Scripting Cisco ASA via PowerShell? Why not?!

OK, this is something I’ve been using for a while and wanted to share with you, as I’ve been asked for it a couple of times now.

I’ve got a pair of Cisco ASA’s at the perimeter of our network, and I needed a way some time ago to edit it’s configuration in a scripted manner, so, I started looking at PowerShell and SSH connections, and this didn’t get me anywhere, so I started to look at PLINK.exe. PLINK is almost a spin-off from PuTTY, a free remote connection tool that supports SSH. PLINK is scriptable, in that you can pass it a text file, and it’ll run each line of that file as seperate commands. Simply enough, the powershell script below will echo out to a file any commands you need, then start PLINK and run the code. If it’s a system that you’ve not connected to before, and don’t have the key saved in your registry, you’ll be prompted to accept it.

$ASApw = "MyPassword"
$ASAIP = "MyASAIPAddress"
$ASAUser = "MySSHUserName"
$ASAEnablepw = $ASApw
#Modifies the ASA firewall
#Starts by writing a "commands" file#
echo en >>unicode.txt
echo $ASAEnablepw >>unicode.txt
echo "conf t" >>unicode.txt
echo "show run access-group"
echo exit >>unicode.txt
echo exit >>unicode.txt
#Converts the file to ASCII format (separate file)#
$lines = gc "unicode.txt"
$lines | out-file -encoding Ascii -filepath commands.txt
#Using the command file and plink.exe connects and runs the commands #
./plink.exe -ssh -l $ASAUser -pw $ASApw $ASAIP -m commands.txt
#removes the files it created earlier#
del unicode.txt
del commands.txt

In the above example, the ASA will be asked to show it’s running config’s access-group configuration. You’ll need to modify the echo lines to get this to perform other actions (I use this script to modify static mapping entries and access-lists for example). You’ll also need to modify “$ASAIP”,”$ASAUSer” and “$ASApw” with your IP address, SSH Username and SSH password. The script assumes that the enable password matches this, but if not, edit the “$ASAEnablepw”, and add your enable password there. If you don’t like storing password this way (I don’t particularly) then you can always change these to “read-host” to request the entry from the Powershell command line.

Share

Recent Posts

Microsoft

McCann & MullenLowe – Microsoft Teams Case Study

When bringing companies with different technology systems together, it can be difficult to efficiently collaborate. #Microsoft Teams can help. Learn how its single platform system provided McCann and MullenLowe with the solution they needed to enable their employees to work together. Check out this video:

Read More »