Cisco ASA

Overview


Use the Cisco Adaptive Security Appliance Software integration to manage interfaces, rules, and network objects. This integration was integrated and tested with version 9.12(3) of Cisco ASA.

Use Cases


Configure Cisco ASA on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Cisco ASA.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (e.g. https://192.168.0.1)
    • Credentials
    • Use system proxy settings
    • Trust any certificate (not secure)
    • is ASAv
  4. Click Test to validate the URLs, token, and connection.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. cisco-asa-list-rules
  2. cisco-asa-backup
  3. cisco-asa-get-rule-by-id
  4. cisco-asa-create-rule
  5. cisco-asa-delete-rule
  6. cisco-asa-edit-rule
  7. cisco-asa-list-network-objects
  8. cisco-asa-create-network-object
  9. cisco-asa-list-interfaces

1. cisco-asa-list-rules


Gets a list of all rules for the supplied interface.

Base Command

cisco-asa-list-rules

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| interface_name | The name of the interface from which to get rules. | Optional |
| interface_type | The interface type. Can be "In", "Out", or "Global". | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.Rules.Source | String | The rule's source. |
| CiscoASA.Rules.Dest | String | The rule's destination. |
| CiscoASA.Rules.InterfaceType | String | The interface type. Can be "In", "Out", or "Global". |
| CiscoASA.Rules.IsActive | Boolean | Whether the rule is active. |
| CiscoASA.Rules.Interface | String | The name of the interface. |
| CiscoASA.Rules.Position | Number | The position of the rule. |
| CiscoASA.Rules.ID | String | The rule ID. |
| CiscoASA.Rules.Remarks | Unknown | A list of all rule remarks. |
| CiscoASA.Rules.Permit | Boolean | Whether the rule permits traffic from source to destination. |
| CiscoASA.Rules.DestService | String | The destination service. |
| CiscoASA.Rules.SourceService | String | The source service. |
Command Example

!cisco-asa-list-rules interface_type="Global"

Context Example
{
"CiscoASA.Rules": [
{
"SourceService": "tcp",
"DestService": "tcp",
"Source": "Windows10",
"Dest": "2.2.2.2",
"Remarks": [],
"InterfaceType": "Global",
"Permit": true,
"Interface": null,
"Position": 1,
"ID": "924049783",
"IsActive": true
},
{
"SourceService": "ip",
"DestService": "ip",
"Source": "1.1.1.1",
"Dest": "2.2.2.2",
"Remarks": [],
"InterfaceType": "Global",
"Permit": false,
"Interface": null,
"Position": 2,
"ID": "3156543720",
"IsActive": true
}
]
}
Human Readable Output

Rules:

| ID | Source | Dest | Permit | Interface | InterfaceType | IsActive | Position | SourceService | destService |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 924049783 | Windows10 | 2.2.2.2 | true |  | Global | true | 1 | tcp |  |
| 3156543720 | 1.1.1.1 | 2.2.2.2 | false |  | Global | true | 2 | ip |  |
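The CiscoASA.Rules context above is the natural input for an automation that reviews the access list after it has been fetched. The following is an added example, not code from the integration: it audits a rule list for permit rules with an unrestricted source or destination and for rules that an earlier active rule fully covers (so they never match, which is especially worth catching when a later deny is silently masked by an earlier permit). The sample rules are constructed from this page's context example plus two extra rules whose IDs are prefixed "constructed-"; because the rule context carries no network-object definitions, named objects such as "Windows10" are only treated as overlapping when the names are identical.

```python
"""Audit the CiscoASA.Rules context that cisco-asa-list-rules returns.

Added example (not part of the integration): flags permit rules whose source or
destination is unrestricted and rules that an earlier active rule fully covers,
which therefore never match. Named network objects are compared by name only.
"""
import ipaddress
from typing import Dict, List, Optional

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_WORDS = {"any", "any4", "0.0.0.0/0"}

# Constructed sample: the two rules from the context example on this page plus
# two extra rules (IDs prefixed "constructed-") that exercise the findings.
SAMPLE_RULES: List[Dict] = [
    {"ID": "924049783", "Source": "Windows10", "Dest": "2.2.2.2", "Permit": True,
     "Interface": None, "InterfaceType": "Global", "IsActive": True, "Position": 1,
     "SourceService": "tcp", "DestService": "tcp", "Remarks": []},
    {"ID": "3156543720", "Source": "1.1.1.1", "Dest": "2.2.2.2", "Permit": False,
     "Interface": None, "InterfaceType": "Global", "IsActive": True, "Position": 2,
     "SourceService": "ip", "DestService": "ip", "Remarks": []},
    {"ID": "constructed-3", "Source": "any", "Dest": "10.0.0.0/8", "Permit": True,
     "Interface": None, "InterfaceType": "Global", "IsActive": True, "Position": 3,
     "SourceService": "ip", "DestService": "ip", "Remarks": []},
    {"ID": "constructed-4", "Source": "1.1.1.1", "Dest": "2.2.2.2", "Permit": True,
     "Interface": None, "InterfaceType": "Global", "IsActive": True, "Position": 4,
     "SourceService": "tcp", "DestService": "tcp", "Remarks": []},
]


def to_network(value: Optional[str]) -> Optional[ipaddress.IPv4Network]:
    """Parse an IPv4 host or address block; return None for object names."""
    if not value:
        return None
    text = value.strip()
    if text.lower() in ANY_WORDS:
        return ANY_NET
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None
    return net if net.version == 4 else None


def covers(outer: Optional[str], inner: Optional[str]) -> bool:
    """True when every address matched by `inner` is also matched by `outer`."""
    outer_net, inner_net = to_network(outer), to_network(inner)
    if outer_net is not None and inner_net is not None:
        return inner_net.subnet_of(outer_net)
    # At least one side is a named object: only identical names are known to overlap.
    return (outer or "").strip() == (inner or "").strip()


def service_covers(outer: str, inner: str) -> bool:
    """'ip' matches every protocol; otherwise the services must be identical."""
    return outer == "ip" or outer == inner


def is_shadowed_by(rule: Dict, earlier: Dict) -> bool:
    """True when `earlier` (evaluated first) matches a superset of `rule`'s traffic."""
    return (earlier["IsActive"]
            and earlier["InterfaceType"] == rule["InterfaceType"]
            and earlier["Interface"] == rule["Interface"]
            and covers(earlier["Source"], rule["Source"])
            and covers(earlier["Dest"], rule["Dest"])
            and service_covers(earlier["SourceService"], rule["SourceService"])
            and service_covers(earlier["DestService"], rule["DestService"]))


def audit_rules(rules: List[Dict]) -> List[Dict]:
    """Return findings: unrestricted permits and rules shadowed by an earlier rule."""
    findings = []
    ordered = sorted(rules, key=lambda r: r["Position"])
    for index, rule in enumerate(ordered):
        if rule["Permit"] and (to_network(rule["Source"]) == ANY_NET
                               or to_network(rule["Dest"]) == ANY_NET):
            findings.append({"ID": rule["ID"], "Finding": "unrestricted-permit", "By": None})
        for earlier in ordered[:index]:
            if is_shadowed_by(rule, earlier):
                findings.append({"ID": rule["ID"], "Finding": "shadowed", "By": earlier["ID"]})
                break
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

On the sample, rule "constructed-3" is reported as an unrestricted permit and "constructed-4" as shadowed by rule 3156543720, the deny at position 2; the two rules taken from the page produce no findings. Rules are compared only within the same interface and interface type, mirroring how the context separates them.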

2. cisco-asa-backup


Creates a backup of the current settings (i.e., the backup.cfg file).

Base Command

cisco-asa-backup

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| backup_name | The name of the backup. | Required |
| passphrase | Passphrase for the backup. | Optional |
Context Output

There is no context output for this command.

Command Example

Human Readable Output

3. cisco-asa-get-rule-by-id


Gets a specific rule by rule ID.

Base Command

cisco-asa-get-rule-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_id | The rule ID. | Required |
| interface_name | The name of the interface. | Optional |
| interface_type | The interface type. Can be "In", "Out", or "Global". | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.Rules.Interface | String | The name of the interface. |
| CiscoASA.Rules.Source | String | The rule's source. |
| CiscoASA.Rules.Dest | String | The rule's destination. |
| CiscoASA.Rules.InterfaceType | String | The interface type. Can be "In", "Out", or "Global". |
| CiscoASA.Rules.IsActive | Boolean | Whether the rule is active. |
| CiscoASA.Rules.Position | Number | The position of the rule. |
| CiscoASA.Rules.ID | String | The rule ID. |
| CiscoASA.Rules.Remarks | Unknown | A list of all rule remarks. |
| CiscoASA.Rules.Permit | Boolean | Whether the rule permits traffic from source to destination. |
| CiscoASA.Rules.DestService | String | The destination service. |
| CiscoASA.Rules.SourceService | String | The source service. |
Command Example

!cisco-asa-get-rule-by-id rule_id=3156543720 interface_type=Global

Context Example
{
"CiscoASA.Rules": [
{
"Dest": "2.2.2.2",
"DestService": "ip",
"ID": "3156543720",
"Interface": "",
"InterfaceType": "Global",
"IsActive": true,
"Permit": false,
"Position": 2,
"Remarks": [],
"Source": "1.1.1.1",
"SourceService": "ip"
}
]
}
Human Readable Output

Rule 3156543720:

| ID | Source | Dest | Permit | Interface | InterfaceType | IsActive | Position | SourceService | destService |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 3156543720 | 1.1.1.1 | 2.2.2.2 | false |  | Global | true | 2 | ip |  |

4. cisco-asa-create-rule


Creates a rule.

Base Command

cisco-asa-create-rule

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| source | The source. Can be the value of an IPv4 address, an address block, or the name of a network object. | Required |
| destination | The destination. Can be the value of an IPv4 address, an address block, or the name of a network object. | Required |
| permit | Whether the rule is a permit. If True, the rule is a permit. | Required |
| remarks | A list of remarks for the rule. | Optional |
| position | The position in which to create the rule. | Optional |
| log_level | The log level of the rule. Can be "Default", "Emergencies", "Alerts", "Critical", "Errors", "Warnings", "Notifications", "Informational", or "Debugging". | Optional |
| active | Whether the rule will be active. If True, the rule will be active. | Optional |
| interface_type | The interface type. Can be "In", "Out", or "Global". | Required |
| interface_name | The interface name. | Optional |
| service | The service of the rule. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.Rules.Source | String | The rule's source. |
| CiscoASA.Rules.Dest | String | The rule's destination. |
| CiscoASA.Rules.InterfaceType | String | The interface type. Can be "In", "Out", or "Global". |
| CiscoASA.Rules.IsActive | Boolean | Whether the rule is active. |
| CiscoASA.Rules.Interface | String | The name of the interface. |
| CiscoASA.Rules.Position | Number | The position of the rule. |
| CiscoASA.Rules.ID | String | The rule ID. |
| CiscoASA.Rules.Remarks | Unknown | A list of all rule remarks. |
| CiscoASA.Rules.Permit | Boolean | Whether the rule permits traffic from source to destination. |
| CiscoASA.Rules.DestService | String | The destination service. |
| CiscoASA.Rules.SourceService | String | The source service. |
Command Example

!cisco-asa-create-rule destination=4.4.4.4 interface_type=Global permit=False source=2.2.2.2

Context Example
{
"CiscoASA.Rules": [
{
"Dest": "4.4.4.4",
"DestService": "ip",
"ID": "507330730",
"Interface": "",
"InterfaceType": "Global",
"IsActive": true,
"Permit": false,
"Position": 4,
"Remarks": [],
"Source": "2.2.2.2",
"SourceService": "ip"
}
]
}
Human Readable Output

Created new rule. ID: 507330730

| ID | Source | Dest | Permit | Interface | InterfaceType | IsActive | Position | SourceService | destService |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 507330730 | 2.2.2.2 | 4.4.4.4 | false |  | Global | true | 4 | ip |  |

5. cisco-asa-delete-rule


Deletes a rule.

Base Command

cisco-asa-delete-rule

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_id | The rule ID. | Required |
| interface_name | The name of the interface. | Optional |
| interface_type | The interface type. Can be "In", "Out", or "Global". | Required |
Context Output

There is no context output for this command.

Command Example

!cisco-asa-delete-rule interface_type=Global rule_id=507330730

Human Readable Output

Rule 507330730 deleted successfully.

6. cisco-asa-edit-rule


Updates an existing rule.

Base Command

cisco-asa-edit-rule

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| interface_type | The interface type. Can be "In", "Out", or "Global". | Required |
| interface_name | The interface name. | Optional |
| rule_id | The rule ID. | Required |
| active | Whether the rule will be active. If True, the rule will be active. | Optional |
| log_level | The log level of the rule. Can be "Default", "Emergencies", "Alerts", "Critical", "Errors", "Warnings", "Notifications", "Informational", or "Debugging". | Optional |
| position | The position the rule will be in. | Optional |
| remarks | A list of remarks for the rule. | Optional |
| permit | Whether the rule is a permit. If True, the rule is a permit. | Optional |
| destination | The destination. Can be the value of an IPv4 address, an address block, or the name of a network object. | Optional |
| source | The source. Can be the value of an IPv4 address, an address block, or the name of a network object. | Optional |
| service | The service of the rule. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.Rules.Source | String | The rule's source. |
| CiscoASA.Rules.Dest | String | The rule's destination. |
| CiscoASA.Rules.InterfaceType | String | The interface type. Can be "In", "Out", or "Global". |
| CiscoASA.Rules.IsActive | Boolean | Whether the rule is active. |
| CiscoASA.Rules.Interface | String | The name of the interface. |
| CiscoASA.Rules.Position | Number | The position of the rule. |
| CiscoASA.Rules.ID | String | The rule ID. |
| CiscoASA.Rules.Remarks | Unknown | A list of all rule remarks. |
| CiscoASA.Rules.Permit | Boolean | Whether the rule permits traffic from source to destination. |
| CiscoASA.Rules.DestService | String | The destination service. |
| CiscoASA.Rules.SourceService | String | The source service. |
Command Example

!cisco-asa-edit-rule interface_type=Global rule_id=1536327057

Context Example

{
"CiscoASA.Rules": [
{
"Dest": "4.4.4.4",
"DestService": "ip",
"ID": "1536327057",
"Interface": "",
"InterfaceType": "Global",
"IsActive": true,
"Permit": false,
"Position": 3,
"Remarks": [
"Wow"
],
"Source": " 1.1.1.1",
"SourceService": "ip"
}
]
}
Human Readable Output

Edited rule 1536327057

| ID | Source | Dest | Permit | Interface | InterfaceType | IsActive | Position | SourceService | destService |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1536327057 | 1.1.1.1 | 4.4.4.4 | false |  | Global | true | 3 | ip |  |

7. cisco-asa-list-network-objects


Gets a list of all configured network objects.

Base Command

cisco-asa-list-network-objects

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| object_name | A comma-separated list of network object names for which to get the network object. | Optional |
| object_id | A comma-separated list of object IDs for which to get the network object. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.NetworkObject.ID | String | The ID of the network object. |
| CiscoASA.NetworkObject.Host | String | The host information of the network object. |
| CiscoASA.NetworkObject.Description | String | A description of the network object, if one exists. |
| CiscoASA.NetworkObject.Name | String | The name of the network object. |
Command Example

!cisco-asa-list-network-objects

Context Example
{
"CiscoASA.NetworkObject(val.ID == obj.ID)": [
{
"Host": {
"kind": "IPv4Address",
"value": "1.1.1.1"
},
"ID": "ASA_Demo_NObj_1190",
"Name": "ASA_Demo_NObj_1190"
},
{
"Description": "Cisco ASA",
"Host": {
"kind": "IPv4Address",
"value": "8.8.8.8"
},
"ID": "CiscoASA",
"Name": "CiscoASA"
}
]
}
Human Readable Output

Network Objects

| ID | Name | Host | Description |
| --- | --- | --- | --- |
| ASA_Demo_NObj_1190 | ASA_Demo_NObj_1190 | kind: IPv4Address, value: 1.1.1.1 |  |
| CiscoASA | CiscoASA | kind: IPv4Address, value: 8.8.8.8 | Cisco ASA |

8. cisco-asa-create-network-object


Creates a network object.

Base Command

cisco-asa-create-network-object

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| object_type | The type of network object to create. | Required |
| object_name | The name of the object to create. | Required |
| object_value | The value of the network object to create. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.NetworkObject.ID | String | The ID of the network object. |
| CiscoASA.NetworkObject.Host | String | The host information of the network object. |
| CiscoASA.NetworkObject.Description | String | A description of the network object, if one exists. |
| CiscoASA.NetworkObject.Name | String | The name of the network object. |
Command Example

!cisco-asa-create-network-object object_name="Object" object_type="IPv4" object_value="1.1.1.1" debug-mode=true

Context Example
{
"CiscoASA.NetworkObject": [
{
"Host": {
"kind": "IPv4Address",
"value": "1.1.1.1"
},
"ID": "Object",
"Name": "Object"
}
]
}
Human Readable Output

Network Objects

| ID | Name | Host | Description |
| --- | --- | --- | --- |
| Object | Object | kind: IPv4Address, value: 1.1.1.1 |  |

9. cisco-asa-list-interfaces


Gets a list of all interfaces.

Base Command

cisco-asa-list-interfaces

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoASA.Interface.ID | String | The interface ID. |
| CiscoASA.Interface.Name | String | The interface name. |
| CiscoASA.Interface.Type | String | The interface type. Can be "In", "Out", or "Global". |
Command Example

!cisco-asa-list-interfaces

Context Example
{
"CiscoASA.Interface": [
{
"ID": "-1",
"Name": null,
"Type": "Global"
},
{
"ID": "GigabitEthernet0_API_SLASH_0",
"Name": "INSIDE",
"Type": "In"
}
]
}
Human Readable Output

Interfaces

| Type | ID | Name |
| --- | --- | --- |
| Global | -1 |  |
| In | GigabitEthernet0_API_SLASH_0 | INSIDE |
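The create-rule and edit-rule commands accept a source or destination that is an IPv4 address, an address block, or the name of a network object, and need an interface_type that matches the interface listed by cisco-asa-list-interfaces. The following is an added example, not code from the integration, showing how a playbook automation can validate those inputs before calling cisco-asa-create-rule: it classifies each endpoint, rejects IPv6 values and blocks with host bits set, checks object names against the CiscoASA.NetworkObject context, and derives interface_type from the CiscoASA.Interface context. The sample interfaces and objects are constructed from this page's context examples; the assumption that the `_API_SLASH_` token in an interface ID stands for "/" is drawn from the ID shown above and is not stated by the integration.

```python
"""Prepare validated arguments for cisco-asa-create-rule.

Added example (not part of the integration): validates source/destination
values against the forms the command's argument table allows and resolves
interface_type from cisco-asa-list-interfaces output.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Set

# Constructed samples mirroring the context examples on this page.
SAMPLE_INTERFACES: List[Dict] = [
    {"ID": "-1", "Name": None, "Type": "Global"},
    {"ID": "GigabitEthernet0_API_SLASH_0", "Name": "INSIDE", "Type": "In"},
]
SAMPLE_OBJECTS: List[Dict] = [
    {"ID": "ASA_Demo_NObj_1190", "Name": "ASA_Demo_NObj_1190",
     "Host": {"kind": "IPv4Address", "value": "1.1.1.1"}},
    {"ID": "CiscoASA", "Name": "CiscoASA", "Description": "Cisco ASA",
     "Host": {"kind": "IPv4Address", "value": "8.8.8.8"}},
]


def decode_interface_id(interface_id: str) -> str:
    """Assumption: the API-safe ID encodes '/' as _API_SLASH_ (GigabitEthernet0/0)."""
    return interface_id.replace("_API_SLASH_", "/")


def object_names(objects: Iterable[Dict]) -> Set[str]:
    """Names from the CiscoASA.NetworkObject context."""
    return {obj["Name"] for obj in objects}


def classify_endpoint(value: str, known_objects: Set[str]) -> str:
    """Return 'IPv4', 'IPv4Network' or 'object'; raise ValueError for anything else."""
    text = value.strip()
    try:
        net = ipaddress.ip_network(text, strict=True)
    except ValueError:
        net = None
    if net is not None:
        if net.version != 4:
            raise ValueError(f"{value!r}: only IPv4 values are accepted")
        return "IPv4" if net.prefixlen == 32 else "IPv4Network"
    try:
        # Non-strict parsing succeeds where strict parsing failed only when the
        # block has host bits set (e.g. 10.0.0.5/24), which is a likely typo.
        ipaddress.ip_network(text, strict=False)
    except ValueError:
        pass
    else:
        raise ValueError(f"{value!r}: address block has host bits set")
    if text in known_objects:
        return "object"
    raise ValueError(f"{value!r} is not an IPv4 host, an address block, "
                     "or a configured network object")


def is_valid_endpoint(value: str, known_objects: Set[str]) -> bool:
    """Boolean form of classify_endpoint for use in playbook conditions."""
    try:
        classify_endpoint(value, known_objects)
        return True
    except ValueError:
        return False


def resolve_interface(interface_name: Optional[str], interfaces: List[Dict]) -> Dict:
    """Find the interface by Name or decoded ID; no name means the Global policy."""
    if interface_name is None:
        return {"ID": "-1", "Name": None, "Type": "Global"}
    for entry in interfaces:
        if interface_name in (entry["Name"], decode_interface_id(entry["ID"])):
            return entry
    raise ValueError(f"interface {interface_name!r} is not in the list-interfaces output")


def build_create_rule_args(source: str, destination: str, permit: bool,
                           interfaces: List[Dict], objects: List[Dict],
                           interface_name: Optional[str] = None,
                           service: Optional[str] = None) -> Dict[str, str]:
    """Assemble the argument dict for cisco-asa-create-rule after validating inputs."""
    known = object_names(objects)
    classify_endpoint(source, known)
    classify_endpoint(destination, known)
    iface = resolve_interface(interface_name, interfaces)
    args = {
        "source": source.strip(),
        "destination": destination.strip(),
        "permit": "True" if permit else "False",
        "interface_type": iface["Type"],
    }
    if iface["Name"]:
        args["interface_name"] = iface["Name"]
    if service:
        args["service"] = service
    return args


if __name__ == "__main__":
    print(build_create_rule_args("2.2.2.2", "4.4.4.4", False,
                                 SAMPLE_INTERFACES, SAMPLE_OBJECTS))
```

Called with the values from this page's create-rule example and no interface name, it returns the Global arguments of that example; passing interface_name="GigabitEthernet0/0" resolves to the INSIDE interface and sets interface_type to "In". Rejecting a block with host bits set is deliberate: an ASA would otherwise silently apply the rule to the whole network rather than the host the author probably meant.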