Cisco ASA REST API Cisco Modeling Labs

The crazy thing is Cisco requires you to have a service contract to download the REST API file, which I would expect to be a free download with no contract required. I thought I was out of luck in Cisco Modeling Labs. Turns out it is there already, which is really awesome. Besides the ASA you can also use the REST API in CSR1000V, which should be built in, but I could be wrong since I haven't tested it yet. The IOS XRv images in CML seem to only support the XML API.

Anyway, if you're not familiar with the REST API, it uses the HTTP protocol to retrieve and set information. This was traditionally used to pull info from web services and do all kinds of other neat things. Nowadays, with things like RESTCONF, we can use a REST API to configure and set up network devices. You can do things like run a script in a language such as Perl or Python to set up switches out of the box using RESTCONF. For now I will be showing setup of the REST API on the ASA.

First step: choose the ASA image in CML and load it. Once you have done your basic config, such as bringing interfaces up and setting a management IP, proceed to run the commands below to install the REST API.

Cisco has a guide going over enabling it. What I did was just enable the management interface as shown below. The no management-only makes it so I can access this interface from outside, and I also set the security-level to 100.

The next commands enable the HTTP server and management access. The Cisco guide shows them creating a static route from management to the gateway IP address <gwip> 1. The final commands to run are the aaa one to enable HTTP authentication using the local database, creating a test user, and then rest-api agent, which installs the REST API.

interface Management0/0
 no management-only
 nameif management
 security-level 100
 ip address

http server enable
http management
aaa authentication http console LOCAL
username restapi password tester25 privilege 15

rest-api agent

Once you have done this you are ready to test. Be sure to use the CML external connector, which is bridged to your environment. I'm using ESXi, so I had to set the VM network that Ext-conn-0 is connected to in ESXi to allow promiscuous mode and forged transmits. Of course you also need to set up the connector interface through the CML management web GUI (not the GUI used to do labs). Anyway, there are countless resources going over how to set that up.

Also keep in mind that internally the REST API agent uses port 8111; you still use 443 from your client browser to issue REST requests. Just something to keep in mind if you have multiple contexts or a different setup and end up having to troubleshoot some internal ASA routing issues.

To test, open a web browser on your client and go to https://asaip/api/objects/networkobjects. If it pulls up, you're good. There is a built-in API doc: proceed to go to https://asaip/doc/ (make sure to have that trailing slash in there). Once you log in you will see the API doc. In here you can see examples; use the export operation and specify what format you want. Perl, Python, and JavaScript are available.

I followed this guide for an example to try in Python. It didn't work; however, I noticed the API doc example used the user-agent REST API Agent, and once added it worked.
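To make the user-agent point concrete, here is an added Python example (not from the post or from Cisco's API doc export) that builds the same GET against /api/objects/networkobjects with the local restapi user from the config above, sends User-Agent: REST API Agent, and parses the JSON collection into a short summary. The host name asaip is the post's placeholder, and the sample response embedded below is constructed to follow the collection/items shape the ASA REST agent returns; that shape is an assumption for offline testing, not captured output.

```python
import base64
import json
import ssl
import urllib.request

ASA_HOST = "asaip"      # placeholder from the post; replace with your ASA management IP
USERNAME = "restapi"    # local user created with 'username restapi password tester25 privilege 15'
PASSWORD = "tester25"   # lab credential from the post's config, not for production use


def build_request(host, path, username, password):
    """Build a GET request the ASA REST agent accepts.

    The agent only answers requests that carry the User-Agent 'REST API Agent'
    (the detail that made the post's script work), and authenticates with HTTP
    basic auth against the LOCAL database enabled by
    'aaa authentication http console LOCAL'.
    """
    url = "https://{}{}".format(host, path)
    token = base64.b64encode("{}:{}".format(username, password).encode()).decode()
    req = urllib.request.Request(url, method="GET")
    req.add_header("User-Agent", "REST API Agent")
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/json")
    return req


def summarize_network_objects(body):
    """Reduce the networkobjects collection to (name, kind, value) tuples.

    Assumed response layout: {"items": [{"name": ..., "host": {"kind": ..., "value": ...}}, ...]}.
    """
    data = json.loads(body)
    summary = []
    for item in data.get("items", []):
        host = item.get("host", {})
        summary.append((item.get("name"), host.get("kind"), host.get("value")))
    return summary


def fetch_network_objects(host=ASA_HOST, username=USERNAME, password=PASSWORD, verify_tls=True):
    """Issue the request to a live ASA and return the parsed summary.

    TLS verification stays on by default; a CML lab ASA with a self-signed
    certificate needs verify_tls=False (or, better, its cert added to a trust store).
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = build_request(host, "/api/objects/networkobjects", username, password)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return summarize_network_objects(resp.read().decode())


# Constructed sample response for offline use; values are made up for the example.
SAMPLE_RESPONSE = json.dumps({
    "kind": "collection#NetworkObj",
    "items": [
        {"kind": "object#NetworkObj", "name": "lab-web",
         "host": {"kind": "IPv4Address", "value": "192.0.2.10"}},
        {"kind": "object#NetworkObj", "name": "lab-lan",
         "host": {"kind": "IPv4Network", "value": "198.51.100.0/24"}},
    ],
})

if __name__ == "__main__":
    # Offline demonstration; swap in fetch_network_objects() against a real ASA.
    for name, kind, value in summarize_network_objects(SAMPLE_RESPONSE):
        print(name, kind, value)
```

Running it offline prints the two constructed objects; pointing fetch_network_objects at the lab ASA reproduces what the browser test above shows, and dropping the User-Agent header is a quick way to confirm the agent's refusal that the post ran into.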

Here we can see the API response. What is cool about this is we are now able to use the REST API to do further things like RESTCONF. And with Cisco's APIC ACI we can actually have Software Defined Networking going on. Imagine in your enterprise you have your ERP software actually speaking to your Cisco APIC ACI northbound, telling it hey, we are having way more users using this service over VPN. Cisco APIC ACI then responds through southbound APIs, using the REST API to tell your ASAs to provision another ASA into a cluster to handle more VPN users. Another idea is using SDN to get another subscription to handle more VPN users. Once that goes down you can switch over to the VPN user license subscription you were using earlier.

Software Defined Networking is amazing. I am already imagining possibilities where applications in your environment will be able to schedule more bandwidth from your ISP. Of course you will want to set limits on how much can be asked for, and what to go back to. We are still pretty far out from this happening at your typical small to medium sized organization. I am thinking maybe cell phone providers will be doing something like this with cell phone users; they have been pushing NFV (network function virtualization) in their networks. For now we can look to companies in big cloud datacenters like Netflix, using SDN and other technology to automatically provision less or more resources depending on current viewership.
