cisco.asa.asa_acls module – Access-Lists resource module
Note
This module is part of the cisco.asa collection (version 2.1.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install cisco.asa.
To use it in a playbook, specify: cisco.asa.asa_acls.
New in version 1.0.0 of cisco.asa
Synopsis
This module configures and manages the named or numbered ACLs on ASA platforms.
Note
This module has a corresponding action plugin.
Parameters
- A dictionary of ACL options.
  - A list of Access Control Lists (ACL).
    - The entries within the ACL.
      - Specify the packet destination.
        - Host address to match, or any single host address.
        - Match any destination address. Choices:
        - Match any IPv4 destination address. Choices:
        - Match any IPv6 destination address. Choices:
        - A single destination host.
        - Use the interface address as the destination address.
        - Netmask for the destination IP address; valid with an IPv4 address.
        - Network object-group for the destination address.
        - Specify the destination port along with the protocol. Note: valid only with the TCP/UDP protocol_options.
          - Match only packets on a given port number.
          - Match only packets with a greater port number.
          - Match only packets with a lower port number.
          - Match only packets not on a given port number.
          - Port range operator.
            - Specify the end of the port range.
            - Specify the start of the port range.
        - Service object-group for the destination port.
      - Specify the action. Choices:
      - Keyword for disabling an ACL element. Choices:
      - Use this to specify the line number at which the ACE should be entered. An existing ACE can be updated based on the input line number. It is not a required param when configuring the ACL, but it is required for the delete operation; without it the delete operation won't work as expected. Refer to vendor documentation for valid values.
      - Log matches against this entry. Choices:
      - Specify the protocol to match. Refer to vendor documentation for valid values.
      - Protocol type.
        - Authentication Header Protocol. Choices:
        - Cisco's EIGRP routing protocol. Choices:
        - Encapsulation Security Payload. Choices:
        - Cisco's GRE tunneling. Choices:
        - Internet Control Message Protocol.
          - Alternate address. Choices:
          - Datagram conversion. Choices:
          - Echo (ping). Choices:
          - Echo reply. Choices:
          - Information replies. Choices:
          - Information requests. Choices:
          - Mask replies. Choices:
          - Mask requests. Choices:
          - Mobile host redirect. Choices:
          - All parameter problems. Choices:
          - All redirects. Choices:
          - Router discovery advertisements. Choices:
          - Router discovery solicitations. Choices:
          - Source quenches. Choices:
          - Source route. Choices:
          - All time exceededs. Choices:
          - Timestamp replies. Choices:
          - Timestamp requests. Choices:
          - Traceroute. Choices:
          - All unreachables. Choices:
        - Internet Control Message Protocol (IPv6).
          - Echo (ping). Choices:
          - Echo reply. Choices:
          - Membership query. Choices:
          - Membership reduction. Choices:
          - Membership report. Choices:
          - Neighbor advertisement. Choices:
          - Neighbor redirect. Choices:
          - Neighbor solicitation. Choices:
          - Packet too big. Choices:
          - Parameter problem. Choices:
          - Router discovery advertisements. Choices:
          - Router renumbering. Choices:
          - Router solicitation. Choices:
          - Time exceeded. Choices:
          - All unreachables. Choices:
        - Internet Group Management Protocol (IGMP). Choices:
        - Interior Gateway Routing Protocol (IGRP). Choices:
        - Any Internet Protocol. Choices:
        - IP in IP tunneling. Choices:
        - IP Security. Choices:
        - KA9Q NOS compatible IP over IP tunneling. Choices:
        - OSPF routing protocol. Choices:
        - Payload Compression Protocol. Choices:
        - Protocol Independent Multicast. Choices:
        - Point-to-Point Tunneling Protocol. Choices:
        - An IP protocol number.
        - Stream Control Transmission Protocol. Choices:
        - Simple Network Protocol. Choices:
        - Match TCP packet flags. Choices:
        - User Datagram Protocol. Choices:
      - Specify a comment (remark) for the access-list after this keyword.
      - Specify the packet source.
        - Source network address.
        - Match any source address. Choices:
        - Match any IPv4 source address. Choices:
        - Match any IPv6 source address. Choices:
        - A single source host.
        - Use the interface address as the source address.
        - Netmask for the source IP address; valid with an IPv4 address.
        - Network object-group for the source address.
        - Specify the source port along with the protocol. Note: valid only with the TCP/UDP protocol_options.
          - Match only packets on a given port number.
          - Match only packets with a greater port number.
          - Match only packets with a lower port number.
          - Match only packets not on a given port number.
          - Port range operator.
            - Specify the end of the port range.
            - Specify the start of the port range.
      - Specify a time-range.
    - ACL type. Choices:
    - The name or the number of the ACL.
    - Rename an existing access-list. If input to the rename param is given, it takes preference over the other parameters, and only the rename config will be matched and computed against.
- The module, by default, will connect to the remote device and retrieve the current running-config to use as a base for comparing against the contents of source. There are times when it is not desirable to have the task get the current running-config for every task in a playbook. The running_config argument allows the implementer to pass in the configuration to use as the base config for comparison.
- The state of the configuration after module completion. Choices:
Notes
Note
Tested against Cisco ASA Version 9.10(1)11
This module works with connection network_cli. See ASA Platform Options.
Examples
# Using merged
# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 2 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic; 1 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
- name: Merge provided configuration with device configuration
  cisco.asa.asa_acls:
    config:
      acls:
        - name: temp_access
          acl_type: extended
          aces:
            - grant: deny
              line: 1
              protocol_options:
                tcp: true
              source:
                address: 192.0.2.0
                netmask: 255.255.255.0
              destination:
                address: 192.0.3.0
                netmask: 255.255.255.0
                port_protocol:
                  eq: www
              log: default
            - grant: deny
              line: 2
              protocol_options:
                igrp: true
              source:
                address: 198.51.100.0
                netmask: 255.255.255.0
              destination:
                address: 198.51.110.0
                netmask: 255.255.255.0
              time_range: temp
            - grant: deny
              line: 3
              protocol_options:
                tcp: true
              source:
                interface: management
              destination:
                interface: management
                port_protocol:
                  eq: www
              log: warnings
            - grant: deny
              line: 4
              protocol_options:
                tcp: true
              source:
                object_group: test_og_network
              destination:
                object_group: test_network_og
                port_protocol:
                  eq: www
              log: default
        - name: global_access
          acl_type: extended
          aces:
            - line: 3
              remark: test global access
            - grant: deny
              line: 4
              protocol_options:
                tcp: true
              source:
                any: true
              destination:
                any: true
                port_protocol:
                  eq: www
              log: errors
        - name: R1_traffic
          aces:
            - line: 1
              remark: test_v6_acls
            - grant: deny
              line: 2
              protocol_options:
                tcp: true
              source:
                address: 2001:db8:0:3::/64
                port_protocol:
                  eq: www
              destination:
                address: 2001:fc8:0:4::/64
                port_protocol:
                  eq: telnet
              inactive: true
    state: merged
# Commands fired:
# ---------------
# access-list global_access line 3 remark test global access
# access-list global_access line 4 extended deny tcp any any eq www log errors interval 300
# access-list R1_traffic line 1 remark test_v6_acls
# access-list R1_traffic line 2 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
# access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp inactive
# access-list temp_access line 2 extended deny tcp interface management interface management
# eq www log warnings
# access-list test_access line 3 extended deny tcp object-group test_og_network object-group test_network_og
# eq www log default
# After state:
# ------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 remark test global access (hitcnt=0) 0xae78337e
# access-list global_access line 4 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1 remark test_v6_acls
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
# access-list test_access line 3
# extended deny tcp interface management interface management eq www log warnings
# interval 300 (hitcnt=0) 0x78aa233d
# access-list test_access line 2 extended deny tcp object-group test_og_network object-group test_network_og
# eq www log default (hitcnt=0) 0x477aec1e
# access-list test_access line 2 extended deny tcp 192.0.2.0 255.255.255.0 host 192.0.3.1 eq www
# log default (hitcnt=0) 0xdc7edff8
# access-list test_access line 2 extended deny tcp 192.0.2.0 255.255.255.0 host 192.0.3.2 eq www
# log default (hitcnt=0) 0x7b0e9fde
# access-list test_access line 2 extended deny tcp 198.51.100.0 255.255.255.0 2001:db8:3::/64 eq www
# log default (hitcnt=0) 0x97c75adc
# Using Merged to Rename ACLs
# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 2 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic; 1 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
- name: Rename ACL with different name using Merged state
  cisco.asa.asa_acls:
    config:
      acls:
        - name: global_access
          rename: global_access_renamed
        - name: R1_traffic
          rename: R1_traffic_renamed
    state: merged
# Commands fired:
# ---------------
# access-list global_access rename global_access_renamed
# access-list R1_traffic rename R1_traffic_renamed
# After state:
# -------------
#
# vasa#sh access-lists
# access-list global_access_renamed; 2 elements; name hash: 0xbd6c87a7
# access-list global_access_renamed line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access_renamed line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic_renamed; 1 elements; name hash: 0xaf40d3c2
# access-list R1_traffic_renamed line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# Using replaced
# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
- name: Replaces device configuration of listed acl with provided configuration
  cisco.asa.asa_acls:
    config:
      acls:
        - name: global_access
          acl_type: extended
          aces:
            - grant: deny
              line: 1
              protocol_options:
                tcp: true
              source:
                address: 192.0.4.0
                netmask: 255.255.255.0
                port_protocol:
                  eq: telnet
              destination:
                address: 192.0.5.0
                netmask: 255.255.255.0
                port_protocol:
                  eq: www
    state: replaced
# Commands fired:
# ---------------
# no access-list global_access line 3 extended deny tcp any any eq www log errors interval 300
# no access-list global_access line 2 extended deny tcp any any eq telnet
# no access-list global_access line 1 extended permit icmp any any log disable
# access-list global_access line 1 extended deny tcp 192.0.4.0 255.255.255.0 eq telnet 192.0.5.0 255.255.255.0 eq www
# After state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 1 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended deny tcp 192.0.4.0 255.255.255.0 eq telnet
# 192.0.5.0 255.255.255.0 eq www (hitcnt=0) 0x3e5b2757
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
# Using overridden
# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
- name: Override device configuration of all acl with provided configuration
  cisco.asa.asa_acls:
    config:
      acls:
        - name: global_access
          acl_type: extended
          aces:
            - grant: deny
              line: 1
              protocol_options:
                tcp: true
              source:
                address: 192.0.4.0
                netmask: 255.255.255.0
                port_protocol:
                  eq: telnet
              destination:
                address: 192.0.5.0
                netmask: 255.255.255.0
                port_protocol:
                  eq: www
    state: overridden
# Commands fired:
# ---------------
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 time-range temp
# no access-list temp_access line 1
# extended grant deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# no access-list R1_traffic line 2
# extended grant deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
# no access-list R1_traffic line 1
# extended grant deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www log errors
# no access-list global_access line 3 extended grant deny tcp any any eq www log errors
# no access-list global_access line 2 extended grant deny tcp any any eq telnet
# no access-list global_access line 1 extended grant permit icmp any any log disable
# access-list global_access line 4 extended deny tcp 192.0.4.0 255.255.255.0 eq telnet 192.0.5.0 255.255.255.0 eq www
# After state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 1 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# Using Deleted
# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
- name: "Delete module attributes of given acl (Note: This won't delete ALL of the ACLs configured)"
  cisco.asa.asa_acls:
    config:
      acls:
        - name: temp_access
        - name: global_access
    state: deleted
# Commands fired:
# ---------------
# no access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp inactive
# no access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default
# no access-list global_access line 3 extended deny tcp any any eq www log errors interval 300
# no access-list global_access line 2 extended deny tcp any any eq telnet
# no access-list global_access line 1 extended permit icmp any any log disable
# After state:
# -------------
#
# vasa#sh access-lists
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# Using Deleted without any config passed
#"(NOTE: This will delete all of configured resource module attributes)"
# Before state:
# -------------
#
# vasa#sh access-lists
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list global_access line 3 extended deny tcp any any eq www log errors interval 300 (hitcnt=0) 0x605f2421
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
- name: 'Delete ALL ACLs in one go (Note: This WILL delete ALL of the configured ACLs)'
  cisco.asa.asa_acls:
    state: deleted
# Commands fired:
# ---------------
# no access-list global_access line 1 extended permit icmp any any log disable
# no access-list global_access line 2 extended deny tcp any any eq telnet
# no access-list global_access line 3 extended deny tcp any any eq www log errors interval 300
# no access-list R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300
# no access-list R1_traffic line 2 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
# no access-list temp_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# no access-list temp_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp inactive
# After state:
# -------------
#
# vasa#sh access-lists
# Using Gathered
# Before state:
# -------------
#
# access-list global_access; 3 elements; name hash: 0xbd6c87a7
# access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
# access-list global_access line 2 extended deny tcp any any eq telnet (hitcnt=0) 0xae5833af
# access-list R1_traffic; 2 elements; name hash: 0xaf40d3c2
# access-list R1_traffic line 1
# extended deny tcp 2001:db8:0:3::/64 eq telnet 2001:fc8:0:4::/64 eq www
# log errors interval 300 (hitcnt=0) 0x4a4660f3
# access-list R1_traffic line 2
# extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet
# inactive (hitcnt=0) (inactive) 0xe922b432
# access-list temp_access; 2 elements; name hash: 0xaf1b712e
# access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www
# log default (hitcnt=0) 0xb58abb0d
# access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp (hitcnt=0) (inactive) 0xcd6b92ae
- name: Gather listed ACLs with provided configurations
  cisco.asa.asa_acls:
    config:
    state: gathered
# Module Execution Result:
# ------------------------
#
# "gathered": [
#   {
#     "acls": [
#       {
#         "aces": [
#           {
#             "destination": {
#               "any": true
#             },
#             "grant": "permit",
#             "line": 1,
#             "log": "disable",
#             "protocol": "icmp",
#             "source": {
#               "any": true
#             }
#           },
#           {
#             "destination": {
#               "any": true,
#               "port_protocol": {
#                 "eq": "telnet"
#               }
#             },
#             "grant": "deny",
#             "line": 2,
#             "protocol": "tcp",
#             "protocol_options": {
#               "tcp": true
#             },
#             "source": {
#               "any": true
#             }
#           }
#         ],
#         "acl_type": "extended",
#         "name": "global_access"
#       },
#       {
#         "aces": [
#           {
#             "destination": {
#               "address": "2001:fc8:0:4::/64",
#               "port_protocol": {
#                 "eq": "www"
#               }
#             },
#             "grant": "deny",
#             "line": 1,
#             "log": "errors",
#             "protocol": "tcp",
#             "protocol_options": {
#               "tcp": true
#             },
#             "source": {
#               "address": "2001:db8:0:3::/64",
#               "port_protocol": {
#                 "eq": "telnet"
#               }
#             }
#           },
#           {
#             "destination": {
#               "address": "2001:fc8:0:4::/64",
#               "port_protocol": {
#                 "eq": "telnet"
#               }
#             },
#             "grant": "deny",
#             "inactive": true,
#             "line": 2,
#             "protocol": "tcp",
#             "protocol_options": {
#               "tcp": true
#             },
#             "source": {
#               "address": "2001:db8:0:3::/64",
#               "port_protocol": {
#                 "eq": "www"
#               }
#             }
#           }
#         ],
#         "acl_type": "extended",
#         "name": "R1_traffic"
#       },
#       {
#         "aces": [
#           {
#             "destination": {
#               "address": "192.0.3.0",
#               "netmask": "255.255.255.0",
#               "port_protocol": {
#                 "eq": "www"
#               }
#             },
#             "grant": "deny",
#             "line": 1,
#             "log": "default",
#             "protocol": "tcp",
#             "protocol_options": {
#               "tcp": true
#             },
#             "source": {
#               "address": "192.0.2.0",
#               "netmask": "255.255.255.0"
#             }
#           },
#           {
#             "destination": {
#               "address": "198.51.110.0",
#               "netmask": "255.255.255.0"
#             },
#             "grant": "deny",
#             "inactive": true,
#             "line": 2,
#             "protocol": "igrp",
#             "protocol_options": {
#               "igrp": true
#             },
#             "source": {
#               "address": "198.51.100.0",
#               "netmask": "255.255.255.0"
#             },
#             "time_range": "temp"
#           }
#         ],
#         "acl_type": "extended",
#         "name": "temp_access"
#       }
#     ]
#   }
# ]
# Using Rendered
- name: Render the provided configuration against the existing running configuration
  cisco.asa.asa_acls:
    config:
      acls:
        - name: temp_access
          acl_type: extended
          aces:
            - grant: deny
              line: 1
              protocol_options:
                tcp: true
              source:
                address: 192.0.2.0
                netmask: 255.255.255.0
              destination:
                address: 192.0.3.0
                netmask: 255.255.255.0
                port_protocol:
                  eq: www
              log: default
            - grant: deny
              line: 2
              protocol_options:
                igrp: true
              source:
                address: 198.51.100.0
                netmask: 255.255.255.0
              destination:
                address: 198.51.110.0
                netmask: 255.255.255.0
              time_range: temp
        - name: R1_traffic
          aces:
            - grant: deny
              protocol_options:
                tcp: true
              source:
                address: 2001:db8:0:3::/64
                port_protocol:
                  eq: www
              destination:
                address: 2001:fc8:0:4::/64
                port_protocol:
                  eq: telnet
              inactive: true
    state: rendered
# Module Execution Result:
# ------------------------
#
# "rendered": [
# "access-list temp_access line 1
# extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0
# eq www log default"
# "access-list temp_access line 2
# extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0
# time-range temp"
# "access-list R1_traffic
# deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive"
# ]
# Using Parsed
# parsed.cfg
#
# access-list test_access; 2 elements; name hash: 0xaf1b712e
# access-list test_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
# access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors
# access-list test_R1_traffic; 1 elements; name hash: 0xaf40d3c2
# access-list test_R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
- name: Parse the commands for provided configuration
  cisco.asa.asa_acls:
    running_config: "{{ lookup('file', 'parsed.cfg') }}"
    state: parsed
# Module Execution Result:
# ------------------------
#
# "parsed": [
#   {
#     "acls": [
#       {
#         "aces": [
#           {
#             "destination": {
#               "address": "192.0.3.0",
#               "netmask": "255.255.255.0",
#               "port_protocol": {
#                 "eq": "www"
#               }
#             },
#             "grant": "deny",
#             "line": 1,
#             "log": "default",
#             "protocol": "tcp",
#             "protocol_options": {
#               "tcp": true
#             },
#             "source": {
#               "address": "192.0.2.0",
#               "netmask": "255.255.255.0"
#             }
#           },
#           {
#             "destination": {
#               "address": "198.51.110.0",
#               "netmask": "255.255.255.0"
#             },
#             "grant": "deny",
#             "line": 2,
#             "log": "errors",
#             "protocol": "igrp",
#             "protocol_options": {
#               "igrp": true
#             },
#             "source": {
#               "address": "198.51.100.0",
#               "netmask": "255.255.255.0"
#             }
#           }
#         ],
#         "acl_type": "extended",
#         "name": "test_access"
#       },
#       {
#         "aces": [
#           {
#             "destination": {
#               "address": "2001:fc8:0:4::/64",
#               "port_protocol": {
#                 "eq": "telnet"
#               }
#             },
#             "grant": "deny",
#             "inactive": true,
#             "line": 1,
#             "protocol": "tcp",
#             "protocol_options": {
#               "tcp": true
#             },
#             "source": {
#               "address": "2001:db8:0:3::/64",
#               "port_protocol": {
#                 "eq": "www"
#               }
#             }
#           }
#         ],
#         "acl_type": "extended",
#         "name": "test_R1_traffic"
#       }
#     ]
#   }
# ]
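As an added example (not the collection's own parser), the following Python turns show access-lists text in the layout of parsed.cfg above into the same {"acls": [...]} structure the module returns for the parsed and gathered states, and then flags active any-to-any permit entries, the kind of review worth running on gathered output before a replaced or overridden run. SAMPLE_CFG is a constructed input in that layout, and find_any_any_permits is this example's own check, not a module feature.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of the page's parsed.cfg / `show access-lists`
# output; the hit counters and hashes are made-up values.
SAMPLE_CFG = """\
access-list global_access; 2 elements; name hash: 0xbd6c87a7
access-list global_access line 1 extended permit icmp any any log disable (hitcnt=0) 0xf1efa630
access-list global_access line 2 remark test global access
access-list test_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 192.0.3.0 255.255.255.0 eq www log default
access-list test_R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive
"""

ACE_RE = re.compile(r"^access-list (\S+) line (\d+) (remark|extended) ?(.*)$")
ANY_KEYWORDS = ("any", "any4", "any6")
PORT_OPS = ("eq", "gt", "lt", "neq", "range")


def _take_endpoint(tok: List[str], i: int) -> Tuple[Dict, int]:
    """Consume one source/destination spec (plus optional port) starting at tok[i]."""
    ep: Dict = {}
    word = tok[i]
    if word in ANY_KEYWORDS:
        ep[word], n = True, 1
    elif word in ("host", "object-group", "interface"):
        ep[word.replace("-", "_")], n = tok[i + 1], 2
    elif ":" in word:                      # IPv6 prefix carries its own length
        ep["address"], n = word, 1
    else:                                  # IPv4 address followed by a netmask
        ep["address"], ep["netmask"], n = word, tok[i + 1], 2
    i += n
    if i < len(tok) and tok[i] in PORT_OPS:
        if tok[i] == "range":
            ep["port_protocol"], n = {"range": {"start": tok[i + 1], "end": tok[i + 2]}}, 3
        else:
            ep["port_protocol"], n = {tok[i]: tok[i + 1]}, 2
        i += n
    return ep, i


def parse_access_lists(text: str) -> Dict:
    """Turn `show access-lists` text into the module's {"acls": [...]} layout."""
    acls: Dict[str, Dict] = {}
    for raw in text.splitlines():
        line = re.sub(r"\s*\(hitcnt=\d+\).*$", "", raw.strip())   # drop counters/hash
        m = ACE_RE.match(line)
        if not m:
            continue                       # "name hash" summary lines carry no ACE
        name, lineno, kind, rest = m.groups()
        acl = acls.setdefault(name, {"name": name, "aces": []})
        ace: Dict = {"line": int(lineno)}
        if kind == "remark":
            ace["remark"] = rest
        else:
            acl["acl_type"] = kind
            tok = rest.split()
            ace["grant"], ace["protocol"] = tok[0], tok[1]
            ace["protocol_options"] = {tok[1]: True}
            ace["source"], i = _take_endpoint(tok, 2)
            ace["destination"], i = _take_endpoint(tok, i)
            while i < len(tok):            # trailing keywords, in any order
                if tok[i] == "log":
                    ace["log"] = tok[i + 1]
                elif tok[i] == "time-range":
                    ace["time_range"] = tok[i + 1]
                elif tok[i] == "inactive":
                    ace["inactive"] = True
                # anything else ("interval 300", etc.) is not a module field: skip it
                i += 2 if tok[i] in ("log", "time-range") else 1
        acl["aces"].append(ace)
    return {"acls": list(acls.values())}


def find_any_any_permits(parsed: Dict) -> List[str]:
    """Flag active ACEs that permit any source to any destination with no port restriction."""
    hits = []
    for acl in parsed["acls"]:
        for ace in acl["aces"]:
            src, dst = ace.get("source", {}), ace.get("destination", {})
            if (ace.get("grant") == "permit" and not ace.get("inactive")
                    and any(k in src for k in ANY_KEYWORDS)
                    and any(k in dst for k in ANY_KEYWORDS) and "port_protocol" not in dst):
                hits.append(f"{acl['name']} line {ace['line']}")
    return hits
```

Standard ACLs and the icmp/icmp6 sub-type keywords are outside what this parser handles; it skips unknown trailing keywords rather than failing, so check the returned structure against the device output before acting on it.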
Return Values
Common return values are documented here; the following are the fields unique to this module:
- after: The configuration as structured data after module completion. Returned: when changed. Sample: "The configuration returned will always be in the same format of the parameters above."
- before: The configuration as structured data prior to module invocation. Returned: always. Sample: "The configuration returned will always be in the same format of the parameters above."
- commands: The set of commands pushed to the remote device. Returned: always. Sample: ["access-list global_access line 1 extended permit icmp any any log disable"]
Authors
Sumit Jaiswal (@justjais)