Ansible Playbook for Cisco ASAv Firewall Topology

---

hostname: asa-1
domain_name: lab.local

interfaces:
  0/0:
    alias: connection rtr-1 inside
    nameif: inside
    security_level: 100
    address: 10.0.255.1
    mask: 255.255.255.0

  0/1:
    alias: connection rtr-2 outside
    nameif: outside
    security_level: 0
    address: 217.100.100.1
    mask: 255.255.255.0

routes:
  - route outside 0.0.0.0 0.0.0.0 217.100.100.254 1
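As an added example (not the post's own files), the listing below shows one way the host_vars above can feed the interfaces role: a provider dictionary, the Jinja2 template interfaces.j2 that renders the ASA interface commands, and the two tasks (deploy the template, then enable the interfaces) that the role is described as having. The block lists three files separated by comment headers. The module parameters are those of asa_config; the file paths, the `cli` variable, the vault variable names and the GigabitEthernet naming are assumptions.

```yaml
# Added example, not the post's own code. Assumed file layout:
#   group_vars/all.yml, roles/interfaces/templates/interfaces.j2, roles/interfaces/tasks/main.yml

# --- group_vars/all.yml (assumed): connection parameters for the asa_* modules ---
cli:
  host: "{{ ansible_host }}"
  username: vagrant
  password: "{{ vault_asa_password }}"   # kept in ansible-vault, never in plain text
  authorize: yes
  auth_pass: "{{ vault_asa_enable }}"    # enable password, also from the vault

# --- roles/interfaces/templates/interfaces.j2 (Jinja2): one stanza per entry in "interfaces" ---
{% for name, intf in interfaces.items() %}
interface GigabitEthernet{{ name }}
 description {{ intf.alias }}
 nameif {{ intf.nameif }}
 security-level {{ intf.security_level }}
 ip address {{ intf.address }} {{ intf.mask }}
{% endfor %}

# --- roles/interfaces/tasks/main.yml ---
- name: push the rendered interface configuration
  asa_config:
    src: interfaces.j2            # rendered from the role's templates/ directory
    provider: "{{ cli }}"

- name: enable each configured interface
  asa_config:
    parents:
      - "interface GigabitEthernet{{ item }}"
    lines:
      - no shutdown
    provider: "{{ cli }}"
  loop: "{{ interfaces.keys() | list }}"  # "0/0", "0/1" from host_vars
```

The security level and the interface name both come from host_vars, so the inside/outside trust boundary is declared in data rather than in the template, and a review of the host_vars file is enough to check which interface is trusted. Enabling the interfaces is deliberately a separate task, as in the post, so an interface is only brought up after its name, level and address are in place.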
  • Hostname: The task in main.yml uses the Ansible module asa_config to configure the hostname and domain name.
  • Interfaces: This role uses the asa_config module to deploy the template interfaces.j2, which configures the interfaces. main.yml contains a second task that enables the interfaces once the template has applied the configuration.
  • Routing: Similar to the interfaces role; it also uses the asa_config module, deploying the template routing.j2 for the static routes.
  • Objects: The first task in main.yml loads objects.yml from group_vars; the second task deploys the template objects.j2.
  • Object-Groups: Uses the same tasks in main.yml and the template object-groups.j2 as the objects role, but the commands are slightly different.
  • Access-Lists: One of the more complicated roles I needed to work on. main.yml contains multiple tasks to load variables, as in the previous roles, then a task that clears the access-lists if the variable “override_acl” from the access-lists.yml group_vars is set to “true”; otherwise the following tasks are skipped. When the variable is set to true and the access-lists have been cleared, it writes the new access-lists using the Ansible module asa_acl and finishes with a task that assigns the newly created access-lists to the interfaces.
  • NAT: This role is again similar to the objects role: a task in main.yml loads the variable file and deploys the template nat.j2. The NAT role uses object NAT and only works if the object was created beforehand in the objects group_vars.
  • Policy-Framework: Multiple tasks in main.yml first clear the global policy and the policy maps and afterwards recreate them, a similar approach to the access-lists role, to keep it consistent.
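The access-lists role is the one the post singles out, so here is an added example of it (not the post's own files): a constructed group_vars/access-lists.yml with the override_acl switch, and a tasks/main.yml that loads the variables, clears the listed access-lists only when override_acl is true, rewrites them with asa_acl and binds them to their interfaces with access-group. The access-list names, the object-group INSIDE-HOSTS (assumed to come from the object-groups role), the `cli` provider variable and the file paths are assumptions; the module parameters follow asa_config and asa_acl.

```yaml
# Added example, not the post's own code. Assumed files:
#   group_vars/access-lists.yml and roles/access-lists/tasks/main.yml

# --- group_vars/access-lists.yml (constructed sample data) ---
override_acl: false            # default off: a run only rewrites ACLs when explicitly asked
access_lists:
  - name: INSIDE-IN
    interface: inside
    direction: in
    lines:
      - access-list INSIDE-IN extended permit tcp object-group INSIDE-HOSTS any eq https
      - access-list INSIDE-IN extended permit udp object-group INSIDE-HOSTS any eq domain
      - access-list INSIDE-IN extended deny ip any any log
  - name: OUTSIDE-IN
    interface: outside
    direction: in
    lines:
      - access-list OUTSIDE-IN extended deny ip any any log

# --- roles/access-lists/tasks/main.yml ---
- name: load access-list definitions
  include_vars: "{{ playbook_dir }}/group_vars/access-lists.yml"

- name: remove the existing access-lists before rewriting them
  asa_config:
    lines:
      - "clear configure access-list {{ item.name }}"
    match: none                  # a clear command never appears in running-config, so skip the diff
    provider: "{{ cli }}"
  loop: "{{ access_lists }}"
  when: override_acl | bool

- name: write the access-list entries
  asa_acl:
    lines: "{{ item.lines }}"
    provider: "{{ cli }}"
  loop: "{{ access_lists }}"
  when: override_acl | bool

- name: bind each access-list to its interface
  asa_config:
    lines:
      - "access-group {{ item.name }} {{ item.direction }} interface {{ item.interface }}"
    provider: "{{ cli }}"
  loop: "{{ access_lists }}"
  when: override_acl | bool
```

Run it with `ansible-playbook site.yml -e override_acl=true` when a rewrite is intended; with the default of false every task after include_vars is skipped and the firewall's current policy is left untouched. Between the clear task and the rewrite the interface carries no explicit access-list, so keep the switch off in the variable file and turn it on per run rather than leaving it permanently true. Ending each list with an explicit `deny ip any any log` makes the intended default visible in the data and gives the log entries that show what the policy drops.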
---

- hosts: asa-1
  connection: local
  user: vagrant
  gather_facts: 'no'

  roles:
    - hostname
    - interfaces
    - routing
    - objects
    - object-groups
    - access-lists
    - nat
    - policy-framework

Bernd Malmqvist