Enable a RESTful ASA API

Starting with ASA 9.3(2), the 5500-X hardware supports a RESTful API as an additional method for configuring and monitoring ASA hardware. Infrastructure as code, as they call it, is not anything new, but I was reading a post and, as its author points out, there are two styles when dealing with IaC: the data model or CRUD. When reading about the ASA RESTful API, it was interesting to see which one the ASA falls into: CRUD is the method it uses, and although this method works, I have a similar feeling to what Ivan posted; it makes me wonder if this is really a step forward into IaC. In this post we’ll go through the steps to enable it and you can be the judge: does this RESTful API help?

So the first thing we need is to grab the RESTful API application. It is not included by default, so we’ll need to go to cisco.com and download it. You need to look for the Adaptive Security Appliance REST API Plugin, and depending on your version of ASA there might be some gotchas on which versions to use, so read the release notes. Once you have the correct version downloaded, you need to upload it to the ASA flash.

Once uploaded you have to specify the location of the REST API Plugin:

ASA-HA-1(config)# rest-api image flash:asa-restapi-132325-lfbff-k8.SPA
Computed Hash   SHA2: 2106d6ac8c4e3c181c4820fb46588b8c
                      e104712e13fb783ad8f051e905c21330
                      0ad66d0e96a6f050805e1e7dc173f187
                      211c87db0c2d440da2e2d8614a210e4c

Embedded Hash   SHA2: 2106d6ac8c4e3c181c4820fb46588b8c
                      e104712e13fb783ad8f051e905c21330
                      0ad66d0e96a6f050805e1e7dc173f187
                      211c87db0c2d440da2e2d8614a210e4c

Digital signature validated successfully
ASA-HA-1(config)#

After that you can enable the REST API:

ASA-HA-1(config)# rest-api agent

Once enabled, if you have ASDM enabled then the HTTP service is already running; if not, you have to enable the HTTP server as well as configure a management rule that says which interface you will be connecting to.

http server enable
http 0.0.0.0 0.0.0.0 <interface_name>

After that you can browse to the following link:

https://ASAIP/doc/

You will be prompted to log in with a username and password, so make sure authentication is configured on the ASA.
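
An added example, not from the original post: a small Python check that reads a saved running-config and reports how widely the HTTPS service behind the REST API is exposed, since `http 0.0.0.0 0.0.0.0` admits any source address on the named interface. The sample config, the interface names `outside` and `management`, the 256-address threshold and the check for an `aaa authentication http console` line are assumptions chosen for illustration.

```python
import ipaddress
import re

# Constructed sample running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
rest-api image flash:asa-restapi-132325-lfbff-k8.SPA
rest-api agent
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.0.2.0 255.255.255.0 management
"""

# Management rule syntax: http <ip> <mask> <interface>
HTTP_RULE = re.compile(r"^http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def audit_rest_api_exposure(config: str, max_hosts: int = 256) -> list[str]:
    """Return findings about who can reach the ASA HTTPS/REST API service."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    agent = "rest-api agent" in lines
    server = any(ln.startswith("http server enable") for ln in lines)
    if not agent:
        return findings  # REST API agent is off; nothing to assess
    if not server:
        findings.append("rest-api agent is set but 'http server enable' is missing")
    rules = 0
    for ln in lines:
        m = HTTP_RULE.match(ln)
        if not m:
            continue
        rules += 1
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        if net.prefixlen == 0:
            findings.append(f"any source may reach the API on interface '{m.group(3)}'")
        elif net.num_addresses > max_hosts:  # threshold is an assumed policy value
            findings.append(f"broad source {net} allowed on interface '{m.group(3)}'")
    if server and rules == 0:
        findings.append("no 'http <ip> <mask> <interface>' rule: API is unreachable")
    if not any(ln.startswith("aaa authentication http console") for ln in lines):
        findings.append("no 'aaa authentication http console' line found")
    return findings


if __name__ == "__main__":
    for finding in audit_rest_api_exposure(SAMPLE_CONFIG):
        print("FINDING:", finding)
```
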

If you have logged in successfully, you will see a webpage like this:

[Screenshot: ASA RESTful API]

From here you can explore the different HTTP requests that are available, and you essentially have another way of configuring and monitoring your ASA. So, back to my question: does this type of RESTful API help you? I have explored this and have used Postman for my poor man’s “IaC”, but does that count? I feel something is missing. In the end it’s still a process that runs, and instead of running this via CLI it’s a CRUD API…

– Ryan
