The integration of Ansible into the management of Cisco Adaptive Security Appliances (ASA) represents a fundamental shift from manual, CLI-driven configuration to a modern Infrastructure as Code (IaC) paradigm. By leveraging the idempotent nature of Ansible, network engineers can eliminate the risks associated with manual entry, ensure configuration consistency across multiple firewall clusters, and accelerate the deployment of security patches and policy changes. This technical deep dive explores the comprehensive methodology for deploying, managing, and extending the automation capabilities of Cisco ASA devices, ranging from the use of the community-supported collections to the orchestration of REST API deployments.
Architectural Fundamentals of ASA Automation
To automate a Cisco ASA device, one must understand the primary communication pathways available. The most common method involves the use of the network_cli connection plugin, which allows Ansible to emulate a terminal session over SSH. This approach is highly advantageous because it does not require the activation of the REST API, the installation of the Adaptive Security Device Manager (ASDM), or a connection to the Cisco Firepower Management Center (FMC).
The technical requirement for this method is simply a Linux workstation with an Ansible client installed and a Cisco ASA device running a compatible software version, such as Version 9.9(2). For hardware specifically, the ASA 5506 series, including those utilizing FirePOWER Services Software Modules, is fully compatible with this automation flow.
The real-world impact of this architecture is a significant reduction in the "attack surface" required for management. Because the administrator does not need to enable additional services like the REST API to perform basic configuration changes, the device remains more secure. This connects directly to the inventory configuration where ansible_connection = network_cli is specified, telling Ansible to treat the ASA as a network device rather than a standard Linux server.
The community.asa Ansible Collection
The community.asa collection is the primary repository of plugins and modules designed specifically for Cisco ASA hosts. This collection abstracts the complex CLI commands into structured YAML modules, allowing users to manage firewall objects, access lists, and system settings without writing raw Cisco IOS/ASA syntax.
Installation and Setup Procedures
The collection must be installed on the Ansible control node before it can be utilized in any playbook. This is achieved through the ansible-galaxy command-line interface.
Installation via direct CLI:
ansible-galaxy collection install community.asaInstallation via a requirements file:
Users can define arequirements.ymlfile to ensure environment consistency across different teams or CI/CD pipelines. The format for this file is:
```yaml
collections:- name: community.asa
``To execute the installation from this file, the following command is used:ansible-galaxy collection install -r requirements.yml`
The technical necessity of using a requirements.yml file lies in version control and reproducibility. In a professional DevOps pipeline, this ensures that every engineer is using the exact same version of the community.asa tools, preventing "it works on my machine" scenarios.
Collection Development and Testing
For advanced users or contributors who wish to improve the community.asa collection, the recommended workflow involves cloning the repository into one of the configured COLLECTIONS_PATHS. This allows for local modification and immediate testing of new modules.
To maintain the integrity of the collection, a rigorous testing suite is provided in the tests directory, which utilizes ansible-test. These tests ensure that changes do not break existing functionality through sanity checks and integration tests.
Running sanity tests via Docker:
ansible-test sanity --dockerRunning network integration tests:
ansible-test network-integration --inventory /path/to/inventory tests_to_run
The process of publishing these updates to Ansible Galaxy is currently a manual operation. It requires a user with specific access permissions to the community namespace. The publication workflow involves:
1. Updating the galaxy.yml file with the new version number.
2. Creating a release tag in GitHub.
3. Ensuring the CHANGELOG.md is updated with a comprehensive list of changes.
4. Executing the build and publish commands:
ansible-galaxy collection build
ansible-galaxy collection publish ./community-asa-$VERSION_HERE.tar.gz
Configuring the Ansible Environment and Inventory
The inventory file is the heart of the Ansible deployment, as it maps the logical groups of devices to their physical IP addresses and defines the credentials and connection parameters required to establish a session.
Inventory Specification (INV.INI)
In a typical deployment, such as a lab environment involving multiple firewalls, the inventory file (e.g., INV.INI) is structured to separate the host list from the variable definitions.
| Variable | Value/Description | Technical Purpose |
|---|---|---|
ansible_user |
ansible |
The SSH username used to authenticate with the ASA |
ansible_password |
<password> |
The password for the specified SSH user |
ansible_become_method |
enable |
Instructs Ansible to enter privileged mode (enable mode) |
ansible_become_pass |
<password> |
The password required to elevate to enable mode |
ansible_connection |
network_cli |
Specifies the use of the network CLI plugin for SSH communication |
ansible_network_os |
asa |
Tells Ansible the target device is running Cisco ASA software |
The use of ansible_become_method=enable is critical. On a Cisco ASA, most configuration commands require privileged execution mode. Without this setting, Ansible would attempt to run commands in a limited shell, resulting in permission errors.
Host Grouping and Target Examples
A sample inventory for a lab environment might look as follows:
```ini
[firewalls]
192.168.0.102
192.168.0.105
[firewalls:vars]
ansibleuser = ansible
ansiblepassword = yourpassword
ansiblebecomemethod=enable
ansiblebecomepass= yourenablepassword
ansibleconnection = networkcli
ansiblenetwork_os = asa
```
This structure allows the administrator to target all devices in the firewalls group simultaneously, ensuring that a configuration change is pushed to all edge devices in a single execution of the playbook.
Advanced Automation: Deploying the Cisco ASA REST API
While the network_cli is sufficient for basic tasks, deploying the REST API allows for more sophisticated programmatic interactions. Automating the deployment of the REST API itself via Ansible creates a foundation for high-speed, API-driven configuration management.
The Development and Deployment Process
The workflow for deploying the REST API in a test or production environment follows a specific sequence of operations:
1. Build the Ansible Host: Setting up a Linux machine (e.g., CentOS Release 8.1.1911) with Ansible installed.
2. Configure Inventory: Mapping the ASA devices and their credentials.
3. Build YAML Ansible-Playbook: Defining the desired state of the API.
4. Run the Ansible-Playbook: Executing the automation.
Handling File Transfers and Cipher Mismatches
In certain environments, especially virtualized labs like EVE-NG, older versions of the ASA or specific security settings may cause SSH handshake failures due to weak cipher suites. This requires the use of specific SSH options during the file transfer process.
To upload the REST API image (e.g., asa-restapi-7141-lfbff-k8.SPA) to the device's flash storage (disk0:), a bash script combined with sshpass can be used to handle the transfer. This is particularly useful when the environment requires the diffie-hellman-group1-sha1 algorithm.
Example automation script for image upload:
```bash
!/bin/bash
Read Password
echo -n Password:
read -s password
echo
Run Command
echo $password
file=asa-restapi-7141-lfbff-k8.SPA
user=ansible
for device in $(cat device.txt)
do
sshpass -p $password scp -o KexAlgorithms=+diffie-hellman-group1-sha1 -o StrictHostKeyChecking=no $file $user@$device:disk0:$file
done
wait
```
The technical impact of using -o KexAlgorithms=+diffie-hellman-group1-sha1 is that it forces the SSH client to use a legacy key exchange algorithm that the ASA device supports, bypassing the default modern security restrictions of the Linux client that would otherwise terminate the connection.
Operationalizing the Playbook Workflow
The transition from an inventory file to a functioning automation pipeline requires the creation of YAML playbooks. The use of professional text editors such as NotePad++ or Linux-native editors like vim and nano is recommended to ensure correct YAML indentation, as any spacing error will cause the playbook to fail.
The playbook acts as the orchestration layer, calling the modules from the community.asa collection. For instance, a playbook designed to update passwords or push code patches will iterate through the firewalls group defined in the inventory, establish an SSH connection via network_cli, elevate privileges using the enable password, and execute the required configuration changes.
This approach allows for the bulk deployment of updated code and patches across the entire network infrastructure, ensuring that no single firewall is left with an outdated security posture.
Conclusion
The automation of Cisco ASA via Ansible transforms the role of the security administrator from a manual operator to an orchestrator. By utilizing the community.asa collection, administrators can shift from the fragility of manual CLI entry to the stability of version-controlled YAML playbooks. The ability to manage these devices without requiring the REST API or FMC—simply via network_cli—provides a low-barrier entry point for automation. However, for those seeking deeper integration, the ability to automate the deployment of the REST API itself opens the door to high-performance, programmatic firewall management. The combination of strict inventory management, the use of ansible-galaxy for modularity, and a rigorous testing pipeline via ansible-test ensures that security infrastructure remains consistent, scalable, and recoverable.