14 Nov

Cisco ASA REST API – Lab topology and programming language

First published: 31/Oct/2016
Last update: 31/Oct/2016
ASA REST API version: 1.2.2

Before we start using the Cisco ASA REST API, let’s get familiar with the network topology that will be used in the following chapters.

(Figure: lab topology diagram)

The whole simulation runs on Cisco VIRL installed as a VMware VM and uses the included ASAv and lxc-sshd images. VIRL is cheap and gives us a wide range of virtual devices to choose from for the simulation. ASAv is running image 9.5(2)204, which has ASDM 7.5(2) and REST API version 1.2.2.200 preinstalled.

For your convenience the topology and all scripts will be available in a GitHub repository.

Interfaces

Interface addressing follows the approach known from CCIE labs: each device has a unique number. The third octet of a link IP address consists of the node numbers from both ends, starting with the lower one, and the last octet is the device number. All link addresses come from the 10.0.0.0/8 block (subnetted to /24 per link), using 0 as the second octet for links between firewalls and 100 for links to the lxc hosts. Management interfaces are in the 172.16.1.0/24 network.

Static routing is configured at this stage to provide proper connectivity. The path from lxc-sshd-5 to lxc-sshd-7 is via asav-2, while the path from lxc-sshd-6 to lxc-sshd-8 is via asav-3.

Login to all devices is ‘cisco’ with password ‘cisco’.

asav-1  show interface ip brief

Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.0.12.1       YES CONFIG up                    up  
GigabitEthernet0/1         10.0.13.1       YES CONFIG up                    up  
GigabitEthernet0/2         10.100.15.1     YES CONFIG up                    up  
GigabitEthernet0/3         10.100.16.1     YES CONFIG up                    up  
Management0/0              172.16.1.51     YES CONFIG up                    up

asav-2  show interface ip brief

Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.0.12.2       YES CONFIG up                    up  
GigabitEthernet0/1         10.0.24.2       YES CONFIG up                    up  
Management0/0              172.16.1.52     YES CONFIG up                    up

asav-3  show interface ip brief

Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.0.34.3       YES CONFIG up                    up  
GigabitEthernet0/1         10.0.13.3       YES CONFIG up                    up  
Management0/0              172.16.1.53     YES CONFIG up                    up

asav-4  show interface ip brief

Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.0.34.4       YES CONFIG up                    up  
GigabitEthernet0/1         10.0.24.4       YES CONFIG up                    up  
GigabitEthernet0/2         10.100.47.4     YES CONFIG up                    up  
GigabitEthernet0/3         10.100.48.4     YES CONFIG up                    up  
Management0/0              172.16.1.54     YES CONFIG up                    up
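As an added example (not code from the original post), the following Perl script encodes the addressing rule above and checks a captured ‘show interface ip brief’ output against it; it assumes single-digit node numbers and that 10.0.x.x links join firewalls while 10.100.x.x links join lxc hosts, as described in this chapter.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Addressing rule from the lab: third octet is both node numbers, lower first;
# last octet is the device's own number; second octet is 0 for firewall-to-firewall
# links and 100 for links to lxc hosts (assumption: node numbers are single digits).
sub link_ip {
    my ($node_a, $node_b, $self, $is_lxc_link) = @_;
    my ($low, $high) = sort { $a <=> $b } ($node_a, $node_b);
    my $second = $is_lxc_link ? 100 : 0;
    return sprintf('10.%d.%d%d.%d', $second, $low, $high, $self);
}

# Parse 'show interface ip brief' output into an interface => address hash.
sub parse_ip_brief {
    my ($text) = @_;
    my %addr;
    for my $line (split /\n/, $text) {
        next unless $line =~ /^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s/;
        $addr{$1} = $2;
    }
    return \%addr;
}

# Report every 10.x.x.x address on a device that does not match the rule
# for that device number (management addresses are skipped).
sub check_device {
    my ($device_no, $addr) = @_;
    my @problems;
    for my $ifc (sort keys %$addr) {
        my $ip = $addr->{$ifc};
        next unless $ip =~ /^10\.(\d+)\.(\d)(\d)\.\d+$/;
        my ($second, $low, $high) = ($1, $2, $3);
        my $peer   = $low == $device_no ? $high : $low;
        my $expect = link_ip($device_no, $peer, $device_no, $second == 100);
        push @problems, "$ifc: $ip (expected $expect)" unless $ip eq $expect;
    }
    return @problems;
}

# Sample input: the asav-1 output shown above, pasted here for a stand-alone run.
my $asav1 = <<'END';
GigabitEthernet0/0         10.0.12.1       YES CONFIG up                    up
GigabitEthernet0/1         10.0.13.1       YES CONFIG up                    up
GigabitEthernet0/2         10.100.15.1     YES CONFIG up                    up
GigabitEthernet0/3         10.100.16.1     YES CONFIG up                    up
Management0/0              172.16.1.51     YES CONFIG up                    up
END

my @bad = check_device(1, parse_ip_brief($asav1));
print @bad ? join("\n", 'Mismatches:', @bad) : 'asav-1 addressing matches the scheme', "\n";
```

Feeding it the other three outputs with their device numbers (2, 3, 4) is a quick way to catch a mistyped octet before blaming a routing problem on the firewalls.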

Management network

My VIRL is connected to a dedicated segment of my home network, so it’s accessible not only from the computer where I run VIRL, which helps when I want to test something remotely. The Flat-1 network (eth1 interface) is bridged to a dedicated NIC on my PC, which is connected to my switch and firewall on a dedicated VLAN. It uses the predefined VIRL subnet 172.16.1.0/24. The firewall has IP address 172.16.1.1, the VIRL host has IP 172.16.1.254, and the rest of the devices have management IP addresses statically configured in the topology so they don’t change. The topology management network is set to ‘Shared flat network’, so with bridging configured it is externally accessible. I’ve modified the VIRL configuration a little so that not the whole subnet is used for dynamic allocation to nodes.

Management IP addresses are as below:

Device        Management IP
mgmt-lxc      172.16.1.48
asav-1        172.16.1.51
asav-2        172.16.1.52
asav-3        172.16.1.53
asav-4        172.16.1.54
lxc-sshd-5    172.16.1.55
lxc-sshd-6    172.16.1.56
lxc-sshd-7    172.16.1.57
lxc-sshd-8    172.16.1.58

To make it work, routing must of course be configured, so the node configuration for AutoNetkit has been updated with the following command added in the ‘Global’ field of ‘Custom Configuration’:

route mgmt 192.168.1.0 255.255.255.0 172.16.1.1

Default routing on the LXC servers is automatically set to the gateway IP address of the Flat-1 network, so we only add a route to 10.0.0.0/8 pointing to the eth1 interface. On lxc-sshd-5 the script generated by AutoNetkit has to be amended as below:

- path: /etc/rc.local
  owner: root:root
  permissions: '0755'
  content: |-
    #!/bin/sh
    ifconfig eth1 up 10.100.16.6 netmask 255.255.255.0
    route add -net 10.0.0.0/8 gw 10.100.16.1
    exit 0

Additional ASA configuration

But we want to have a working lab from the first AutoNetkit run, without the need to add commands later, or worse, after every simulation restart. So I’ve added the following commands to the ‘Global’ field of the ‘Custom Configuration’ section on each ASAv:

rest-api image boot:/asa-restapi-122200-lfbff-k8.SPA
rest-api agent
asdm image boot:/asdm-75269.bin
asdm history enable
logging buffered debugging
logging asdm informational
aaa authentication http console LOCAL

With that we define the REST API image and enable the REST API itself, add the ASDM configuration, logging, and the AAA authentication required by the REST API.

Why Perl?

When it comes to programming, it’s not just about knowing the syntax and rules of each language but rather about thinking in a more algorithmic way about how to solve the problem, instead of blindly writing tons of code because you know the syntax. I started my journey with programming when I was 14 years old by learning the C language, first on DOS and then on Linux. At some point I even thought that being a programmer might be my career. So for the next 10 years or so I used bash, a little Perl, PHP, VisualBasic, C, C++, C# and Java. Maybe not an impressive list, and I never mastered any of those languages, but the major lesson I was taught from the very beginning (thanks to a passionate teacher I had) is that no matter what language I’m using, what matters most is how I think about solving the problem and writing procedures. I may have forgotten the syntax and rules of each language, but that principle has paid off a number of times on various projects.

As you remember from the previous chapter, there are three standardized programming languages we can use as clients to the REST API: Python, JavaScript and Perl. Now, why did I decide to use Perl? First of all, I don’t know Python, so that was an easy exclusion. JavaScript is not something I’ve been using in the past, as I was more focused on Java applications, and I’m not a fan of JavaScript, so Perl was the only option.

Following best practice, I will try to make all applications as modular as possible. We will reuse the subroutines in many examples.
