Monday, July 17, 2017

Cisco ASA - paramiko is required but does not appear to be installed

I have recently been trying out a Cisco ASA 5512X and wanted to see whether Ansible could manage its configuration, so I started with the simple show version command.
OS / ENVIRONMENT
macOS Sierra
Version 10.12.5
ANSIBLE VERSION
ansible 2.3.1.0
  config file =
  configured module search path = Default w/o overrides
  python version = 2.7.13 (default, Apr  4 2017, 08:46:44) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.42.1)]
ANSIBLE CONFIGURATION
ansible inventory - hosts
asa           ansible_host=192.168.1.1   
---
- hosts: asa
  connection: local
  gather_facts: yes
  tasks:
    - name: run show version on remoter devices
      asa_command:
        provider:
          host: IP
          username: USERNAME
          password: PASSWORD
          authorize: yes
          auth_pass: PASSWORD
          timeout: 30
        commands:
          - show version
      register: version
    - name: show version
      debug:
        var: version.stdout_lines
      with_items: version.results

STEPS TO REPRODUCE

ansible-playbook -i hosts asa.yml -vvv
No config file found; using defaults

PLAYBOOK: asa.yml *************************************************************************************************
1 plays in asa.yml

PLAY [cisco] ******************************************************************************************************
META: ran handlers

TASK [Show Version] ***********************************************************************************************
task path: /Users/daniel/work/tenmax/lab/asa.yml:6
Using module file /usr/local/lib/python2.7/site-packages/ansible/modules/network/asa/asa_command.py
 ESTABLISH LOCAL CONNECTION FOR USER: daniel
 EXEC /bin/sh -c 'echo ~ && sleep 0'
 EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /Users/daniel/.ansible/tmp/ansible-tmp-1500340664.8-207253128376700 `" && echo ansible-tmp-1500340664.8-207253128376700="` echo /Users/daniel/.ansible/tmp/ansible-tmp-1500340664.8-207253128376700 `" ) && sleep 0'
 PUT /var/folders/5w/tkr8l6gn7zs76_8n1z6jg_r80000gn/T/tmpMpIKV3 TO /Users/daniel/.ansible/tmp/ansible-tmp-1500340664.8-207253128376700/asa_command.py
 EXEC /bin/sh -c 'chmod u+x /Users/daniel/.ansible/tmp/ansible-tmp-1500340664.8-207253128376700/ /Users/daniel/.ansible/tmp/ansible-tmp-1500340664.8-207253128376700/asa_command.py && sleep 0'
 EXEC /bin/sh -c '/usr/bin/python /Users/daniel/.ansible/tmp/ansible-tmp-1500340664.8-207253128376700/asa_command.py; rm -rf "/Users/daniel/.ansible/tmp/ansible-tmp-1500340664.8-207253128376700/" > /dev/null 2>&1 && sleep 0'
fatal: [cisco]: FAILED! => {
    "changed": false,
    "failed": true,
    "invocation": {
        "module_args": {
            "auth_pass": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "authorize": true,
            "commands": [
                "show version"
            ],
            "context": null,
            "host": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "interval": 1,
            "match": "all",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "port": null,
            "provider": {
                "auth_pass": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "authorize": true,
                "host": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "username": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
            },
            "retries": 10,
            "ssh_keyfile": null,
            "timeout": 10,
            "transport": null,
            "username": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "wait_for": null
        }
    },
    "msg": "paramiko is required but does not appear to be installed.  It can be installed using  `pip install paramiko`"
}
    to retry, use: --limit @/Users/daniel/work/tenmax/lab/asa.retry

PLAY RECAP ********************************************************************************************************
cisco                      : ok=0    changed=0    unreachable=0    failed=1
After running it, you see the error:
"msg": "paramiko is required but does not appear to be installed.  It can be installed using  `pip install paramiko`"
In fact I had already installed it. After consulting Google, it turned out that the cause is that your OS may have several different Python versions installed, so the fix is to pin the Python interpreter. Ansible is currently still Python 2.x based, so I added ansible_python_interpreter to the inventory file, and that solved it.
asa           ansible_host=192.168.1.1     ansible_python_interpreter=/usr/bin/python 
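As an added example (Python 3, not code from the original post), a small probe that diagnoses this error the way the fix above implies: it checks which candidate interpreter can actually import paramiko and prints the inventory line that pins it. The candidate paths are assumptions; /usr/bin/python is the one the post settled on.

```python
import re
import subprocess
import sys

_MODULE_RE = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$")


def interpreter_has_module(interpreter, module):
    """True if `interpreter` can import `module`; False if it cannot or does not exist."""
    # Validate the name before splicing it into a -c string so an untrusted
    # value cannot turn this probe into arbitrary code execution.
    if not _MODULE_RE.match(module):
        raise ValueError("invalid module name: %r" % module)
    try:
        proc = subprocess.run([interpreter, "-c", "import %s" % module],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        # path does not exist / is not executable, or the interpreter hung
        return False
    return proc.returncode == 0


def find_interpreter_with_module(candidates, module):
    """Return the first candidate path that can import `module`, or None."""
    for path in candidates:
        if interpreter_has_module(path, module):
            return path
    return None


def inventory_line(host, ip, interpreter):
    """Static-inventory line pinning ansible_python_interpreter, as in the fix above."""
    return "%s ansible_host=%s ansible_python_interpreter=%s" % (host, ip, interpreter)


if __name__ == "__main__":
    # Candidate paths are assumptions; /usr/bin/python is the one the post settled on.
    candidates = [sys.executable, "/usr/bin/python", "/usr/local/bin/python"]
    found = find_interpreter_with_module(candidates, "paramiko")
    if found is None:
        print("no candidate can import paramiko; install it for the interpreter Ansible uses")
    else:
        print(inventory_line("asa", "192.168.1.1", found))
```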
Reference:

Cisco ASA timeout trying to send command: enable

Same issue here with asa_command

SUMMARY

In short, it cannot be used yet. I have filed an issue with Ansible; details are in the link below.
ISSUE TYPE
  • Bug Report
COMPONENT NAME
  • asa_command
ANSIBLE VERSION
ansible 2.3.1.0
  config file =
  configured module search path = Default w/o overrides
  python version = 2.7.13 (default, Apr  4 2017, 08:46:44) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.42.1)]
CONFIGURATION
hosts
asa           ansible_host=192.168.1.1     ansible_python_interpreter=/usr/bin/python
---
- hosts: asa
  connection: local
  gather_facts: yes
  tasks:
    - name: run show version on remoter devices
      asa_command:
        provider:
          host: IP
          username: USERNAME
          password: PASSWORD
          authorize: yes
          auth_pass: PASSWORD
          timeout: 30
        commands:
          - show version
      register: version
    - name: show version
      debug:
        var: version.stdout_lines
      with_items: version.results
OS / ENVIRONMENT
Darwin Danielde-MacBook-Pro.local 15.6.0 Darwin Kernel Version 15.6.0: Tue Apr 11 16:00:51 PDT 2017; root:xnu-3248.60.11.5.3~1/RELEASE_X86_64 x86_64
STEPS TO REPRODUCE
$ ansible-playbook -i hosts asa.yml -vvv
No config file found; using defaults

PLAYBOOK: asa.yml *************************************************************************************************************
1 plays in asa.yml

PLAY [asa] ********************************************************************************************************************

TASK [Gathering Facts] ********************************************************************************************************
Using module file /usr/local/lib/python2.7/site-packages/ansible/modules/system/setup.py
<192.168.1.1> ESTABLISH LOCAL CONNECTION FOR USER: daniel
<192.168.1.1> EXEC /bin/sh -c 'echo ~ && sleep 0'
<192.168.1.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /Users/daniel/.ansible/tmp/ansible-tmp-1500304102.91-122764280426260 `" && echo ansible-tmp-1500304102.91-122764280426260="` echo /Users/daniel/.ansible/tmp/ansible-tmp-1500304102.91-122764280426260 `" ) && sleep 0'
<192.168.1.1> PUT /var/folders/03/ns9kvh215g12x_h6gyq7f7tr0000gn/T/tmpGAqiRu TO /Users/daniel/.ansible/tmp/ansible-tmp-1500304102.91-122764280426260/setup.py
<192.168.1.1> EXEC /bin/sh -c 'chmod u+x /Users/daniel/.ansible/tmp/ansible-tmp-1500304102.91-122764280426260/ /Users/daniel/.ansible/tmp/ansible-tmp-1500304102.91-122764280426260/setup.py && sleep 0'
<192.168.1.1> EXEC /bin/sh -c '/usr/local/bin/python /Users/daniel/.ansible/tmp/ansible-tmp-1500304102.91-122764280426260/setup.py; rm -rf "/Users/daniel/.ansible/tmp/ansible-tmp-1500304102.91-122764280426260/" > /dev/null 2>&1 && sleep 0'
ok: [asa]
META: ran handlers

TASK [run show version on remoter devices] ************************************************************************************
task path: /Users/daniel/work/lab/asa.yml:6
Using module file /usr/local/lib/python2.7/site-packages/ansible/modules/network/asa/asa_command.py
<192.168.1.1> ESTABLISH LOCAL CONNECTION FOR USER: daniel
<192.168.1.1> EXEC /bin/sh -c 'echo ~ && sleep 0'
<192.168.1.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /Users/daniel/.ansible/tmp/ansible-tmp-1500304104.0-136124011056732 `" && echo ansible-tmp-1500304104.0-136124011056732="` echo /Users/daniel/.ansible/tmp/ansible-tmp-1500304104.0-136124011056732 `" ) && sleep 0'
<192.168.1.1> PUT /var/folders/03/ns9kvh215g12x_h6gyq7f7tr0000gn/T/tmpdXRCx3 TO /Users/daniel/.ansible/tmp/ansible-tmp-1500304104.0-136124011056732/asa_command.py
<192.168.1.1> EXEC /bin/sh -c 'chmod u+x /Users/daniel/.ansible/tmp/ansible-tmp-1500304104.0-136124011056732/ /Users/daniel/.ansible/tmp/ansible-tmp-1500304104.0-136124011056732/asa_command.py && sleep 0'
<192.168.1.1> EXEC /bin/sh -c '/usr/local/bin/python /Users/daniel/.ansible/tmp/ansible-tmp-1500304104.0-136124011056732/asa_command.py; rm -rf "/Users/daniel/.ansible/tmp/ansible-tmp-1500304104.0-136124011056732/" > /dev/null 2>&1 && sleep 0'
fatal: [asa]: FAILED! => {
    "changed": false,
    "failed": true,
    "invocation": {
        "module_args": {
            "auth_pass": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "authorize": true,
            "commands": [
                "show version"
            ],
            "context": null,
            "host": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "interval": 1,
            "match": "all",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "port": null,
            "provider": {
                "auth_pass": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "authorize": true,
                "host": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "timeout": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "username": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
            },
            "retries": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "ssh_keyfile": null,
            "timeout": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "transport": null,
            "username": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "wait_for": null
        }
    },
    "msg": "timeout trying to send command: enable"
}
    to retry, use: --limit @/Users/daniel/work/lab/asa.retry

PLAY RECAP ********************************************************************************************************************
asa                        : ok=1    changed=0    unreachable=0    failed=1
How to fix this issue?
Reference:

Cisco ASA 5512: configuring DHCP & NAT

Show the current interface status
ciscoasa# conf t
ciscoasa(config)# show int ip bri
Pick an interface to use as the VLAN port
ciscoasa(config)# int gigabitEthernet 0/5
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
Set the IEEE 802.1Q VLAN identifier
ciscoasa(config)# interface gigabitEthernet 0/5.200
ciscoasa(config-subif)# vlan 200
ciscoasa(config-subif)# nameif Corp_LAN
ciscoasa(config-subif)# security-level 100
ciscoasa(config-subif)# ip address 192.168.200.254 255.255.255.0
ciscoasa(config-subif)# exit
Configure the DHCP server
ciscoasa(config)# dhcpd address 10.10.200.1-10.10.200.250 Corp_LAN
ciscoasa(config)# dhcpd dns 168.95.1.1 8.8.8.8
ciscoasa(config)# dhcpd lease lease_length                      # default is 3600 sec, range 0 to 1,048,575
ciscoasa(config)# dhcpd domain domain_name
ciscoasa(config)# dhcpd option 3 ip 10.10.200.254(gateway_ip)   # dhcpd option 3 defines the DHCP clients' default gateway
                                                                # if it is not set, the management interface is used instead;
                                                                # that interface does not include this option in the DHCP ACK,
                                                                # so it will not do the forwarding for you.
ciscoasa(config)# dhcpd enable Corp_LAN                         # enable the DHCP server
Show the current VLANs
ciscoasa(config)# show vlan
Show the current DHCP server configuration
ciscoasa(config)# show running-config dhcpd
dhcpd option 3 ip 10.10.200.254
!
dhcpd address 10.10.200.1-10.10.200.250 Corp_LAN
dhcpd dns 168.95.1.1 8.8.8.8 interface Corp_LAN
dhcpd enable Corp_LAN
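As an added example (Python 3, not part of the original post), a consistency check over the DHCP settings in this section: it parses the sub-interface's ip address, the dhcpd address pool and the option 3 gateway from a running-config extract and verifies that the pool and gateway lie inside the interface subnet, which must hold for clients on Corp_LAN to reach their gateway. Run on the addresses used above it reports that the 10.10.200.x pool and gateway are outside the 192.168.200.0/24 sub-interface subnet; the sample config text is constructed from this section's commands.

```python
import ipaddress
import re

# Constructed sample built from the commands in this section.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/5.200
 nameif Corp_LAN
 ip address 192.168.200.254 255.255.255.0
!
dhcpd option 3 ip 10.10.200.254
dhcpd address 10.10.200.1-10.10.200.250 Corp_LAN
dhcpd dns 168.95.1.1 8.8.8.8 interface Corp_LAN
dhcpd enable Corp_LAN
"""

_NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")
_IFACE_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
_POOL_RE = re.compile(r"^dhcpd address (\S+)-(\S+) (\S+)")
_GW_RE = re.compile(r"^dhcpd option 3 ip (\S+)")


def parse_config(text):
    """Return ({nameif: subnet}, [(start, end, nameif)], gateway or None)."""
    subnets, pools, gateway, current = {}, [], None, None
    for line in text.splitlines():
        if m := _NAMEIF_RE.match(line):
            current = m.group(1)          # following interface lines belong to it
        elif (m := _IFACE_RE.match(line)) and current:
            subnets[current] = ipaddress.ip_network("%s/%s" % m.groups(), strict=False)
        elif m := _POOL_RE.match(line):
            pools.append((ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)), m.group(3)))
        elif m := _GW_RE.match(line):
            gateway = ipaddress.ip_address(m.group(1))
    return subnets, pools, gateway


def check_dhcp(text):
    """Return a list of problems; an empty list means pool and gateway fit the subnet."""
    subnets, pools, gateway = parse_config(text)
    problems = []
    for start, end, nameif in pools:
        net = subnets.get(nameif)
        if net is None:
            problems.append("pool %s-%s is bound to unknown nameif %s" % (start, end, nameif))
            continue
        if start not in net or end not in net:
            problems.append("pool %s-%s is outside %s subnet %s" % (start, end, nameif, net))
        if gateway is not None and gateway not in net:
            problems.append("option 3 gateway %s is outside %s subnet %s" % (gateway, nameif, net))
    return problems
```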
Configure an ACL so DHCP clients can ping the Internet normally
ciscoasa(config)# access-list ACL_OUT permit icmp any any
Add to global_policy
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp 
ciscoasa(config-pmap-c)# inspect icmp error        # Enable NAT on icmp error messages
Reference:

Friday, July 14, 2017

Configuring SSH access on a Cisco Router

Configure the router to allow only SSH connections and use local authentication
Test-RTR#conf t
Test-RTR(config)#line vty 0 4
Test-RTR(config)#login local
Test-RTR(config)#transport input ssh
Set the domain name
Test-RTR(config)#ip domain-name xxx
Generate an RSA key on the Cisco Router
Test-RTR(config)#crypto key generate rsa
The name for the keys will be: Test-RTR.xxx
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 4096
% Generating 4096 bit RSA keys, keys will be non-exportable...
Set the SSH version
Test-RTR(config)#ip ssh version 2
Create a user and password, and encrypt the stored passwords
Test-RTR(config)#username admin password 1234567890
Test-RTR(config)#service password-encryption
Set the privileged-mode (enable) password
Test-RTR(config)#enable secret 1234567890
Now you can test logging in
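As an added example (Python 3, not part of the original post), a small lint over an IOS running-config extract that verifies the SSH-only setup this section builds: ip ssh version 2, a domain name for the RSA key, an enable secret, and login local plus transport input ssh on every vty block. It goes one step beyond the post by flagging "username ... password", since service password-encryption only stores a reversible type 7 string; the sample config is constructed, with placeholder strings where the router would store its hashes.

```python
import re

# Constructed sample reflecting this section's commands; the type 7 and type 5
# strings are placeholders for what the router stores after
# service password-encryption and enable secret.
SAMPLE_IOS = """\
hostname Test-RTR
ip domain-name xxx
ip ssh version 2
username admin password 7 PLACEHOLDER_TYPE7
enable secret 5 PLACEHOLDER_TYPE5
line vty 0 4
 login local
 transport input ssh
"""


def vty_blocks(text):
    """Yield (header, [indented lines]) for each 'line vty' block in the config."""
    header, body = None, []
    for raw in text.splitlines() + ["end"]:   # sentinel closes the last block
        if raw.startswith("line vty"):
            if header:
                yield header, body
            header, body = raw.strip(), []
        elif header and raw.startswith(" "):
            body.append(raw.strip())
        elif header:
            yield header, body
            header, body = None, []


def lint_ssh(text):
    """Return findings against the SSH-only setup; an empty list means it is complete."""
    findings = []
    if not re.search(r"^ip ssh version 2$", text, re.M):
        findings.append("ip ssh version 2 is not set")
    if not re.search(r"^ip domain-name \S+", text, re.M):
        findings.append("ip domain-name is missing; RSA key generation needs it")
    if not re.search(r"^enable secret ", text, re.M):
        findings.append("enable secret is not set")
    for m in re.finditer(r"^username (\S+) password ", text, re.M):
        findings.append("user %s uses a reversible (type 0/7) password; prefer 'username ... secret'" % m.group(1))
    for header, body in vty_blocks(text):
        if "login local" not in body:
            findings.append("%s: login local is missing" % header)
        if "transport input ssh" not in body:
            findings.append("%s: transport input is not restricted to ssh" % header)
    return findings
```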
Reference:

Thursday, July 13, 2017

Cisco ASA 5512 configuration and backup

 Backup
  • On a Cisco Router, back up to USB with copy running-config usbflash1:
  • On a Cisco ASA, back up to USB with copy running-config disk1:
Restore factory defaults
ciscoasa#conf t
ciscoasa(config)#configure factory-default
ciscoasa(config)# reload
System config has been modified. Save? [Y]es/[N]o:  y
Cryptochecksum: cbae301c 8cea4e21 022b5873 ec551723

2709 bytes copied in 0.780 secs
Proceed with reload? [confirm]
ciscoasa(config)#


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down sw-module
On the first entry into privileged mode you will be reminded:
***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: A

No input detected, recording Ask later.
You will be reminded again in 7 days.

If you would like to enable this feature, issue the command
"call-home reporting anonymous".
Set the Cisco ASA hostname
ciscoasa(config)# hostname ASA  # must be fewer than 64 characters
Show the current interfaces
#show interface ip brief
Set the WAN IP
ciscoasa# conf t
ciscoasa(config)# interface gigabitEthernet 0/0
ciscoasa(config-if)# ip address A.B.C.D 255.255.255.0           # set the WAN IP
ciscoasa(config-if)# nameif outside                             # needed by the routing below
ciscoasa(config-if)# no shutdown
Configure routing
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 Gateway
Allow SSH login to the ASA
ciscoasa(config)# enable password Password
ciscoasa(config)# username administrator password 1234567890
ciscoasa(config)# ssh External_IP 255.255.255.255 outside
ciscoasa(config)# ssh version 2
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# crypto key generate rsa modulus 4096
WARNING: You have a RSA keypair already defined named .

Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
On a Mac, configure ~/.ssh/config so that the ssh command can log in:
HOST asa
    HostName FQDN or IP
    User administrator
    KexAlgorithms +diffie-hellman-group1-sha1
or
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 IP
Reference:

Friday, July 7, 2017

Running Cisco Router commands via Ansible (simple version)

OS Environment

macOS Sierra
version 10.12.5

Ansible Version

ansible 2.3.1.0
  config file =
  configured module search path = Default w/o overrides
  python version = 2.7.13 (default, Dec 18 2016, 07:03:39) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.42.1)]

cisco.yml

---
- hosts: cisco
  connection: local
  gather_facts: yes
  tasks:
    - name: run show version on remoter devices
      ios_command:
        provider:
          host: FQDN or IP
          username: 使用者
          password: ssh的連線密碼
          authorize: yes
          auth_pass: 特權模式密碼
        commands:
          - show version
      register: version
    - name: show version
      debug:
        var: version.stdout_lines
      with_items: version.results
authorize and auth_pass must be used together, because they are what enters privileged mode.
What matters is the official usage; the following is only for reference, and some of these forms may be removed in the future.
This is the message one of the variants produced when I ran it:
 [WARNING]: argument username has been deprecated and will be removed in a future version

 [WARNING]: argument host has been deprecated and will be removed in a future version

 [WARNING]: argument password has been deprecated and will be removed in a future version
Reference: