:
    config:
    state: gathered

# Module Execution Result:
# ------------------------
#
# "gathered": [
#   {
#     "acls": [
#       {
#         "aces": [
#           {
#             "destination": {"any": true},
#             "grant": "permit",
#             "line": 1,
#             "log": "disable",
#             "protocol": "icmp",
#             "source": {"any": true}
#           },
#           {
#             "destination": {"any": true, "port_protocol": {"eq": "telnet"}},
#             "grant": "deny",
#             "line": 2,
#             "protocol": "tcp",
#             "protocol_options": {"tcp": true},
#             "source": {"any": true}
#           }
#         ],
#         "acl_type": "extended",
#         "name": "global_access"
#       },
#       {
#         "aces": [
#           {
#             "destination": {"address": "2001:fc8:0:4::/64", "port_protocol": {"eq": "www"}},
#             "grant": "deny",
#             "line": 1,
#             "log": "errors",
#             "protocol": "tcp",
#             "protocol_options": {"tcp": true},
#             "source": {"address": "2001:db8:0:3::/64", "port_protocol": {"eq": "telnet"}}
#           },
#           {
#             "destination": {"address": "2001:fc8:0:4::/64", "port_protocol": {"eq": "telnet"}},
#             "grant": "deny",
#             "inactive": true,
#             "line": 2,
#             "protocol": "tcp",
#             "protocol_options": {"tcp": true},
#             "source": {"address": "2001:db8:0:3::/64", "port_protocol": {"eq": "www"}}
#           }
#         ],
#         "acl_type": "extended",
#         "name": "R1_traffic"
#       },
#       {
#         "aces": [
#           {
#             "destination": {"address": "192.0.3.0", "netmask": "255.255.255.0", "port_protocol": {"eq": "www"}},
#             "grant": "deny",
#             "line": 1,
#             "log": "default",
#             "protocol": "tcp",
#             "protocol_options": {"tcp": true},
#             "source": {"address": "192.0.2.0", "netmask": "255.255.255.0"}
#           },
#           {
#             "destination": {"address": "198.51.110.0", "netmask": "255.255.255.0"},
#             "grant": "deny",
#             "inactive": true,
#             "line": 2,
#             "protocol": "igrp",
#             "protocol_options": {"igrp": true},
#             "source": {"address": "198.51.100.0", "netmask": "255.255.255.0"},
#             "time_range": "temp"
#           }
#         ],
#         "acl_type": "extended",
#         "name": "temp_access"
#       }
#     ]
#   }
# ]

# Using rendered

- name: Render the provided configuration with the existing running configuration
  cisco.asa.asa_acls:
    config:
      acls:
        - name: temp_access
          acl_type: extended
          aces:
            - grant: deny
              line: 1
              protocol_options:
                tcp: true
              source:
                address: 192.0.2.0
                netmask: 255.255.255.0
              destination:
                address: 192.0.3.0
                netmask: 255.255.255.0
                port_protocol:
                  eq: www
              log: default
            - grant: deny
              line: 2
              protocol_options:
                igrp: true
              source:
                address: 198.51.100.0
                netmask: 255.255.255.0
              destination:
                address: 198.51.110.0
                netmask: 255.255.255.0
              time_range: temp
        - name: R1_traffic
          aces:
            - grant: deny
              protocol_options:
                tcp: true
              source:
                address: 2001:db8:0:3::/64
                port_protocol:
                  eq: www
              destination:
                address: 2001:fc8:0:4::/64
                port_protocol:
                  eq: telnet
              inactive: true
    state: rendered

# Module Execution Result:
# ------------------------
#
# "rendered": [
#   "access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default",
#   "access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 time-range temp",
#   "access-list R1_traffic deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive"
# ]

# Using parsed

# parsed.cfg
#
# access-list test_access; 2 elements; name hash: 0xaf1b712e
# access-list test_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors
# access-list test_R1_traffic; 1 elements; name hash: 0xaf40d3c2
# access-list test_R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive

- name: Parse the commands for provided configuration
  cisco.asa.asa_acls:
    running_config: "{{ lookup('file', 'parsed.cfg') }}"
    state: parsed

# Module Execution Result:
# ------------------------
#
# "parsed": [
#   {
#     "acls": [
#       {
#         "aces": [
#           {
#             "destination": {"address": "192.0.3.0", "netmask": "255.255.255.0", "port_protocol": {"eq": "www"}},
#             "grant": "deny",
#             "line": 1,
#             "log": "default",
#             "protocol": "tcp",
#             "protocol_options": {"tcp": true},
#             "source": {"address": "192.0.2.0", "netmask": "255.255.255.0"}
#           },
#           {
#             "destination": {"address": "198.51.110.0", "netmask": "255.255.255.0"},
#             "grant": "deny",
#             "line": 2,
#             "log": "errors",
#             "protocol": "igrp",
#             "protocol_options": {"igrp": true},
#             "source": {"address": "198.51.100.0", "netmask": "255.255.255.0"}
#           }
#         ],
#         "acl_type": "extended",
#         "name": "test_access"
#       },
#       {
#         "aces": [
#           {
#             "destination": {"address": "2001:fc8:0:4::/64", "port_protocol": {"eq": "telnet"}},
#             "grant": "deny",
#             "inactive": true,
#             "line": 1,
#             "protocol": "tcp",
#             "protocol_options": {"tcp": true},
#             "source": {"address": "2001:db8:0:3::/64", "port_protocol": {"eq": "www"}}
#           }
#         ],
#         "acl_type": "extended",
#         "name": "test_R1_TRAFFIC"
#       }
#     ]
#   }
# ]
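The gathered and parsed examples show the structure the module builds from show access-lists output. The following is an added example, not the collection's own parser: it performs that transformation for extended ACEs and remark lines in plain Python, diffs two snapshots (diff_acls) so that an ACL change made outside the playbook shows up as added and removed entries, and lists permit-any-any ACEs (broad_permits) as a quick audit check. The snapshot strings BEFORE and AFTER and all function names are constructed for this example; the hashes and hit counts in AFTER are placeholders.

```python
"""Parse Cisco ASA ``show access-lists`` output into the structure that ``state: gathered`` and
``state: parsed`` return, then diff two snapshots to catch ACL drift.  Added example, not the
cisco.asa collection's own parser; it handles extended ACEs and remark lines only."""
import json
import re

ACE_RE = re.compile(r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?:extended )?"
                    r"(?P<body>(?:remark|permit|deny) .*)$")
TRAILER_RE = re.compile(r"\s*(\(hitcnt=\d+\)|\(inactive\)|0x[0-9a-fA-F]+)\s*$")  # show-output suffixes
WIDE = ("any", "any4", "any6")


def _endpoint(tokens: list, i: int) -> tuple:
    """Consume one source/destination form from the parameter table above."""
    tok = tokens[i]
    if tok in WIDE:
        return {tok: True}, i + 1
    if tok in ("host", "interface", "object-group"):
        return {tok.replace("-", "_"): tokens[i + 1]}, i + 2
    if ":" in tok:                                           # IPv6 prefix carries its own length
        return {"address": tok}, i + 1
    return {"address": tok, "netmask": tokens[i + 1]}, i + 2  # IPv4 address followed by netmask

def _port(tokens: list, i: int) -> tuple:
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        return {tokens[i]: tokens[i + 1]}, i + 2
    if i < len(tokens) and tokens[i] == "range":            # page shows range bounds as integers
        return {"range": {"start": int(tokens[i + 1]), "end": int(tokens[i + 2])}}, i + 3
    return {}, i

def parse_ace(line: str) -> tuple:
    """One ACE line -> (acl name, ace dict in the module's own format)."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an extended ACE line: {line!r}")
    body, inactive = m.group("body"), False
    while (t := TRAILER_RE.search(body)):                    # peel "(hitcnt=0) (inactive) 0x..."
        inactive, body = inactive or t.group(1) == "(inactive)", body[: t.start()]
    tokens = body.split()
    ace = {"line": int(m.group("line"))}
    if tokens[0] == "remark":
        ace["remark"] = " ".join(tokens[1:])
        return m.group("acl"), ace
    ace["grant"], ace["protocol"] = tokens[0], tokens[1]
    if tokens[1] not in ("icmp", "icmp6"):                   # mirrors the page's gathered output
        ace["protocol_options"] = {tokens[1]: True}
    i = 2
    for role in ("source", "destination"):
        ace[role], i = _endpoint(tokens, i)
        ports, i = _port(tokens, i)
        if ports:
            ace[role]["port_protocol"] = ports
    while i < len(tokens):                                   # trailing modifiers
        if tokens[i] == "log":
            ace["log"], i = tokens[i + 1], i + 2
            if i < len(tokens) and tokens[i] == "interval":  # gathered output omits the interval
                i += 2
        elif tokens[i] == "time-range":
            ace["time_range"], i = tokens[i + 1], i + 2
        elif tokens[i] == "inactive":
            inactive, i = True, i + 1
        else:
            raise ValueError(f"unexpected token {tokens[i]!r} in {line!r}")
    if inactive:
        ace["inactive"] = True
    return m.group("acl"), ace

def parse_show_access_lists(text: str) -> list:
    acls = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("access-list ") or "; name hash:" in line:
            continue                                         # prompt, blank or per-ACL header line
        name, ace = parse_ace(line)
        acls.setdefault(name, {"name": name, "acl_type": "extended", "aces": []})["aces"].append(ace)
    return list(acls.values())

def diff_acls(before: list, after: list) -> dict:
    """ACEs added/removed between snapshots; line numbers are ignored so renumbering is not drift."""
    ident = lambda acl, e: acl + ": " + json.dumps({k: v for k, v in e.items() if k != "line"}, sort_keys=True)
    old = {ident(a["name"], e) for a in before for e in a["aces"]}
    new = {ident(a["name"], e) for a in after for e in a["aces"]}
    return {"added": sorted(new - old), "removed": sorted(old - new)}

def broad_permits(acls: list) -> list:
    """(acl, line) of every ACE that permits any IP protocol from any source to any destination."""
    return [(a["name"], e["line"]) for a in acls for e in a["aces"]
            if e.get("grant") == "permit" and e.get("protocol") == "ip"
            and any(e["source"].get(k) for k in WIDE) and any(e["destination"].get(k) for k in WIDE)]

# Constructed snapshots in the format shown on this page; hashes and hit counts are placeholders.
BEFORE = """\
vasa#sh access-lists
access-list global_access; 2 elements; name hash: 0xbd6c87a7
access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
"""
AFTER = BEFORE.replace(   # same device later: the telnet deny is gone, a permit-any-any line appeared
    "access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af\n",
    "access-list global_access line 2 remark added outside change control (hitcnt=0) 0x00000001\n"
    "access-list global_access line 3 extended permit ip any any (hitcnt=42) 0x00000002\n")
```

Comparing the structured form rather than raw text is what makes the diff useful: hit counters and per-ACE hashes are stripped, and an ACE is identified by its content rather than its line number, so a pure renumbering does not register as a policy change while a dropped deny or a new permit ip any any does.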
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
after list / elements=string | when changed | The configuration as structured data after module completion. Sample: The configuration returned will always be in the same format as the parameters above.
before list / elements=string | always | The configuration as structured data prior to module invocation. Sample: The configuration returned will always be in the same format as the parameters above.
commands list / elements=string | always | The set of commands pushed to the remote device. Sample: ['access-list global_access line 1 extended permit icmp any any log disable']
Authors
- Sumit Jaiswal (@justjais)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.11/collections/cisco/asa/asa_acls_module.html