Enable a RESTful ASA API

calendar Oct 8, 2018 · 3 min read · API ASA Cisco IaC Network RESTful  ·
Share on: linkedin copy

Starting from ASA 9.3(2) and onward the 5500-X hardware supports a RESTful API as an additional method for configuration/monitoring ASA hardware. Infrastructure as code as they call it, not anything new but I was reading a post that Ivan Pepelnjak wrote and as he points out there are two types of styles when we are dealing with IaC, the data model or CRUD. When reading information about the ASA RESTful API it was interesting what the ASA falls into, CRUD is the method it uses and although this method works, I have similar feeling to what Ivan posted, it wonders me if this is really a step forward into IaC. In this post we'll go through the steps to enable it and you can be the judge, does this RESTful API help?

So the first thing we need to grab the RESTful API application and by default is not included so we'll need to go to cisco.com and download it.  You need look for the Adaptive Security Appliance REST API Plugin and depending on your version of ASA there might be some gotchas on which versions to use so read the release notes. Once we you have the correct version downloaded you need to upload it to the ASA flash. Once uploaded you have to specify the location of the REST API Plugin:

 1ASA-HA-1(config)# rest-api image flash:asa-restapi-132325-lfbff-k8.SPA
 2Computed Hash   SHA2: 2106d6ac8c4e3c181c4820fb46588b8c
 3                      e104712e13fb783ad8f051e905c21330
 4                      0ad66d0e96a6f050805e1e7dc173f187
 5                      211c87db0c2d440da2e2d8614a210e4c
 6
 7Embedded Hash   SHA2: 2106d6ac8c4e3c181c4820fb46588b8c
 8                      e104712e13fb783ad8f051e905c21330
 9                      0ad66d0e96a6f050805e1e7dc173f187
10                      211c87db0c2d440da2e2d8614a210e4c
11
12Digital signature validated successfully
13ASA-HA-1(config)#

After that you can enable the REST API:

1ASA-HA-1(config)# rest-api agent\[/code\]

Once enabled if you have ASDM enabled then the HTTP service is running if not you have to enable the HTTP server as well as configure a management rule to tell what interface you will be connecting to.

1http server enable
2http 0.0.0.0 0.0.0.0

After that you can browse to the following link: https://ASAIP/doc/

You will get prompt to login with a username and password, so make sure the authentication is configured on the ASA. If you have login successfully you will see a webpage like this:

From here you can explore the different HTTP requests that are available and you essentially have another way of configuring and monitoring your ASA. So back my question does this type of RESTful API help you? I have explored this and have used Postman for my poor mans "IaC" but does that count, I feel something is missing? In the end it's still a process that runs and instead of running this via CLI its a CRUD API... - Ryan