Lynx for Cisco ASA Management

Posted on December 10, 2013

3



madness

Yes this is madness! A really old school browser can help me in managing cisco asa firewalls!
I have just found this link, since I am developing perl scripts to manage cisco asa firewalls.
http://packetpushers.net/interacting-with-the-cisco-asa-cli-using-the-https-interface/

Lynx saves about 50 lines of perl code for me and works much more faster as my perl script with Net::SSH::Expect module.

Advantages of using lynx again perl:
– to issue a command you need only a one-line command! in Perl the code is much more line.
– no need to install perl and the modules for ssh
– no need to send enable command and the enable password (that can be issued in perl only with expect, that is not the best way.)

Some setting are required for lynx to work perfectly in your enviroment.

1.) SSL Prompt settings:
lynx do not accept by default self signed certificates and expect your interaction. in the config of lynx just change

from:
#FORCE_SSL_PROMPT:PROMPT
to:
FORCE_SSL_PROMPT:yes

if you trust in your enviroment and noone can fake the asa to get your credentials when you login through https. My configuration file is /etc/lynx.cfg.

2.) path to ca certificates
I am not sure if that step is required so just do it if your lynx cannot just dump the output of your command.
Check if it is correct file on your system:

SSL_CERT_FILE:/etc/ssl/certs/ca-certificates.crt

If not change the config in lynx.

3.) Update your trusted certificates

I put the firewall self signed certificate in that file. Again I am not sure if this is requred. I suggest to change this if your lynx cannot just dump the output of your command. in this example the asa firewall has the ip 192.168.1.1.

$ openssl s_client -showcerts -connect 192.168.1.1:443
$ sudo echo "...firewall cert..." >> /etc/ssl/certs/ca-certificates.crt

My examples:

Just create the following bash script (the syntax of lynx has changed since the packetpushers post!):

$ vi lynx_asa_command.sh
#!/bin/bash
#  $1 is the IP expected from command line as an argument
#  $2 is the command expected from command line as an argument
#

lynx -auth=cisco_username:password -dump "https://$1:443/exec/$2"

this script contains your credentials, you should save it on a secure place! Save it on your desktop :-)

let your script to be executed

$ chmod +x lynx_asa_command.sh

and issue the commands you need, like:

$ ./lynx_asa_command.sh 192.168.1.1 "sh int ip brief"
$ ./lynx_asa_command.sh 192.168.1.1 "sh access-list"
$ ./lynx_asa_command.sh 192.168.1.1 "sh int | grep drop"

Or issue this command multiple if needed:

$ while true ; do lynx -auth=cisco_username:password -dump "https://192.168.1.1:443/exec/sh asp drop" ; sleep 1 ; done

If you have your output you can start to analyse it deeper or just forward it to your monitoring tool…

Sources:
http://packetpushers.net/interacting-with-the-cisco-asa-cli-using-the-https-interface/
http://lynx.isc.org/current/README.sslcerts

Advertisements