XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(5)

Available Languages

Download Options

PDF (310.2 KB)
View with Adobe Reader on a variety of devices
ePub (92.6 KB)
View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle) (123.9 KB)
View on Kindle device or Kindle app on multiple devices

Updated:February 28, 2016

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(5)

Northbound API

Interfaces

Transparent Bridge Group Virtual Interfaces

ASA Configuration

XML Example

Routed Firewall Interfaces

ASA Configuration

XML Example

Port Channel Interfaces

ASA Configuration

XML Example

Access Lists and Associated Access Groups

ASA Configuration

XML Example

Access Lists Using Dynamically Created EPG Network Objects

Basic Threat Detection

ASA Configuration

XML Example

Scanning Threat Detection

ASA Configuration

XML Example

Advanced Threat Detection

Network Time Protocol

Application Inspections

Network Address Translation

ASA Configuration

XML Example

Intrusion Prevention System

Network Object Groups

ASA Configuration

XML Example

High Availability (Failover)

Support for Cisco TrustSec

Creating a Security Object Group

ASA Configuration

XML Example

Creating a Security Group ACL

ASA Configuration 1

XLM Example 1

XML Example 2

Configuring an ISE AAA-Server for TrustSec

ASA Configuration

XLM Example

Manually Assigning a Security Group Tag (SGT) to an IP Host Mapping

ASA Configuration

Configuring TrustSec SXP to Get a SGT From an AAA-Server

ASA Configuration

XLM Example

Configuring a SXP Listener and Speaker

ASA Configuration

XLM Example

XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(5)

Released: February 26, 2016

This document provides XML examples for the ASA features that are supported through the Application Policy Infrastructure Controller (APIC) northbound APIs. However, the document does not include a complete list of all the ASA feature options available for these services. To determine the options that the northbound APIs allow, you should use the device_specification.xml file that is provided with the ASA device package.

For information about how to use the APIC northbound APIs, see the Cisco APIC Management Information Model Reference.

Northbound API

The following is a sample XML for accessing the ASA. For a multi-context ASA, access information directly under vnsLDevVip is that of the admin context in the ASA; the one in the vnsCDev folder is that of the target user context. Again, admin context can be used as the target user context.

Only one context from a given multi-context ASA is allowed here.

<fvTenant

dn="uni/tn-tenant1"

name="tenant1">

<!---Admin context access information ---/>

<!---User context access information ---/>

</vnsCDev>

</vnsLDevVip>

</fvTenant>

</polUni>

Interfaces

Interfaces are typically set up as part of the overall infrastructure on the APIC using a service graph. The graphs are associated with contracts, concrete devices, logical devices, and logical interfaces. The graphs also require the interface IP addresses to be in an appropriate range previously defined for the associated tenant. The graph setups show the various interface types. For an ASAv, interfaces are defined on the ASA itself using the physical interfaces; for the hardware ASAs, interfaces are defined using VLANs. The XML files to define the interfaces are the same, and the device package uses the “devtype” field (PHYSICAL or VIRTUAL) to determine the correct CLIs to send to the ASA for configuration. The “funcType” field (GoTo or GoThrough) determines whether the interfaces are for a transparent or routed firewall.

Transparent Bridge Group Virtual Interfaces

This XML example creates the following bridge group and adds bridge group members. The example is for a hardware ASA; VLANs are dynamically assigned.

ASA Configuration

interface GigabitEthernet0/0

no nameif

no security-level

interface GigabitEthernet0/0.987

vlan 987

nameif externalIf

bridge-group 1

security-level 50

interface GigabitEthernet0/1

no nameif

no security-level

interface GigabitEthernet0/1.986

vlan 986

nameif internalIf

bridge-group 1

security-level 100

interface BVI1

ip address 10.10.10.2 255.255.255.0

XML Example

Define a graph and interfaces, then attach them to the tenant.

</vnsAbsTermNodeCon>

</vnsAbsFuncConn>

</vnsAbsFuncConn>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsDevCfg>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsFuncCfg>

</vnsAbsNode>

</vnsAbsTermNodeProv>

</vnsAbsConnection>

</vnsAbsConnection>

</vnsAbsGraph>

</fvTenant>

</polUni>

Routed Firewall Interfaces

This XML example creates the following routed interfaces. The example is for a hardware ASA; VLANs are dynamically assigned.

ASA Configuration

interface GigabitEthernet0/0.655

vlan 655

mac-address 00aa.00bb.00cc standby 00ff.00ff.ffff

nameif externalIf

security-level 50

ip address 20.20.20.20 255.255.255.0 standby 20.20.20.21

interface GigabitEthernet0/1.968

vlan 968

nameif internalIf

security-level 100

ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11

XML Example

Define a graph, then attach it to the tenant.

polUni>

</vnsAbsTermConn>

</vnsAbsTermNodeCon>

</vnsAbsFuncConn>

</vnsAbsFuncConn>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsDevCfg>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsFuncCfg>

</vnsAbsNode>

</vnsAbsTermConn>

</vnsAbsTermNodeProv>

</vnsAbsConnection>

</vnsAbsConnection>

</vnsAbsGraph>

</vzSubj>

</vzBrCP>

</fvTenant>

</polUni>

Port Channel Interfaces

This XML example creates the following port channel members and port channel interfaces (supported only on physical ASAs at this time).

ASA Configuration

interface GigabitEthernet0/0

channel-group 2 mode active

no nameif

no security-level

no ip address

interface GigabitEthernet0/1

channel-group 1 mode active

no nameif

no security-level

no ip address

interface Port-channel1.100

vlan 100

nameif externalIf

security-level 50

ip address 20.20.20.20 255.255.255.0 standby 20.20.20.21

interface Port-channel2.200

vlan 200

nameif internalIf

ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11

XML Example

Define the port channel members, graph, then attach them to the tenant.

</vnsDevFolder>

</vnsDevFolder>

</vnsLDevVip>

</vnsLIfCtx>

</vnsLIfCtx>

</vnsLDevCtx>

</fvTenant>

</polUni>

</vnsAbsTermConn>

</vnsAbsTermNodeCon>

</vnsAbsFuncConn>

</vnsAbsFuncConn>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsDevCfg>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsFuncCfg>

</vnsAbsNode>

</vnsAbsTermConn>

</vnsAbsTermNodeProv>

</vnsAbsConnection>

</vnsAbsConnection>

</vnsAbsGraph>

</fvTenant>

</polUni>

</vzSubj>

</vzBrCP>

</fvTenant>

</polUni>

Access Lists and Associated Access Groups

This XML example creates an access list and assigns it to an access group associated with an existing interface.

ASA Configuration

access-list ACL2 extended deny ip any any

access-list ACL2 extended permit icmp any any

access-list ACL1 extended permit tcp any any eq ssh

access-list ACL1 extended permit tcp any any eq https

access-group ACL2 in interface externalIf

access-group ACL1 out interface internalIf

XML Example

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsDevCfg>

</vnsAbsNode>

</vnsAbsGraph>

</fvTenant>

</polUni>

Access Lists Using Dynamically Created EPG Network Objects

This XML example creates an access list that dynamically updates the object group membership in the ACL, where the object group corresponds to an End Point Group (EPG).

Note You must create the necessary AccessControlEntry in APIC.

ASA Configuration

access-list EPG_ACL extended permit ip object-group __$EPG$_web object-group __$EPG$_app

access-group EPG_ACL in interface externalIf

XML Example

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsDevCfg>

</vnsAbsNode>

</vnsAbsGraph>

</fvTenant>

</polUni>

IP Audit

This XML example sets up the IP audit attack configuration.

ASA Configuration

ip audit attack action drop

XML Example (Attack)

</vnsDevFolder>

</vnsLDevVip>

</fvTenant>

</polUni>

XML Example (Info)

This XML example also sets up the IP audit attack configuration.

ip audit attack action reset

</vnsDevFolder>

</vnsLDevVip>

</fvTenant>

</polUni>

Logging

This XML example sets up the logging configuration.

ASA Configuration

logging enable

logging buffer-size 8192

logging buffered critical

logging trap alerts

XML Example

</vnsDevFolder>

</vnsLDevVip>

</fvTenant>

</polUni>

Static Route

This XML example sets up the static route configuration that is associated with an existing interface.

ASA Configuration

route internalIf 10.100.0.0 255.255.0.0 10.6.55.1 1

XML Example

</vnsAbsFolder>

</vnsAbsDevCfg>

</vnsAbsNode>

</vnsAbsGraph>

</fvTenant>

</polUni>

Basic Threat Detection

This XML example sets up a basic threat detection rate for an ACL drop.

ASA Configuration

threat-detection rate acl-drop rate-interval 600 average-rate 0 burst-rate 0

XML Example

</vnsDevFolder>

</vnsLDevVip>

</fvTenant>

</polUni>

Scanning Threat Detection

This XML example sets up the scanning threat detection rate.

ASA Configuration

threat-detection rate scanning-threat rate-interval 600 average-rate 100 burst-rate 40
threat-detection scanning-threat shun

XML Example

</vnsDevFolder>

</vnsDevFolder>

</vnsLDevVip>

</fvTenant>

</polUni>

Advanced Threat Detection

This XML example sets up advanced threat detection statistics.

ASA Configuration

threat-detection statistics host

threat-detection statistics port number-of-rate 2

threat-detection statistics protocol number-of-rate 3

threat-detection statistics tcp-intercept rate-interval 50 burst-rate 200 average-rate 100

XML Example

</vnsDevFolder>

</vnsDevFolder>

</vnsDevFolder>

</vnsDevFolder>

</vnsLDevVip>

</fvTenant>

</polUni>

Protocol Timeouts

This XML example sets up the protocol timeout value for the connection timer.

ASA Configuration

timeout conn 2:00:59

XML Example

</vnsDevFolder>

</vnsLDevVip>

</fvTenant>

</polUni>

Network Time Protocol

This XML example turns on the Network Time Protocol (NTP) feature that defines the server to use.

ASA Configuration

ntp server 192.168.100.100 prefer

XML Example

</vnsDevFolder>

</vnsLDevVip>

</fvTenant>

</polUni>

Smart Call-Home

This XML example turns on the Smart Call-Home feature with anonymous reporting.

ASA Configuration

call-home reporting anonymous

XML Example

</vnsDevFolder>

</vnsLDevVip>

</fvTenant>

</polUni>

Domain Name System

This XML example turns on the Domain Name System (DNS) feature, links it to the utility interface, and specifies which domain name and server IP to use.

ASA Configuration

Note You must preconfigure the utility interface on the ASA using the nameif management-utility command.

dns domain-lookup management-utility

dns server-group DefaultDNS

name-server 1.1.1.1

domain-name testDomain

XML Example

</vnsDevFolder>

</vnsLDevVip>

</fvTenant>

</polUni>

Connection Limits

This XML example shows connection limits associated with interfaces (global connection limits are not supported), matches any traffic, and sets up the maximum number of connections that are allowed. Also included are connection limits on internal and external interfaces.

ASA Configuration

class-map connlimits_internalIf

match any

policy-map internalIf

class connlimits_internalIf

set connection conn-max 654 embryonic-conn-max 456

service-policy internalIf interface internalIf

XML Example

</vnsAbsFolder>

</vnsAbsDevCfg>

</vnsAbsNode>

</vnsAbsGraph>

</fvTenant>

</polUni>

Application Inspections

This XML example shows application inspections associated with interfaces (global application inspection is not supported), matches default inspection traffic, and enables HTTP inspection. Also included is application inspection on internal and external interfaces.

ASA Configuration

class-map inspection_internalIf

match default-inspection-traffic

policy-map internalIf

class inspection_internalIf

inspect http

service-policy internalIf interface internalIf

XML Example

</vnsAbsFolder>

</vnsAbsDevCfg>

</vnsAbsNode>

</vnsAbsGraph>

</fvTenant>

</polUni>

Global NetFlow

This XML example sets up the NetFlow feature. The example shows how to create a simple access list to which traffic is matched, creates a NetFlow object, and enables NetFlow globally for the NetFlow objects. Also included is NetFlow on internal and external interfaces.

ASA Configuration

class-map netflow_default

match any

flow-export destination management-utility 1.2.3.4 1024

flow-export template timeout-rate 120

flow-export delay flow-create 60

flow-export active refresh-interval 30

class netflow_default

flow-export event-type all destination 1.2.3.4

XML Example

</vnsDevFolder>

</vnsDevFolder>

</vnsLDevVip>

</fvTenant>

</polUni>

Network Address Translation

This XML example sets up the Network Address Translation (NAT) feature on the external interface, based on the previously created network objects, ilinux1 and olinux1.

ASA Configuration

nat (externalIf,internalIf) source static ilinux1 olinux1

XML Example

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsDevCfg>

</vnsAbsFolder>

</vnsAbsFuncCfg>

</vnsAbsNode>

</vnsAbsGraph>

</fvTenant>

</polUni>

Intrusion Prevention System

This XML example sets up the Intrusion Prevention System (IPS) feature. The example shows how to match traffic to a previously created access list, ACL1, and enables IPS as inline and fail-open. Also included is IPS on internal and global interfaces.

ASA Configuration

class-map ips_internalIf

match access-list ACL1

policy-map internalIf

class ips_internalIf

ips inline fail-open

service-policy internalIf interface internalIf

XML Example

</vnsAbsFolder>

</vnsAbsDevCfg>

</vnsAbsNode>

</vnsAbsGraph>

</fvTenant>

</polUni>

SourceFire

This XML example shows a basic SourceFire configuration in fail-open and monitor-only mode.

ASA Configuration

access-list ACL1 extended permit ip any any

class-map sfr_internalIf

match access-list ACL1

policy-map internalIf

class sfr_internalIf

sfr fail-open monitor-only

XML Example

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsDevCfg>

</vnsAbsNode>

</vnsAbsGraph>

</fvTenant>

</polUni>

Network Objects

This XML example sets up a network object with a host IP address and description.

ASA Configuration

object network ilinux1

host 192.168.1.48

description User1 laptop

XML Example

</vnsAbsFolder>

</vnsAbsDevCfg>

</vnsAbsNode>

</vnsAbsGraph>

</fvTenant>

</polUni>

Network Object Groups

This XML example sets up a network object group with a group name and group objects.

ASA Configuration

object-group network Cisco-Network-Object-GroupA

description Cisco inside network

network-object host 192.168.1.51

XML Example

</vnsAbsFolder>

</vnsAbsDevCfg>

</vnsAbsNode>

</vnsAbsGraph>

</fvTenant>

</polUni>

High Availability (Failover)

This XML example enables failover and specifies the failover interface and IP addresses.

ASA Configuration

failover

failover lan unit primary

failover lan interface fover GigabitEthernet0/0

failover interface ip fover 192.168.17.1 255.255.255.0 standby 192.168.17.2

XML Example

<vnsRsMetaIf

tDn="uni/infra/mDev-CISCO-ASA-{dp_version}/mIfLbl-failover_lan"/>

<vnsRsCIfAtt

tDn="uni/tn-tenant1/lDevVip-Firewall/cDev-ASAP/cIf-[Gig0/0]"/>

</vnsLIf>

</vnsDevFolder>

</vnsDevFolder>

</vnsCDev>

</vnsLDevVip>

</fvTenant>

</polUni>

TCP Service Reset

This XML example sends a Reset Reply for Denied Inbound/Outbound TCP Packets.

ASA Configuration

service resetinbound | resetoutbount interface interface_name

XML Example

<vnsAbsFolder name="TCPOpt" key="TCPOptions">"

</vnsAbsFolder>

</vnsAbsDevCfg>

</vnsAbsNode>

</vnsAbsGraph>

</fvTenant>

</polUni>

Support for Cisco TrustSec

Creating a Security Object Group

ASA Configuration

test_SecurityObjCreate = '''\

object-group security coke_sec_obj

security-group name mktg

'''

XML Example

</vnsAbsFolder>

</vnsAbsDevCfg>

</vnsAbsNode>

</vnsAbsGraph>

</fvTenant>

</polUni>

Creating a Security Group ACL

ASA Configuration 1

access-list FROM_OUTSIDE extended permit icmp object-group-security coke-sec-obj any any

XLM Example 1

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsDevCfg>

</vnsAbsNode>

</vnsAbsGraph>

</fvTenant>

</polUni>

ASA Configuration 2

access-list TEST-ACL extended permit tcp object-group-security paris any any eq 800

XML Example 2

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsFolder>

</vnsAbsDevCfg>

</vnsAbsNode>

</vnsAbsGraph>

</fvTenant>

</polUni

Configuring an ISE AAA-Server for TrustSec

ASA Configuration

aaa-server __$ISEServer$__ protocol radius

aaa-server __$ISEServer$__ (management) host 192.168.102.241

key *****

cts server-group __$ISEServer$__

XLM Example

test1_trustSecxml='''\

</vnsDevFolder>

</vnsLDevVip>

</fvTenant>

</polUni>

'''

Manually Assigning a Security Group Tag (SGT) to an IP Host Mapping

ASA Configuration

cts role-based sgt-map 30.30.30.100 sgt 100

cts role-based sgt-map 2001:3030:30::112 sgt 65519

XLM Example

test2_trustSecxml='''\

</vnsDevFolder>

</vnsDevFolder>

</vnsLDevVip>

</fvTenant>

</polUni>

'''

Configuring TrustSec SXP to Get a SGT From an AAA-Server

ASA Configuration

cts sxp enable

cts sxp default password *****

cts sxp reconciliation period 60

cts sxp retry period 60

XLM Example

test3_trustSecxml='''\

</vnsDevFolder>

</vnsLDevVip>

</fvTenant>

</polUni>

'''

Configuring a SXP Listener and Speaker

ASA Configuration

cts sxp connection peer 2001:3030:30::112 password default mode local listener

cts sxp connection peer 192.168.102.240 password default mode local listener

XLM Example

test4_trustSecxml='''\

</vnsDevFolder>

</vnsDevFolder>

</vnsLDevVip>

</fvTenant>

</polUni>

'''

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(5)

Available Languages

Download Options

Bias-Free Language

Table of Contents

XML Examples for the Cisco Application Centric Infrastructure Security Device Package, Version 1.2(5)

Northbound API

Interfaces

Transparent Bridge Group Virtual Interfaces

ASA Configuration

XML Example

Routed Firewall Interfaces

ASA Configuration

XML Example

Port Channel Interfaces

ASA Configuration

XML Example

Access Lists and Associated Access Groups

ASA Configuration

XML Example

Access Lists Using Dynamically Created EPG Network Objects

ASA Configuration

XML Example

IP Audit

ASA Configuration

XML Example (Attack)

XML Example (Info)

Logging

ASA Configuration

XML Example

Static Route

ASA Configuration

XML Example

Basic Threat Detection

ASA Configuration

XML Example

Scanning Threat Detection

ASA Configuration

XML Example

Advanced Threat Detection

ASA Configuration

XML Example

Protocol Timeouts

ASA Configuration

XML Example

Network Time Protocol

ASA Configuration

XML Example

Smart Call-Home

ASA Configuration

XML Example

Domain Name System

ASA Configuration

XML Example

Connection Limits

ASA Configuration

XML Example

Application Inspections

ASA Configuration

XML Example

Global NetFlow

ASA Configuration

XML Example

Network Address Translation

ASA Configuration

XML Example

Intrusion Prevention System

ASA Configuration

XML Example

SourceFire

ASA Configuration

XML Example

Network Objects

ASA Configuration

XML Example

Network Object Groups

ASA Configuration

XML Example

High Availability (Failover)

ASA Configuration