Apic xml126
Apic xml126
Americas Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Northbound API
Northbound API
The following is a sample XML for accessing the ASA. For a multi-context ASA, access information
directly under vnsLDevVip is that of the admin context in the ASA; the one in the vnsCDev folder is that
of the target user context. Again, admin context can be used as the target user context.
Only one context from a given multi-context ASA is allowed here.
<polUni>
<fvTenant
dn="uni/tn-tenant1"
name="tenant1">
<vnsLDevVip name="Firewall" devtype="PHYSICAL">
<vnsRsMDevAtt tDn="uni/infra/mDev-CISCO-ASA-1.2"/>
<!---Admin context access information ---/>
<vnsCMgmt name="devMgmt" host="172.23.204.205" port="443"/>
<vnsCCred name="username" value="admin"/>
<vnsCCredSecret name="password" value="somepassword"/>
<vnsCDev name="ASA">
<!---User context access information ---/>
<vnsCMgmt name="devMgmt" host="172.23.204.123" port="443" />
<vnsCCred name="username" value="admin" />
<vnsCCredSecret name="password" value="otherpassword" />
</vnsCDev>
</vnsLDevVip>
</fvTenant>
</polUni>
Interfaces
Interfaces are typically set up as part of the overall infrastructure on the APIC using a service graph. The
graphs are associated with contracts, concrete devices, logical devices, and logical interfaces. The graphs
also require the interface IP addresses to be in an appropriate range previously defined for the associated
tenant. The graph setups show the various interface types. For an ASAv, interfaces are defined on the
ASA itself using the physical interfaces; for the hardware ASAs, interfaces are defined using VLANs.
The XML files to define the interfaces are the same, and the device package uses the “devtype” field
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
2
Interfaces
(PHYSICAL or VIRTUAL) to determine the correct CLIs to send to the ASA for configuration. The
“funcType” field (GoTo or GoThrough) determines whether the interfaces are for a transparent or routed
firewall.
ASA Configuration
interface GigabitEthernet0/0
no nameif
no security-level
interface GigabitEthernet0/0.987
vlan 987
nameif externalIf
bridge-group 1
security-level 50
interface GigabitEthernet0/1
no nameif
no security-level
interface GigabitEthernet0/1.986
vlan 986
nameif internalIf
bridge-group 1
security-level 100
interface BVI1
ip address 10.10.10.2 255.255.255.0
XML Example
Define a graph and interfaces, then attach them to the tenant.
<polUni>
<fvTenant name="tenant1">
<vnsAbsGraph name = "WebGraph">
<vnsAbsTermNodeCon name = "Input1">
<vnsAbsTermConn name = "C1"/>
</vnsAbsTermNodeCon>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
3
Interfaces
</vnsAbsFuncConn>
<vnsAbsDevCfg>
<vnsAbsFolder key="BridgeGroupIntf" name="1">
<vnsAbsFolder key="IPv4Address" name="internalIfIP">
<vnsAbsParam key="ipv4_address" name="ipv4" value="10.10.10.2/255.255.255.0"/>
<vnsAbsParam key="ipv4_standby_address" name="ipv4s" value="10.10.10.3"/>
</vnsAbsFolder>
</vnsAbsFolder>
<vnsAbsFuncCfg>
<vnsAbsFolder key="ExIntfConfigRelFolder" name="ExtConfigA">
<vnsAbsCfgRel key="ExIntfConfigRel" name="ExtConfigrel" targetName="externalIf"/>
<vnsRsScopeToTerm tDn="uni/tn-tenant1/AbsGraph-WebGraph/AbsTermNodeProv-Output1/outtmnl"/>
<vnsRsCfgToConn tDn="uni/tn-tenant1/AbsGraph-WebGraph/AbsNode-FW1/AbsFConn-external" />
</vnsAbsFolder>
<vnsRsNodeToMFunc tDn="uni/infra/mDev-CISCO-ASA-{dp_version}/mFunc-Firewall"/>
</vnsAbsNode>
</fvTenant>
</polUni>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
4
Interfaces
ASA Configuration
interface GigabitEthernet0/0.655
vlan 655
mac-address 00aa.00bb.00cc standby 00ff.00ff.ffff
nameif externalIf
security-level 50
ip address 20.20.20.20 255.255.255.0 standby 20.20.20.21
interface GigabitEthernet0/1.968
vlan 968
nameif internalIf
security-level 100
ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
XML Example
Define a graph, then attach it to the tenant.
polUni>
<fvTenant name="tenant1">
<vnsAbsGraph name = "WebGraph">
<vnsAbsDevCfg>
<vnsAbsFolder key="Interface" name="internalIf">
<vnsAbsFolder key="InterfaceConfig" name="internalIfCfg">
<vnsAbsFolder key="IPv4Address" name="internalIfIP">
<vnsAbsParam key="ipv4_address" name="ipv4_internal" value="10.10.10.10/255.255.255.0"/>
<vnsAbsParam key="ipv4_standby_address" name="ipv4_internals" value="10.10.10.11"/>
</vnsAbsFolder>
<vnsAbsParam key="security_level" name="internal_security_level" value="100"/>
</vnsAbsFolder>
</vnsAbsFolder>
<vnsAbsFolder key="Interface" name="externalIf">
<vnsAbsFolder key="InterfaceConfig" name="externalIfCfg">
<vnsAbsFolder key="IPv4Address" name="externalIfIP">
<vnsAbsParam key="ipv4_address" name="ipv4_external" value="20.20.20.20/255.255.255.0"/>
<vnsAbsParam key="ipv4_standby_address" name="ipv4_externals" value="20.20.20.21"/>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
5
Interfaces
</vnsAbsFolder>
<vnsAbsParam key="security_level" name="external_security_level" value="50"/>
<vnsAbsFolder key="mac_address" name="mac">
<vnsAbsParam key="active_mac" name="activemac" value="aa.bb.cc"/>
<vnsAbsParam key="standby_mac" name="stbymac" value="ff.ff.ffff"/>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsDevCfg>
<vnsAbsFuncCfg>
<vnsAbsFolder key="ExIntfConfigRelFolder" name="ExtConfig">
<vnsAbsCfgRel key="ExIntfConfigRel" name="ExtConfigrel" targetName="externalIf"/>
<vnsRsScopeToTerm tDn="uni/tn-tenant1/AbsGraph-WebGraph/AbsTermNodeProv-Output1/outtmnl"/>
<vnsRsCfgToConn tDn="uni/tn-tenant1/AbsGraph-WebGraph/AbsNode-FW1/AbsFConn-external" />
</vnsAbsFolder>
</vnsAbsFuncCfg>
<vnsRsNodeToMFunc tDn="uni/infra/mDev-CISCO-ASA-{dp_version}/mFunc-Firewall"/>
</vnsAbsNode>
</vnsAbsGraph>
<vzBrCP name="webCtrct">
<vzSubj name="http">
<vzRsSubjGraphAtt tnVnsAbsGraphName="WebGraph"/>
</vzSubj>
</vzBrCP>
</fvTenant>
</polUni>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
6
Interfaces
ASA Configuration
interface GigabitEthernet0/0
channel-group 2 mode active
no nameif
no security-level
no ip address
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif
no security-level
no ip address
interface Port-channel1.100
vlan 100
nameif externalIf
security-level 50
ip address 20.20.20.20 255.255.255.0 standby 20.20.20.21
interface Port-channel2.200
vlan 200
nameif internalIf
ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
XML Example
Define the port channel members, graph, then attach them to the tenant.
<polUni>
<fvTenant dn="uni/tn-tenant1" name="tenant1">
<vnsLDevVip name="Firewall" funcType="GoTo" devtype="PHYSICAL">
<vnsRsMDevAtt tDn="uni/infra/mDev-CISCO-ASA-{dp_version}"/>
<vnsRsALDevToPhysDomP tDn="uni/phys-phys"/>
<vnsCMgmt name="devMgmt" host="10.122.202.33" port="443" />
<vnsCCred name="username" value="management-user"/>
<vnsCCredSecret name="password" value="cisco"/>
<vnsDevFolder key="PortChannelMember" name="PC1a">
<vnsDevParam key="port_channel_id" name="PC1a" value="1"/>
<vnsDevParam key="interface" name="PC1a" value="Gig0/1"/>
</vnsDevFolder>
<vnsDevFolder key="PortChannelMember" name="PC2a">
<vnsDevParam key="port_channel_id" name="PC2a" value="2"/>
<vnsDevParam key="interface" name="PC2a" value="Gig0/0"/>
</vnsDevFolder>
</vnsLDevVip>
<vnsLDevCtx ctrctNameOrLbl="webCtrct" graphNameOrLbl="WebGraph" nodeNameOrLbl="FW1">
<vnsRsLDevCtxToLDev tDn="uni/tn-tenant1/lDevVip-Firewall"/>
<vnsLIfCtx connNameOrLbl="internal">
<vnsRsLIfCtxToBD tDn= "uni/tn-tenant1/BD-tenant1BD1"/>
<vnsRsLIfCtxToLIf tDn="uni/tn-tenant1/lDevVip-Firewall/lIf-internalPC"/>
</vnsLIfCtx>
<vnsLIfCtx connNameOrLbl="external">
<vnsRsLIfCtxToLIf tDn="uni/tn-tenant1/lDevVip-Firewall/lIf-externalPC"/>
<vnsRsLIfCtxToBD tDn= "uni/tn-tenant1/BD-tenant1BD2"/>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
7
Interfaces
</vnsLIfCtx>
</vnsLDevCtx>
</fvTenant>
</polUni>
<polUni>
<fvTenant name="tenant1">
<vnsAbsDevCfg>
<vnsAbsFolder key="Interface" name="internalIf">
<vnsAbsFolder key="InterfaceConfig" name="internalIfCfg">
<vnsAbsFolder key="IPv4Address" name="internalIfIP">
<vnsAbsParam key="ipv4_address" name="ipv4_internal" value="10.10.10.10/255.255.255.0"/>
<vnsAbsParam key="ipv4_standby_address" name="ipv4_internals" value="10.10.10.11"/>
</vnsAbsFolder>
<vnsAbsParam key="security_level" name="internal_security_level" value="100"/>
</vnsAbsFolder>
</vnsAbsFolder>
<vnsAbsFolder key="Interface" name="externalIf">
<vnsAbsFolder key="InterfaceConfig" name="externalIfCfg">
<vnsAbsFolder key="IPv4Address" name="externalIfIP">
<vnsAbsParam key="ipv4_address" name="ipv4_external" value="20.20.20.20/255.255.255.0"/>
<vnsAbsParam key="ipv4_standby_address" name="ipv4_externals" value="20.20.20.21"/>
</vnsAbsFolder>
<vnsAbsParam key="security_level" name="external_security_level" value="50"/>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsDevCfg>
<vnsAbsFuncCfg>
<vnsAbsFolder key="ExIntfConfigRelFolder" name="ExtConfig">
<vnsAbsCfgRel key="ExIntfConfigRel" name="ExtConfigrel" targetName="externalIf"/>
<vnsRsScopeToTerm tDn="uni/tn-tenant1/AbsGraph-WebGraph/AbsTermNodeProv-Output1/outtmnl"/>
<vnsRsCfgToConn tDn="uni/tn-tenant1/AbsGraph-WebGraph/AbsNode-FW1/AbsFConn-external" />
</vnsAbsFolder>
</vnsAbsFuncCfg>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
8
Access Lists and Associated Access Groups
<vnsRsNodeToMFunc tDn="uni/infra/mDev-CISCO-ASA-{dp_version}/mFunc-Firewall"/>
</vnsAbsNode>
</vnsAbsGraph>
</fvTenant>
</polUni>
<polUni>
<fvTenant name="tenant1">
<vzBrCP name="webCtrct">
<vzSubj name="http">
<vzRsSubjGraphAtt tnVnsAbsGraphName="WebGraph"/>
</vzSubj>
</vzBrCP>
</fvTenant>
</polUni>
ASA Configuration
access-list ACL2 extended deny ip any any
access-list ACL2 extended permit icmp any any
access-list ACL1 extended permit tcp any any eq ssh
access-list ACL1 extended permit tcp any any eq https
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsAbsGraph name = "WebGraph">
<vnsAbsNode name = "FW1">
<vnsAbsDevCfg>
<vnsAbsFolder key="AccessList" name="ACL1">
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
9
Access Lists and Associated Access Groups
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
10
Access Lists Using Dynamically Created EPG Network Objects
ASA Configuration
access-list EPG_ACL extended permit ip object-group __$EPG$_web object-group __$EPG$_app
access-group EPG_ACL in interface externalIf
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsAbsGraph name = "WebGraph">
<vnsAbsNode name = "FW1">
<vnsAbsDevCfg>
<vnsAbsFolder key="AccessList" name="EPG_ACL">
<vnsAbsFolder key="AccessControlEntry" name="EPG_ACE">
<vnsAbsParam key="action" name="action1" value="permit"/>
<vnsAbsParam key="order" name="order1" value="1"/>
<vnsAbsFolder key="source_address" name="saddr1">
<vnsAbsParam key="epg_name" name="webEPG"
value="tenantname-profilename-web"/>
</vnsAbsFolder>
<vnsAbsFolder key="destination_address" name="daddr1">
<vnsAbsParam key="epg_name" name="appEPG"
value="tenantname-profilename-app"/>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsFolder>
<vnsAbsFolder key="Interface" name="externalIf">
<vnsAbsFolder name="access-group-EPG" key="AccessGroup">
<vnsAbsCfgRel name="name" key="inbound_access_list_name"
targetName="EPG_ACL"/>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsDevCfg>
</vnsAbsNode>
</vnsAbsGraph>
</fvTenant>
</polUni>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
11
IP Audit
IP Audit
This XML example sets up the IP audit attack configuration.
ASA Configuration
ip audit attack action drop
<polUni>
<fvTenant name="tenant1">
<vnsLDevVip name="Firewall">
<vnsDevFolder key="IPAudit" name="A">
<vnsDevParam key="IPAuditInfo" name="IPinfo" value="reset"/>
</vnsDevFolder>
</vnsLDevVip>
</fvTenant>
</polUni>
Logging
This XML example sets up the logging configuration.
ASA Configuration
logging enable
logging buffer-size 8192
logging buffered critical
logging trap alerts
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
12
Static Route
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsLDevVip name="Firewall">
<vnsDevFolder key="LoggingConfig" name="Log">
<vnsDevParam key="enable_logging" name="enlog" value="enable"/>
<vnsDevParam key="buffered_level" name="bufflev" value="critical"/>
<vnsDevParam key="buffer_size" name="buffsize" value="8192"/>
<vnsDevParam key="trap_level" name="trap" value="1"/>
</vnsDevFolder>
</vnsLDevVip>
</fvTenant>
</polUni>
Static Route
This XML example sets up the static route configuration that is associated with an existing interface.
ASA Configuration
route internalIf 10.100.0.0 255.255.0.0 10.6.55.1 1
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsAbsGraph name = "WebGraph">
<vnsAbsNode name = "FW1">
<vnsAbsDevCfg>
<vnsAbsFolder key="Interface" name="internalIf">
<vnsAbsFolder key="StaticRoute" name="InsideRTE1">
<vnsAbsFolder key="route" name="RouteIN1">
<vnsAbsParam key="network" name="network1" value="10.100.0.0"/>
<vnsAbsParam key="netmask" name="netmask1" value="255.255.0.0"/>
<vnsAbsParam key="gateway" name="gateway1" value="10.6.55.1"/>
<vnsAbsParam key="metric" name="metric1" value="1"/>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsDevCfg>
</vnsAbsNode>
</vnsAbsGraph>
</fvTenant>
</polUni>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
13
Basic Threat Detection
ASA Configuration
threat-detection rate acl-drop rate-interval 600 average-rate 0 burst-rate 0
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsLDevVip name="Firewall">
<vnsDevFolder key="BasicThreatDetection" name="BasicTD">
<vnsDevParam key="basic_threat" name="Basic1" value="enable"/>
<vnsDevFolder key="BasicThreatDetectionRateAclDrop" name="BasicTDACL">
<vnsDevParam key="rate_interval" name="ri1" value="600"/>
<vnsDevParam key="average_rate" name="ar1" value="0"/>
<vnsDevParam key="burst_rate" name="br1" value="0"/>
</vnsDevFolder>
</vnsDevFolder>
</vnsLDevVip>
</fvTenant>
</polUni>
ASA Configuration
threat-detection rate scanning-threat rate-interval 600 average-rate 100 burst-rate 40
threat-detection scanning-threat shun
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsLDevVip name="Firewall">
<vnsDevFolder key="ScanningThreatDetection" name="ScanTD1">
<vnsDevParam key="scanning_threat" name="Scan1" value="enable"/>
<vnsDevParam key="shun_status" name="Shun1" value="enable"/>
<vnsDevFolder key="ScanningThreatRate" name="ScanTDrate">
<vnsDevParam key="average_rate" name="ar1" value="100"/>
<vnsDevParam key="rate_interval" name="ri1" value="600"/>
<vnsDevParam key="burst_rate" name="br1" value="40"/>
</vnsDevFolder>
<vnsDevFolder key="ScanningThreatRate" name="ScanTDrate2">
<vnsDevParam key="average_rate" name="ar2" value="10"/>
<vnsDevParam key="rate_interval" name="ri2" value="660"/>
<vnsDevParam key="burst_rate" name="br2" value="20"/>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
14
Advanced Threat Detection
</vnsDevFolder>
</vnsDevFolder>
</vnsLDevVip>
</fvTenant>
</polUni>
ASA Configuration
threat-detection statistics host
threat-detection statistics port number-of-rate 2
threat-detection statistics protocol number-of-rate 3
threat-detection statistics tcp-intercept rate-interval 50 burst-rate 200 average-rate 100
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsLDevVip name="Firewall">
<vnsDevFolder key="AdvancedThreatDetection" name="AdvScan" >
<vnsDevParam key="access_list" name="status5" value="enable"/>
<vnsDevFolder key="AdvancedThreatDetectionTcpIntercept" name="AdvScanTCPInt" >
<vnsDevParam key="status" name="AdvRateStatus" value="enable"/>
<vnsDevParam key="average_rate" name="AdvRate" value="100"/>
<vnsDevParam key="rate_interval" name="AdvRI" value="50"/>
<vnsDevParam key="burst_rate" name="AdvBR" value="200"/>
</vnsDevFolder>
<vnsDevFolder key="AdvancedThreatDetectionHost" name="AdvScanHost" >
<vnsDevParam key="status" name="HostStatus" value="enable"/>
<vnsDevParam key="number_of_rate" name="HostRate" value="1"/>
</vnsDevFolder>
<vnsDevFolder key="AdvancedThreatDetectionPort" name="AdvScanPort" >
<vnsDevParam key="status" name="PortStatus" value="enable"/>
<vnsDevParam key="number_of_rate" name="PortRate" value="2"/>
</vnsDevFolder>
<vnsDevFolder key="AdvancedThreatDetectionProtocol" name="AdvScanProtocol" >
<vnsDevParam key="status" name="ProtocolStatus" value="enable"/>
<vnsDevParam key="number_of_rate" name="ProtocolRate" value="3"/>
</vnsDevFolder>
</vnsDevFolder>
</vnsLDevVip>
</fvTenant>
</polUni>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
15
Protocol Timeouts
Protocol Timeouts
This XML example sets up the protocol timeout value for the connection timer.
ASA Configuration
timeout conn 2:00:59
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsLDevVip name="Firewall">
<vnsDevFolder key="Timeouts" name="TO">
<vnsDevParam key="Connection" name="conn1" value="2:0:59"/>
</vnsDevFolder>
</vnsLDevVip>
</fvTenant>
</polUni>
ASA Configuration
ntp server 192.168.100.100 prefer
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsLDevVip name="Firewall">
<vnsDevFolder key="NTP" name="NTP">
<vnsDevFolder key="NTPServer" name="NTPServer">
<vnsDevParam key="server" name="server" value="192.168.100.100"/>
<vnsDevParam key="prefer" name="prefer" value="enable"/>
</vnsDevFolder>
</vnsDevFolder>
</vnsLDevVip>
</fvTenant>
</polUni>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
16
Smart Call-Home
Smart Call-Home
This XML example turns on the Smart Call-Home feature with anonymous reporting.
ASA Configuration
call-home reporting anonymous
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsLDevVip name="Firewall">
<vnsDevFolder key="SmartCallHome" name="SmartCallHome">
<vnsDevParam key="anonymous_reporting" name="anonymous_reporting" value="enable"/>
</vnsDevFolder>
</vnsLDevVip>
</fvTenant>
</polUni>
ASA Configuration
Note You must preconfigure the utility interface on the ASA using the nameif management-utility
command.
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsLDevVip name="Firewall">
<vnsDevFolder key="DNS" name="DNS">
<vnsDevParam key="domain_name" name="domain_name" value="testDomain"/>
<vnsDevParam key="name_server" name="name_server" value="1.1.1.1"/>
</vnsDevFolder>
</vnsLDevVip>
</fvTenant>
</polUni>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
17
Connection Limits
Connection Limits
This XML example shows connection limits associated with interfaces (global connection limits are not
supported), matches any traffic, and sets up the maximum number of connections that are allowed. Also
included are connection limits on internal and external interfaces.
ASA Configuration
class-map connlimits_internalIf
match any
policy-map internalIf
class connlimits_internalIf
set connection conn-max 654 embryonic-conn-max 456
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsAbsGraph name = "WebGraph">
<vnsAbsNode name = "FW1">
<vnsAbsDevCfg>
<vnsAbsFolder key="Interface" name="internalIf">
<vnsAbsFolder key="ServicePolicy" name="ConLim-Policy">
<vnsAbsParam key="ServicePolicyState" name="PolicyState" value="enable"/>
<vnsAbsFolder key="ConnectionLimits" name="ConnLim">
<vnsAbsFolder key="ConnectionSettings" name="ConnectionSettingsA">
<vnsAbsParam key="conn_max" name="conn_max" value="654"/>
<vnsAbsParam key="conn_max_embryonic" name="conn_max_embryonic"
value="456"/>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsDevCfg>
</vnsAbsNode>
</vnsAbsGraph>
</fvTenant>
</polUni>
Application Inspections
This XML example shows application inspections associated with interfaces (global application
inspection is not supported), matches default inspection traffic, and enables HTTP inspection. Also
included is application inspection on internal and external interfaces.
ASA Configuration
class-map inspection_internalIf
match default-inspection-traffic
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
18
Global NetFlow
policy-map internalIf
class inspection_internalIf
inspect http
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsAbsGraph name = "WebGraph">
<vnsAbsNode name = "FW1">
<vnsAbsDevCfg>
<vnsAbsFolder key="Interface" name="internalIf">
<vnsAbsFolder key="ServicePolicy" name="Inspection-Policy">
<vnsAbsParam key="ServicePolicyState" name="PolicyState" value="enable"/>
<vnsAbsFolder key="ApplicationInspection" name="ApplicationInspection">
<vnsAbsFolder key="InspectionSettings" name="InspectionSettingsA">
<vnsAbsParam key="http" name="http" value="enable"/>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsDevCfg>
</vnsAbsNode>
</vnsAbsGraph>
</fvTenant>
</polUni>
Global NetFlow
This XML example sets up the NetFlow feature. The example shows how to create a simple access list
to which traffic is matched, creates a NetFlow object, and enables NetFlow globally for the NetFlow
objects. Also included is NetFlow on internal and external interfaces.
ASA Configuration
class-map netflow_default
match any
class netflow_default
flow-export event-type all destination 1.2.3.4
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsLDevVip name="Firewall">
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
19
Network Address Translation
ASA Configuration
nat (externalIf,internalIf) source static ilinux1 olinux1
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsAbsGraph name = "WebGraph">
<vnsAbsNode name = "FW1">
<vnsAbsDevCfg>
<vnsAbsFolder key="NATList" name="ListA">
<vnsAbsFolder key="NATRule" name="RuleA">
<vnsAbsParam key="order" name="order" value="3"/>
<vnsAbsFolder key="source_translation" name="source_trans">
<vnsAbsFolder key="mapped_object" name="mapped_object">
<vnsAbsCfgRel key="object_name" name="map_name" targetName="olinux1"/>
</vnsAbsFolder>
<vnsAbsFolder key="real_object" name="real_object">
<vnsAbsCfgRel key="object_name" name="real_name" targetName="ilinux1"/>
</vnsAbsFolder>
<vnsAbsParam key="nat_type" name="nat_type" value="static"/>
</vnsAbsFolder>
</vnsAbsFolder>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
20
Intrusion Prevention System
</vnsAbsFolder>
</vnsAbsDevCfg>
<vnsAbsFuncCfg>
<vnsAbsFolder key="NATPolicy" name="PolicyA">
<vnsAbsCfgRel key="nat_list_name" name="nat_listA" targetName="ListA"/>
</vnsAbsFolder>
</vnsAbsFuncCfg>
</vnsAbsNode>
</vnsAbsGraph>
</fvTenant>
</polUni>
ASA Configuration
class-map ips_internalIf
match access-list ACL1
policy-map internalIf
class ips_internalIf
ips inline fail-open
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsAbsGraph name = "WebGraph">
<vnsAbsNode name = "FW1">
<vnsAbsDevCfg>
<vnsAbsFolder key="Interface" name="internalIf">
<vnsAbsFolder key="ServicePolicy" name="IPS-Policy">
<vnsAbsParam key="ServicePolicyState" name="PolicyState" value="enable"/>
<vnsAbsFolder key="IPS" name="IPS">
<vnsAbsCfgRel key="TrafficSelection" name="TrafficSelect" targetName="ACL1"/>
<vnsAbsFolder key="IPSSettings" name="IPSSettingsA">
<vnsAbsParam key="operate_mode" name="operate_mode" value="inline"/>
<vnsAbsParam key="fail_mode" name="fail_mode" value="fail-open"/>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsDevCfg>
</vnsAbsNode>
</vnsAbsGraph>
</fvTenant>
</polUni>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
21
SourceFire
SourceFire
This XML example shows a basic SourceFire configuration in fail-open and monitor-only mode.
ASA Configuration
access-list ACL1 extended permit ip any any
class-map sfr_internalIf
match access-list ACL1
policy-map internalIf
class sfr_internalIf
sfr fail-open monitor-only
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsAbsGraph name = "WebGraph">
<vnsAbsNode name = "FW1">
<vnsAbsDevCfg>
<vnsAbsFolder key="AccessList" name="ACL1">
<vnsAbsFolder key="AccessControlEntry" name="ACE1">
<vnsAbsParam key="action" name="action1" value="permit"/>
<vnsAbsParam key="order" name="order1" value="1"/>
</vnsAbsFolder>
</vnsAbsFolder>
<vnsAbsFolder key="Interface" name="internalIf">
<vnsAbsFolder key="ServicePolicy" name="SFR-Policy">
<vnsAbsParam key="ServicePolicyState" name="PolicyState"
value="enable"/>
<vnsAbsFolder key="SFR" name="SFR">
<vnsAbsCfgRel key="TrafficSelection" name="TrafficSelect"
targetName="ACL1"/>
<vnsAbsFolder key="SFRSettings" name="SFRSettings">
<vnsAbsParam key="monitor_only" name="operate_mode"
value="enable"/>
<vnsAbsParam key="fail_mode" name="fail_mode"
value="fail-open"/>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsDevCfg>
</vnsAbsNode>
</vnsAbsGraph>
</fvTenant>
</polUni>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
22
Network Objects
Network Objects
This XML example sets up a network object with a host IP address and description.
ASA Configuration
object network ilinux1
host 192.168.1.48
description User1 laptop
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsAbsGraph name = "WebGraph">
<vnsAbsNode name = "FW1">
<vnsAbsDevCfg>
<vnsAbsFolder key="NetworkObject" name="ilinux1">
<vnsAbsParam key="host_ip_address" name="host_ip_address" value="192.168.1.48"/>
<vnsAbsParam key="description" name="description" value="User1 laptop"/>
</vnsAbsFolder>
</vnsAbsDevCfg>
</vnsAbsNode>
</vnsAbsGraph>
</fvTenant>
</polUni>
ASA Configuration
object-group network Cisco-Network-Object-GroupA
description Cisco inside network
network-object host 192.168.1.51
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsAbsGraph name = "WebGraph">
<vnsAbsNode name = "FW1">
<vnsAbsDevCfg>
<vnsAbsFolder key="NetworkObjectGroup" name="Cisco-Network-Object-GroupA">
<vnsAbsParam key="description" name="description" value="Cisco inside network"/>
<vnsAbsParam key="host_ip_address" name="host_ip_address" value="192.168.1.51"/>
</vnsAbsFolder>
</vnsAbsDevCfg>
</vnsAbsNode>
</vnsAbsGraph>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
23
High Availability (Failover)
</fvTenant>
</polUni>
ASA Configuration
failover
failover lan unit primary
failover lan interface fover GigabitEthernet0/0
failover interface ip fover 192.168.17.1 255.255.255.0 standby 192.168.17.2
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsLDevVip name="Firewall">
<vnsLIf name="failover_lan">
<vnsRsMetaIf
tDn="uni/infra/mDev-CISCO-ASA-{dp_version}/mIfLbl-failover_lan"/>
<vnsRsCIfAtt
tDn="uni/tn-tenant1/lDevVip-Firewall/cDev-ASAP/cIf-[Gig0/0]"/>
</vnsLIf>
<vnsCDev name="ASAP">
<vnsDevFolder key="FailoverConfig" name="failover_config">
<vnsDevParam key="failover" name="failover" value="enable"/>
<vnsDevParam key="lan_unit" name="lan_unit" value="primary"/>
<vnsDevFolder key="failover_lan_interface" name="failover_lan">
<vnsDevParam key="interface_name" name="interface_name" value="fover"/>
</vnsDevFolder>
<vnsDevFolder key="failover_ip" name="failover_ip">
<vnsDevParam key="interface_name" name="interface_name" value="fover"/>
<vnsDevParam key="active_ip" name="primary_ip" value="192.168.17.1"/>
<vnsDevParam key="netmask" name="netmask" value="255.255.255.0"/>
<vnsDevParam key="standby_ip" name="secondary_ip" value="192.168.17.2"/>
</vnsDevFolder>
</vnsDevFolder>
</vnsCDev>
</vnsLDevVip>
</fvTenant>
</polUni>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
24
TCP Service Reset
ASA Configuration
service resetinbound | resetoutbount interface interface_name
XML Example
<fvTenant name="tenant1">
<vnsAbsGraph name = "WebGraph">
<vnsAbsNode name = "FW1">
<vnsAbsDevCfg>
<vnsAbsFolder key="Interface" name="externalIf">
<vnsAbsFolder name="TCPOpt" key="TCPOptions">"
<vnsAbsParam key="inbound_reset" name="reset" value="disable"/>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsDevCfg>
</vnsAbsNode>
</vnsAbsGraph>
</fvTenant>
</polUni>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
25
Support for Cisco TrustSec
---------
<polUni>
<fvTenant name="tenant1\">
<vnsAbsGraph name = "WebGraph">
<vnsAbsNode name = "FW1">
<vnsAbsDevCfg>
<vnsAbsFolder key="AccessList" name="TEST-ACL">
<vnsAbsFolder key="AccessControlEntry" name="ACE1">
<vnsAbsParam key="action" name="action1" value="permit"/>
<vnsAbsParam key="order" name="order10" value="10"/>
<vnsAbsFolder key="protocol" name="protocol">
<vnsAbsParam key="name_number" name="name_number" value="tcp"/>
</vnsAbsFolder>
<vnsAbsFolder key="source_security_group" name="source_security_group">
<vnsAbsCfgRel key="security_object_group" name="security_object_group"
targetName="paris"/>
</vnsAbsFolder>
<vnsAbsFolder key="destination_service" name="destination_service">
<vnsAbsParam key="high_port" name="high_port" value="2000"/>
<vnsAbsParam key="low_port" name="low_port" value="800"/>
<vnsAbsParam key="operator" name="operator" value="eq"/>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsFolder>
</vnsAbsDevCfg>
</vnsAbsNode>
</vnsAbsGraph>
</fvTenant>
</polUni
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
26
Support for Cisco TrustSec
</vnsLDevVip>
</fvTenant>
</polUni>
'''
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
27
New remark Keyword for the access-list Command
ASA Configuration
access-list ACL2 remark Remarkable1
access-list ACL2 extended permit tcp any any
access-list ACL2 remark Remarkable2
access-list ACL2 extended permit udp any any
access-list ACL2 remark Remarkable3
access-list ACL2 extended permit icmp any any
XML Example
<polUni>
<fvTenant name="tenant1\">
<vnsAbsGraph name = "WebGraph">
<vnsAbsNode name = "FW1">
<vnsAbsDevCfg>
<vnsAbsFolder key="AccessList" name="ACL2">
<vnsAbsFolder key="AccessControlEntry" name="ACE2">
<vnsAbsParam key="action" name="action1" value="permit"/>
<vnsAbsParam key="order" name="order1" value="1"/>
<vnsAbsParam key="remark" name="remark1" value="Remarkable1"/>
<vnsAbsFolder key="protocol" name="protocol1">
<vnsAbsParam key="name_number" name="pNN1" value="tcp"/>
</vnsAbsFolder>
</vnsAbsFolder>
<vnsAbsFolder key="AccessControlEntry" name="ACE3">
<vnsAbsParam key="action" name="action1" value="permit"/>
<vnsAbsParam key="order" name="order3" value="3"/>
<vnsAbsParam key="remark" name="remark2" value="Remarkable2"/>
<vnsAbsFolder key="protocol" name="protocol3">
<vnsAbsParam key="name_number" name="pNN3" value="udp"/>
</vnsAbsFolder>
</vnsAbsFolder>
<vnsAbsFolder key="AccessControlEntry" name="ACE4">
<vnsAbsParam key="action" name="action1" value="permit"/>
<vnsAbsParam key="order" name="order4" value="4"/>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
28
Global Application-Inspections
Global Application-Inspections
ASA Configuration
policy-map global_policy
class inspection_default
inspect rsh
inspect dns preset_dns_map
inspect rtsp
inspect h323 h225
inspect skinny
inspect sip
inspect ip-options
inspect xdmcp
inspect sunrpc
inspect sqlnet
inspect tftp
inspect h323 ras
inspect esmtp
inspect netbios
inspect ftp
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsLDevVip name="Firewall">
<vnsDevFolder key="GlobalServicePolicy" name="GlobalServicePolicy">
<vnsDevParam key="ServicePolicyState" name="ServicePolicyState" value="enable"/>
<vnsDevFolder key="ApplicationInspection" name="ApplicationInspection">
<vnsDevFolder key="InspectionSettings" name="InspectionSettings">
<vnsDevParam key="tftp" name="tftp" value="enable"/>
<vnsDevParam key="rtsp" name="rtsp" value="enable"/>
<vnsDevParam key="h323_h225" name="h323_h225" value="enable"/>
<vnsDevParam key="skinny" name="skinny" value="enable"/>
<vnsDevParam key="sip" name="sip" value="enable"/>
<vnsDevParam key="esmtp" name="esmtp" value="enable"/>
<vnsDevParam key="ftp" name="ftp" value="enable"/>
<vnsDevParam key="h323_ras" name="h323_ras" value="enable"/>
<vnsDevParam key="sunrpc" name="sunrpc" value="enable"/>
<vnsDevParam key="ip_options" name="ip_options" value="enable"/>
<vnsDevParam key="xdmcp" name="xdmcp" value="enable"/>
<vnsDevParam key="sqlnet" name="sqlnet" value="enable"/>
<vnsDevParam key="dns_preset" name="dns_preset" value="enable"/>
<vnsDevParam key="netbios" name="netbios" value="enable"/>
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
29
New same-security-traffic Command
ASA Configuration
Same-security-traffic permit inter-interface
Same-security-traffic permit intra-interface
XML Example
<polUni>
<fvTenant name="tenant1">
<vnsLDevVip name="Firewall">
<vnsDevFolder key="SameSecurityTraffic" name="SameSecurityTraffic">
<vnsDevParam key="inter_interface" name="inter_interface" value="permit"/>
<vnsDevParam key="intra_interface" name="intra_interface" value="permit"/>
</vnsDevFolder>
</vnsLDevVip>
</fvTenant>
</polUni>
ASA Configuration
time-range T1-time-range
absolute start 08:09 07 August 2016 end 12:20 23 September 2018
periodic Tuesday Thursday 8:09 to 20:00
periodic Wednesday 5:07 to Tuesday 17:00
XML Example
<polUni>
<fvTenant name="tenant1\">
<vnsAbsGraph name = "WebGraph">
<vnsAbsNode name = "FW1">
<vnsAbsDevCfg>
<vnsAbsFolder key="TimeRange" name="T1-time-range">
<vnsAbsFolder key="AbsoluteTimeDate" name="AbsoluteTimeDate">
<vnsAbsFolder key="End" name="End">
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
30
New time-range Command
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
31
New time-range Command
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of
Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The
use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and
figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and
coincidental.
XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(6)
32