So I needed to automate some configuration tasks on a Cisco ASA firewall, and thought it will be an easy task since it has an SSH interface. But after a couple of failed tries and some searching on the web, I realized that I could not use the standard SSH command mode to access the ASA and that the only working and reliable solution out there (that I found) was on this post: “How to automate scripted commands to a Cisco ASA via ssh“. However, it relies on the “Expect” Linux command, and in my case, I preferred to execute the script directly from the System Center Orchestrator machine, which is windows based. Some blogs mentioned the windows Plink.exe command as an option too, this solution worked but it did not allow to do validations and extra logic during the script execution, as the script is sent to the device in one block. I also found this PowerShell module “SSH from PowerShell using the SSH.NET library” that sounded promising at first, but works with the standard SSH command and when trying to use it, I was not able to connect to my ASA firewall.
Finally, I decided to develop my own PowerShell module base on the SSH.Net library, but unlike the above module, I will be using only the SSH shell stream to interact with the device. The tricky part of working with shell stream is that there is no notification when a command execution is completed. One way to overcome this is by checking for available data on the output stream. Most of the commands’ script are easy to handle because it is valid to assume that the command execution is completed as soon as there is something in the output stream. The problem is that this assumption is not true for long-running commands that report their progress during the execution. To support this kind of commands I needed to add support for specifying a timeout before assuming the command was completed and also allow to specify a regular expression to ignore progress messages when waiting for the command output. The module also handle cleaning extra BS(u0008) characters from the output stream. That noise characters usually appeared when executing a long command.
Proof of concept – script to create a new network object:
[code language=”powershell”]
Import-Module SshShell
$elevatedPrompt = "#.$"
$configPrompt = "(config)#.$"
$objectPrompt = "object)#.$"
$s = New-SshSession -SshHost $asaIP -User $user -Password $password
Send-SshCommand $s "enable" -Expect "Password:"
Send-SshCommand $s "$elevatedPassword" -Expect $elevatedPrompt
Send-SshCommand $s "show run object id $objectId" -Expect $elevatedPrompt
if ($s.LastResult -match "does not exist") {
Send-SshCommand $s "conf t" -Expect $configPrompt
Send-SshCommand $s "object network $objectId" -Expect $objectPrompt
Send-SshCommand $s "description $description" -Expect $objectPrompt
Send-SshCommand $s "host $hostIP" -Expect $objectPrompt
Send-SshCommand $s "end" -Expect $elevatedPrompt
Send-SshCommand $s "write mem" -Expect "[OK]" -WaitUnlimitedOn "configuration…|Cryptochecksum|copied"
}
Close-SshSession $s
[/code]
Notes:
- These PowerShell variables are prepopulated with values and have self-explanatory names: $asaIP, $user, $password, $elevatedPassword, $objectId, $description, $hostIP.
- The value of the “Expect” parameter is a regular expression. If the result of the command doesn’t match that expression an exception will be thrown.
- To access the result of the Send-SshCommand cmdlet you can either use the cmdlet output or use one of the session variable properties: LastResult, LastResultLine or AllResult.
To deploy the module, just copy the SshShell folder to one of the PSModulePath values (for Orchestrator server copy it to “SystemRoot%SysWOW64WindowsPowerShellv1.0Modules”) and make sure the dll files are not blocked. The module works with PowerShell 2.0 and require .net framework 3.5.