Introduction
The following Ansible playbook connects to a Cisco ASA firewall, authenticates with an SSH key instead of a saved password, and writes a backup of the running configuration to a file on the Ansible host.

Generating a pair of SSH keys:
Many tutorials authenticate Ansible to the network device with a saved username and password (usually in a group_vars YAML file). That is a reusable secret sitting on the jump host; Ansible Vault only protects it at rest, and it is still sent to the device on every run. A better option is to generate an SSH key pair on the jump host, keep the private key there (mode 0600, ideally with a passphrase loaded into ssh-agent) and install only the public key on the firewall.
On the Ansible jump host, run the following command:
[root@centos /]# ssh-keygen -t rsa
Follow the prompts until the key pair has been created (note the non-default path /private_keys/id_rsa; Ansible has to be told about it later):
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /private_keys/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /private_keys/id_rsa.
Your public key has been saved in /private_keys/id_rsa.pub.
The key fingerprint is:
SHA256:qmU77byrkE6jvHTnZUbyE7ioIcMQXw/bj4hEr5CJN6g root@centos.kuligowski.co.uk
The key's randomart image is:
+---[RSA 3072]----+
|                 |
|                 |
|. . o            |
|.B o = .         |
|B = o = S        |
|++ + + O .       |
|E.= O B.B        |
| = B O.*..       |
|  =.o ++=o       |
+----[SHA256]-----+
Print the public key so it can be copied to the Cisco ASA:
[root@centos /]# cat /private_keys/id_rsa.pub
ssh-rsa <public key omitted>
Log in to the Cisco ASA, enter the user's attributes and paste the public key. Paste only the base64 body of id_rsa.pub (the part between ssh-rsa and the trailing comment); that is what the publickey keyword means by a raw SSH-RSA key. The pkf option takes a whole key file pasted from the terminal instead:
asa-greatdenham-fw(config)# username cisco attributes
asa-greatdenham-fw(config-username)# ssh authentication ?
username mode commands/options:
  pkf        Import an SSH public key formatted file from the terminal
  publickey  Specifies that SSH-RSA public key authentication can be used
asa-greatdenham-fw(config-username)# ssh authentication publickey ?
username mode commands/options:
  WORD  Raw SSH-RSA public key   <--------- PASTE YOUR PUBLIC KEY HERE
Two things are easy to miss here. The key is only consulted when SSH logins use the local user database (aaa authentication ssh console LOCAL), and show running-config needs privileged EXEC, so either give the user privilege 15 with aaa authorization exec LOCAL auto-enable or let Ansible enter enable mode for it (ansible_become with the enable method).
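The paste step is where this procedure usually goes wrong: the wrong key type, or the whole id_rsa.pub line including the ssh-rsa prefix and comment, ends up on the ASA. The helper below is an added example, not part of the original post and not a Cisco or Ansible tool. It reads an OpenSSH public key file, checks that it really is an ssh-rsa key (the publickey keyword's help text above asks for a raw SSH-RSA key), confirms the base64 body decodes to an ssh-rsa blob, and prints the two ASA lines to paste. The user name and file path are arguments; nothing here is derived from the real key on the page.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post): turn an
# OpenSSH public key file into the ASA CLI lines shown above, after checking
# it is the kind of key the "ssh authentication publickey" keyword expects.

# Split "ssh-rsa AAAA... comment" into its base64 body, validating the type.
# Prints the body on success; returns 1 for a non-RSA or malformed key line.
asa_key_body() {
    keyline=$1
    set -- $keyline
    [ "$#" -ge 2 ] || { echo "malformed key line" >&2; return 1; }
    ktype=$1
    body=$2
    # The ASA keyword takes a raw SSH-RSA key, so refuse ed25519/ecdsa keys.
    [ "$ktype" = "ssh-rsa" ] || { echo "ASA publickey wants ssh-rsa, got $ktype" >&2; return 1; }
    # An OpenSSH key blob is length-prefixed; its first field must be the
    # literal string "ssh-rsa" (4-byte length 7, then the 7 characters).
    inner=$(printf '%s' "$body" | base64 -d 2>/dev/null | head -c 11 | tail -c 7)
    [ "$inner" = "ssh-rsa" ] || { echo "body does not decode to an ssh-rsa blob" >&2; return 1; }
    printf '%s\n' "$body"
}

# Emit the config to paste on the ASA for user $1 from public key file $2,
# in the username-attributes form the page shows.
asa_pubkey_config() {
    user=$1
    keyfile=$2
    body=$(asa_key_body "$(head -n 1 "$keyfile")") || return 1
    printf 'username %s attributes\n' "$user"
    printf ' ssh authentication publickey %s\n' "$body"
}

# Stand-alone usage: ./asa-pubkey.sh cisco /private_keys/id_rsa.pub
if [ "$#" -eq 2 ]; then
    asa_pubkey_config "$1" "$2"
fi
```

The decode check matters because a line-wrapped paste, a stray trailing character from a terminal emulator or an ed25519 key from a newer ssh-keygen default all produce a key the ASA accepts syntactically but never matches at login.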
Ansible Host file
Let's add the firewall to the inventory and tell Ansible which user and which key to use (asa.fqdn.net stands for the firewall's FQDN, asa.kuligowski.co.uk in the run below). ansible_ssh_user is the old spelling of ansible_user, and the key path has to be given explicitly because the key is not in ~/.ssh:
[root@centos /]# vi /etc/ansible/hosts
[asa]
asa.fqdn.net ansible_network_os=asa ansible_user=cisco ansible_ssh_private_key_file=/private_keys/id_rsa
Ansible playbook
Let's create the actual playbook. It does three things: connects to the device over network_cli, runs show running-config and registers the output in a variable, then writes that variable to a file on the Ansible host. Two details matter for a firewall backup: the copy task is delegated to localhost (with a network connection it would otherwise try to run on the ASA), and the file is written with mode 0600 because the running config contains password hashes, pre-shared keys and SNMP communities. The debug task prints the whole config to the console, so it only fires with -v; drop it entirely if the playbook output is logged or mailed by cron.
---
- name: Backup Cisco ASA configuration to file
  hosts: asa
  connection: network_cli
  gather_facts: no
  tasks:
    - name: "Show the ASA running configuration"
      asa_command:
        commands:
          - show running-config
      register: output

    - debug:
        var: output.stdout_lines
        verbosity: 1

    - name: "Save Config"
      copy:
        content: "{{ output.stdout[0] }}"
        dest: "/backups/asa_{{ inventory_hostname }}.txt"
        mode: '0600'
      delegate_to: localhost
Executing the playbook
[root@centos /]# ansible-playbook /etc/ansible/playbooks/asa.yaml
PLAY [Backup Cisco ASA configuration to file] ***********************************************************************************************************************************************************************************
TASK [Show the ASA running configuration] ***************************************************************************************************************************************************************************************
[DEPRECATION WARNING]: Distribution centos 8.3.2011 on host asa.kuligowski.co.uk should use /usr/libexec/platform-python, but is using /usr/bin/python for backward compatibility with prior Ansible releases. A future Ansible
release will default to using the discovered platform python for this host. See https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information. This feature will be removed in
version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
ok: [asa.kuligowski.co.uk]
TASK [Save Config] **************************************************************************************************************************************************************************************************************
ok: [asa.kuligowski.co.uk]
PLAY RECAP **********************************************************************************************************************************************************************************************************************
asa.kuligowski.co.uk : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Running playbook as a cronjob
Edit the crontab and add an entry. Cron needs all five schedule fields before the command (the four-field line * * * 7 is rejected), and cron's environment is minimal, which is why the key path lives in the inventory rather than in the shell profile. The entry below runs every Sunday at 02:00 and sends the output to a log file instead of cron's mail:
[root@centos /]# crontab -e
0 2 * * 7 /usr/bin/ansible-playbook /etc/ansible/playbooks/asa.yaml >> /var/log/asa-backup.log 2>&1
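An unattended backup that silently produces an empty or world-readable file is worse than none, so it is worth having cron call a small wrapper rather than ansible-playbook directly. The script below is an added example, not part of the original post. It assumes the playbook at /etc/ansible/playbooks/asa.yaml writes /backups/asa_asa.kuligowski.co.uk.txt with mode 0600, that the key is at /private_keys/id_rsa, and that flock from util-linux is available; the lock and log paths are made up for the example. The content check looks for the "ASA Version" line that an ASA running configuration carries near its top.

```shell
#!/bin/sh
# Added example (hypothetical cron wrapper, not from the original post).
# Assumed paths: the playbook and backup file named on the page, plus a lock
# and log file chosen here for illustration.
PLAYBOOK=/etc/ansible/playbooks/asa.yaml
BACKUP=/backups/asa_asa.kuligowski.co.uk.txt
LOCK=/run/asa-backup.lock
LOG=/var/log/asa-backup.log

# A backup is only good if it exists, is non-empty, is private (mode 0600,
# assumed to be what the copy task sets) and looks like an ASA running
# configuration (an "ASA Version" line). Returns 0 when all hold.
check_backup() {
    f=$1
    [ -s "$f" ] || { echo "missing or empty backup: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "backup $f has mode $mode, expected 600" >&2; return 1; }
    grep -q 'ASA Version' "$f" || { echo "no ASA Version line in $f" >&2; return 1; }
}

# Run the playbook once, never overlapping a previous run, and verify what it
# produced. Cron's environment is minimal, so the key is named explicitly via
# Ansible's ANSIBLE_PRIVATE_KEY_FILE setting.
run_backup() {
    export ANSIBLE_PRIVATE_KEY_FILE=/private_keys/id_rsa
    export ANSIBLE_DEPRECATION_WARNINGS=False
    flock -n "$LOCK" /usr/bin/ansible-playbook "$PLAYBOOK" >>"$LOG" 2>&1 || {
        echo "ansible-playbook failed or a previous run still holds $LOCK" >&2
        return 1
    }
    check_backup "$BACKUP"
}

# Stand-alone usage (crontab: 0 2 * * 7 /usr/local/sbin/asa-backup.sh run)
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

Because the wrapper exits non-zero when the file is missing, empty or readable by others, a monitoring job or cron's MAILTO only has to watch for a failed exit rather than parse Ansible's output, and the config itself never goes through mail.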